14.1. Incident Settings

Incident investigation is a multi-stage process in which the incident is assigned a certain State at each stage, e.g., "Open" --> "Need more info" --> "In progress" --> "Closed". Transitions between states are governed by rules set by the administrator; e.g., a direct transition from "Open" to "Closed" may be disallowed. The possible incident state transitions are defined in an Incident schema.

When the investigation of an incident is completed, a Resolution is assigned to the incident, such as "False positive", "True positive", "Completed", etc.

The Incident type is selected at the time of incident creation and determines the purpose of the incident. Examples of incident types are "Security incident", "Task", etc.

The Incident schema brings together the incident states, possible state transitions, resolutions, and incident types to form an integrated process of cybersecurity incident investigation.

UserGate LogAn allows you to adapt the incident investigation process to the needs of a specific company. After the initial setup, an incident schema with the default name "Incident" is created. The system administrator can edit the existing schema or create a new one. Multiple incident schemas can be created, but only one of them, the active schema, is in use.

To create a new incident schema, follow these steps:

Step 1. Create the desired incident resolutions.

In the Incident settings --> Incident resolutions section, click Add, provide a name and description for the resolution being created and click Save.

Step 2. Create incident types.

In the Incident settings --> Incident types section, click Add, provide a name and description for the incident type being created and click Save.

Step 3. Create incident states.

In the Incident settings --> Incident states section, click Add, provide a name, description, and group for the incident state being created and click Save. A state group determines the position of the state in the state schema. There are three groups:

  • OPEN: assigned to incident states in which work on the incident has not started yet or is paused. Usually, these are initial incident states, such as "Created". All states from this group are marked blue in the web console.

  • IN PROGRESS: assigned to incident states in which work on the incident is in progress but not completed yet. These are intermediate incident states, such as "In progress" or "Investigation". All states from this group are marked yellow in the web console.

  • CLOSED: assigned to incident states in which work on the incident is completed. These are final incident states, such as "Completed" or "Closed". To transition to a state from this group, you must provide a resolution for the incident, such as "False positive", "True positive", or "Completed". All states from this group are marked green in the web console.

When you have defined all fields, click Save.

Step 4. Create an incident schema.

In the Incident settings --> Incident schema section, click Add and provide the following settings:

  • Set active: make this schema active. Only one schema can be active; if another schema was active before, this action will make it inactive, and all new and existing incidents will use the new schema.

  • Schema: the name of the schema.

  • Prefix: the prefix that will be used to assign IDs to incidents being created. An ID will have the format of "<Prefix>-<Number>", e.g., "INC-99".

  • Description: an optional description of the schema.

  • Workflow states: all states that the incident can take during its lifecycle. Add all incident states here that you created at the previous step.

  • Initial state: the state that an incident will take on creation.

  • Transitions: specify all possible state transitions here and give them names. For example, create a transition named Activate that will take the incident from an OPEN state to an IN PROGRESS state. An incident can be transitioned between states only if a transition is defined between them.

  • Incident resolutions: the list of possible incident resolutions. A resolution is required when the incident investigation is completed, i.e., when the incident is transitioned to a CLOSED state. Select all the required resolutions that you created earlier.

  • Incident types: the incident types that can be used with this schema.

Step 5. Activate the incident schema.

After creating an incident schema, it needs to be activated. To do that, set the Set active checkbox in the incident schema settings.
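As an added illustration (not part of the UserGate LogAn product or its documentation), the following Python model applies the schema rules from the steps above to a constructed schema: an incident receives a "<Prefix>-<Number>" ID, starts in the initial state, can only move along transitions defined in the schema, and must be given one of the schema's resolutions before it can enter a CLOSED-group state. All state, transition and resolution names below are constructed sample values.

```python
OPEN, IN_PROGRESS, CLOSED = "OPEN", "IN PROGRESS", "CLOSED"  # the three state groups
class IncidentSchema:
    def __init__(self, prefix, states, initial_state, transitions, resolutions):
        self.prefix = prefix                # incident IDs take the form "<Prefix>-<Number>"
        self.states = states                # state name -> group
        self.initial_state = initial_state  # state assigned on creation
        self.transitions = transitions      # transition name -> (from_state, to_state)
        self.resolutions = resolutions      # resolutions selectable in this schema
        self.counter = 0

    def new_incident(self):
        self.counter += 1
        return {"id": f"{self.prefix}-{self.counter}", "state": self.initial_state, "resolution": None}

    def check(self, incident, transition, resolution=None):
        """Return None if the transition is allowed, otherwise the reason it is rejected."""
        if transition not in self.transitions:
            return f"transition {transition!r} is not defined in the schema"
        src, dst = self.transitions[transition]
        if incident["state"] != src:
            return f"{transition!r} is not allowed from state {incident['state']!r}"
        # Entering a CLOSED-group state requires one of the schema's resolutions.
        if self.states[dst] == CLOSED and resolution not in self.resolutions:
            return "a resolution is required to enter a CLOSED state"

    def apply(self, incident, transition, resolution=None):
        reason = self.check(incident, transition, resolution)
        if reason:
            raise ValueError(reason)
        incident["state"] = dst = self.transitions[transition][1]
        if self.states[dst] == CLOSED:
            incident["resolution"] = resolution
        return incident

def make_schema():  # constructed sample data of the kind entered in steps 1-4 above
    return IncidentSchema(
        prefix="INC",
        states={"Created": OPEN, "In progress": IN_PROGRESS, "Closed": CLOSED},
        initial_state="Created",
        transitions={"Activate": ("Created", "In progress"),
                     "Resolve": ("In progress", "Closed")},  # no direct Created -> Closed
        resolutions={"False positive", "True positive"},
    )

def run_workflow():
    schema = make_schema()
    inc = schema.new_incident()          # "INC-1" in state "Created"
    schema.apply(inc, "Activate")        # Created -> In progress
    schema.apply(inc, "Resolve", resolution="True positive")  # In progress -> Closed
    return inc
```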