The Incidents log tab shows the list of existing cybersecurity incidents with the details shown in the following table:
Name in database |
Name in search query |
Description |
---|---|---|
Created |
date |
The date and time of incident creation. |
Updated |
updateDate |
The date and time of the last update. |
ID |
incidentPrefix |
The incident's prefix (INC-N, where N is the ordinal number of the incident, starting from 0). |
Name |
incidentName |
The name of the incident. |
Rule |
rule |
The name of the analytics rule the triggering of which caused the automatic creation of the incident as a result of the Create incident response action configured for the rule. |
Status |
status |
The incident's state. There are three state groups that determine the position of the state in the state schema:
In UserGate, a schema named "Incident" is created by default that includes transitions between all possible states. Incident schemas can be added in the General settings --> Incident settings --> Incident schema section. Additional incident states can be defined in the General settings --> Incident settings ‑‑> Incident states tab. For more details, see the section Incident Settings. |
Resolution |
resolution |
The resolution of the incident. The following predefined resolutions are available:
Additional incident resolutions can be defined in the General settings --> Incident settings ‑‑> Incident resolutions tab. For more details, see the section Incident Settings. |
Type |
type |
The incident type. By default, two incident types are available: a security incident and a task. Additional incident types can be defined in the General settings --> Incident settings ‑‑> Incident types section. For more details, see the section Incident Settings. |
Priority |
priority |
The incident's priority:
|
Reporter |
reporter |
The name of the administrator who created the incident. |
Last change by |
lastChangeBy |
The name of the administrator who made the last change. |
Assignee |
assignee |
The name of the administrator assigned to the incident. |
Activity |
The number of comments, triggered analytics rule alerts, and event logs added to the incident. |
The administrator can select to display only the columns they need. To do that, point the mouse cursor to the name of any column, click the arrow that will appear to the right of the column name, choose Columns, and select the desired parameters in the context menu.
You can filter incidents using the parameters shown in the table. Two filter modes are available, basic and advanced (for more details on the advanced search mode, see the section Data Search and Filtering).
You can save a configured filter by clicking Save as. To view the list of saved search filters, click Favorite filters.
By clicking Export as CSV, the administrator can save the filtered incident list in a .csv file for subsequent analysis.