14.3. Incidents Log

The Incidents log tab lists the existing cybersecurity incidents. The fields of an incident are described below. For each field, the name shown in the database (the column title) is given first, followed in parentheses by the name used in search queries when filtering the list.

Created (date)

The date and time the incident was created.

Updated (updateDate)

The date and time of the last update to the incident.

ID (incidentPrefix)

The incident identifier, INC-N, where N is the ordinal number of the incident, counted from 0.

Name (incidentName)

The name of the incident.

Rule (rule)

The analytics rule whose triggering created the incident automatically through the Create incident response action configured for that rule.

Status (status)

The incident's state. Three state groups determine where a state sits in the state schema:

  • OPEN: states in which work on the incident has not started yet or is paused. Usually these are initial states, such as "Created". All states in this group are marked blue in the web console.

  • IN PROGRESS: states in which work on the incident is under way but not completed. These are intermediate states, such as "In progress" or "Investigation". All states in this group are marked yellow in the web console.

  • CLOSED: states in which work on the incident is completed. These are final states, such as "Completed" or "Closed". To transition to a state in this group, you must provide a resolution for the incident, such as "False positive", "True positive", or "Completed". All states in this group are marked green in the web console.

By default, UserGate provides a schema named "Incident" that includes transitions between all possible states. Additional incident schemas can be added in the General settings --> Incident settings --> Incident schema section.

Additional incident states can be defined on the General settings --> Incident settings --> Incident states tab. For details, see the section Incident Settings.

Resolution (resolution)

The resolution of the incident. The following predefined resolutions are available:

  • False positive: the incident is a false positive.

  • True positive: the incident is a true positive.

  • Duplicate: the problem duplicates an existing one.

  • Won't do: the task cannot be accomplished.

  • Done: the problem is resolved.

Additional incident resolutions can be defined on the General settings --> Incident settings --> Incident resolutions tab. For details, see the section Incident Settings.

Type (type)

The incident type. By default, two types are available: a security incident and a task. Additional incident types can be defined in the General settings --> Incident settings --> Incident types section. For details, see the section Incident Settings.

Priority (priority)

The incident's priority, one of:

  • Low.

  • Normal.

  • Important.

  • Critical.

Reporter (reporter)

The name of the administrator who created the incident.

Last change by (lastChangeBy)

The name of the administrator who made the last change.

Assignee (assignee)

The name of the administrator assigned to the incident.

Activity (no search query name)

The number of comments, triggered analytics rule alerts, and event log entries attached to the incident.

The administrator can choose which columns to display. To do that, point to the name of any column, click the arrow that appears to the right of the column name, choose Columns, and select the desired columns in the context menu.

You can filter incidents using the parameters shown in the table. Two filter modes are available, basic and advanced (for more details on the advanced search mode, see the section Data Search and Filtering).

You can save a configured filter by clicking Save as. To view the list of saved search filters, click Favorite filters.

By clicking Export as CSV, the administrator can save the filtered incident list in a .csv file for subsequent analysis.
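The exported CSV is the natural input for the kind of offline triage the state groups and priorities above are meant to support. The following is an added example, not UserGate's own code: it parses a constructed export whose header uses the search-query field names from the table (an assumption; check the header of a real export), maps each status to its state group using the example state names on this page (a second assumption, since states added under Incident settings will need to be added to the mapping), and then reports open high-priority incidents with no assignee, checks the invariant that every CLOSED incident carries a resolution, and computes an approximate mean time to close from the created and updated timestamps. The type labels "Security incident" and "Task" are likewise assumed.

```python
"""Triage an incident list exported as CSV from the Incidents log tab.

Added example, not UserGate's own code. Assumptions not stated on the page:
  * the CSV header uses the "name in search query" identifiers
    (date, updateDate, incidentPrefix, ...), and timestamps are ISO 8601;
  * STATE_GROUPS reflects the default "Incident" schema; custom states
    defined under Incident settings must be added to it.
"""
import csv
import io
from datetime import datetime

# Assumed mapping of state names to the three state groups (OPEN / IN PROGRESS / CLOSED).
STATE_GROUPS = {
    "Created": "OPEN",
    "In progress": "IN PROGRESS",
    "Investigation": "IN PROGRESS",
    "Completed": "CLOSED",
    "Closed": "CLOSED",
}

# Priorities that should not sit in an OPEN state without an owner.
HIGH_PRIORITIES = {"Important", "Critical"}

# Constructed sample export for demonstration; not real data.
SAMPLE_CSV = """\
date,updateDate,incidentPrefix,incidentName,rule,status,resolution,type,priority,reporter,lastChangeBy,assignee
2024-05-01T08:00:00,2024-05-01T08:00:00,INC-0,Brute force on VPN,SSH brute force,Created,,Security incident,Critical,analyst1,analyst1,
2024-05-01T09:30:00,2024-05-02T10:00:00,INC-1,Phishing report,,Investigation,,Security incident,Normal,analyst2,analyst3,analyst3
2024-05-02T11:00:00,2024-05-02T15:00:00,INC-2,Rotate service account key,,Completed,Done,Task,Low,analyst1,analyst1,analyst1
2024-05-03T07:15:00,2024-05-03T07:15:00,INC-3,Malware beacon,C2 beacon,Created,,Security incident,Important,analyst2,analyst2,
2024-05-03T12:00:00,2024-05-04T12:00:00,INC-4,Duplicate of INC-3,C2 beacon,Closed,,Security incident,Important,analyst2,analyst1,analyst1
"""


def parse_incidents(csv_text):
    """Read the export and attach parsed datetimes to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["created_at"] = datetime.fromisoformat(row["date"])
        row["updated_at"] = datetime.fromisoformat(row["updateDate"])
        rows.append(row)
    return rows


def state_group(status):
    """Map a state name to its group; an unknown state is a schema mismatch, so fail loudly."""
    try:
        return STATE_GROUPS[status]
    except KeyError:
        raise ValueError(f"state {status!r} is not in STATE_GROUPS; extend the mapping") from None


def count_by_group(incidents):
    """Number of incidents in each state group."""
    counts = {"OPEN": 0, "IN PROGRESS": 0, "CLOSED": 0}
    for inc in incidents:
        counts[state_group(inc["status"])] += 1
    return counts


def unassigned_high_priority_open(incidents):
    """OPEN incidents of Important/Critical priority that nobody owns yet."""
    return [inc["incidentPrefix"] for inc in incidents
            if state_group(inc["status"]) == "OPEN"
            and inc["priority"] in HIGH_PRIORITIES
            and not inc["assignee"]]


def closed_without_resolution(incidents):
    """Every CLOSED incident must carry a resolution; anything returned here is a data problem."""
    return [inc["incidentPrefix"] for inc in incidents
            if state_group(inc["status"]) == "CLOSED" and not inc["resolution"]]


def mean_hours_to_close(incidents):
    """Mean created-to-last-update time for CLOSED incidents (updateDate approximates closing time)."""
    hours = [(inc["updated_at"] - inc["created_at"]).total_seconds() / 3600
             for inc in incidents if state_group(inc["status"]) == "CLOSED"]
    return sum(hours) / len(hours) if hours else None


if __name__ == "__main__":
    incidents = parse_incidents(SAMPLE_CSV)
    print("by state group:", count_by_group(incidents))
    print("unowned high-priority OPEN:", unassigned_high_priority_open(incidents))
    print("CLOSED without resolution:", closed_without_resolution(incidents))
    print("mean hours to close:", mean_hours_to_close(incidents))
```

The mapping is deliberately strict: a status that is not in STATE_GROUPS raises instead of being silently counted, so that a state added in Incident settings shows up as an error in the script rather than as a wrong number in a report. On the constructed sample, INC-0 and INC-3 are flagged as unowned high-priority OPEN incidents, and INC-4 is flagged because it is Closed with an empty resolution.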