Clicking the Show button will take you to a new tab (with the name formed of the ID and the entered incident name) showing details about the selected incident. In this tab, you can also Edit and Comment on the incident, Assign a different person to the incident, and change the Workflow state. In addition to the incident details displayed in the Incidents log tab (see more in the Incidents Log section), you can view the following information.
The Triggered alerts section shows the triggered analytics rule alerts added to the incident. For more details, see the section Triggered Alerts. To add triggered alerts to the incident, click Add to incident and select the triggered alerts to be added to the incident. To view the details for a triggered alert for analytics rule, select it and click Show details. You can also view triggered alert details by clicking Show. To remove the triggered alert for analytics rule from the incident, click Remove from incident. By clicking Export as CSV, you can save the list of triggered analytics rule alerts added to incidents in a .csv file for subsequent analysis.
The Logs section displays detailed information about events from all logs (for more details on log records, see the section Analytics Search). To add events to the incident, click Add to incident select the events to be added. To remove unneeded events, use the Remove from incident button.
The Observables section displays the observation results for the objects specified in the settings. Observables are needed to simplify the analysis of a cybersecurity incident, make the right decision, and reduce the time spent on the incident. The relevant information is obtained with the help of enrichment services (for more on these, see the section External Enrichment Services). To view the detailed information provided by an enrichment service, open the enrichment service settings by clicking on the service.
To create an observable, click Add and provide the settings shown in the table below.
Name |
Description |
---|---|
Observable type |
Select one of the following observable types:
|
Value |
Specify the object to deal with, such as an IP address, domain, etc. |
Attack type |
Select one of the following attack types:
|
TLP |
A TLP (Traffic Light Protocol) marking of confidential information. The following TLP marks are possible:
|
Is IoC? |
Set this checkbox if the object is a potential indicator of compromise. |
Services |
The list of services used to obtain additional information on the observable objects. Displayed automatically after selecting the observable type. Available in the General settings --> Libraries --> External enrichment services section. For more details, see the section External Enrichment Services. |
Updated |
The date and time when the service was last updated. |
To edit or remove observables, use the Edit or Remove buttons, respectively.
In the Activity section, you can view the comments for the incident and its change history (adding watchers, changing the workflow state, etc.).
To generate a report on the incident, click Generate report and select one of the following:
-
Incident report: a custom report that can be generated in English or Russian using PDF or HTML formats. You can use the templates listed in the Logs and reports --> Incident reports --> Incident report rules section.
-
GOSSOPKA report: uses the GOSSOPKA incident info template that conforms to the requirements for GosSOPKA reports. The report can be simply downloaded (using the Generate file button) or sent directly in the desired format to the specified GosSOPKA system account (using the Send via net button). To send the report automatically, the user must specify their GosSOPKA account and provide a secure data link. For more details, see the section Sending Cybersecurity Incident Reports to GosSOPKA.