Incident Settings

Incident investigation is a multi-stage process where the incident is assigned a certain State at each stage, e.g., Open ➜ Need more info ➜ In progress ➜ Closed. Transition between states is possible based on certain rules set by the administrator --- e.g., a direct transition from Open to Closed is not allowed. The possible incident state transitions are defined in an Incident schema.

When the investigation of an incident is completed, a Resolution is assigned to the incident, such as "False positive", "True positive", "Completed", etc.

The Incident type is selected at the time of incident creation and determines the purpose of the incident. Examples of incident types are "Security incident", "Task", etc.

The Incident schema brings together the incident states, possible state transitions, resolutions, and incident types to form an integrated process of cybersecurity incident investigation.

UserGate SIEM allows you to customize the incident investigation process to the needs of a specific company. After the initial configuration of the resolution, an incident schema with the default name of Incident is created. The system administrator can edit the existing schema or create a new one. Multiple incident schemas can be created but only one, the active schema, can be used.

To create a new incident schema, follow these steps:

Step 1. Create the desired incident resolutions

Under Incident settings ➜ Incident resolutions, click Add, provide a name and description for the resolution being created and click Save.

Step 2. Create incident types

Under Incident settings ➜ Incident types, click Add, provide a name and description for the incident type being created and click Save.

Step 3. Create incident states

Under Incident settings ➜ Incident states, click Add and provide the name, description, and group for the incident state being created. A state group determines the position of the state in the state schema. There are three groups:

  • Open: assigned to incident states in which the work on the incident is not started yet or paused. Usually, these are initial incident states, such as "Created". All states from this group are marked blue in the web console.

  • In Progress: assigned to incident states in which the work on the incident is in progress but not completed yet. These are intermediate incident states, such as "In progress" or "Investigation". All states from this group are marked yellow in the web console.

  • Closed: assigned to incident states in which the work on the incident is completed. These are final incident states, such as "Completed" or "Closed". To transition to a state from this group, you need to provide a resolution for the incident, such as "False positive", "True positive", or "Completed". All states from this group are marked green in the web console.

When you have defined all fields, click Save.

Step 4. Create incident schema

Under Incident settings ➜ Incident schema, click Add and provide the following settings:

  • Set active: make this schema active. Only one schema can be active; if another schema was active before, this action will make it inactive, and all new and existing incidents will use the new schema.

  • Schema: the name of the schema.

  • Prefix: the prefix that will be used to assign IDs to incidents being created. An ID has the format <prefix>-<number>, e.g., INC-99.

  • Description: an optional description of the schema.

  • Workflow states: all states that the incident can take during its lifecycle. Add all incident states here that you created at the previous step.

  • Initial state: the state that an incident will take on creation.

  • Transitions: specify all possible state transitions here and give them names. For example, create a transition named Activate that will take the incident from an Open state to an In Progress state. An incident can be transitioned between states only if a transition is defined between them.

  • Incident resolutions: the list of the possible incident resolutions. A resolution is required when the incident investigation is completed, i.e., when the incident is transitioned to a Closed state. Select all the required resolutions that you created earlier.

  • Incident types: the incident types that can be used with this schema.

Step 5. Activate the incident schema

After creating an incident schema, it needs to be activated. To do that, set the Set active checkbox in the incident schema settings.
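The rules that the five steps above configure in the web console can be modelled in a few lines. The following is an added example, not UserGate code: a small Python schema that enforces that an incident may only move over a defined transition, that entering a Closed-group state requires one of the schema's resolutions, and that IDs are built as <prefix>-<number>. The state, transition and resolution names are constructed from the page's own examples.

```python
from dataclasses import dataclass

@dataclass
class Incident:
    id: str
    state: str
    resolution: str = None

class IncidentSchema:
    # states: name -> group (Open / In Progress / Closed)
    # transitions: name -> (from_state, to_state); resolutions: allowed names
    def __init__(self, prefix, states, initial_state, transitions, resolutions):
        for name, (src, dst) in transitions.items():
            if src not in states or dst not in states:
                raise ValueError(f"transition {name} references an unknown state")
        self.prefix, self.states, self.initial_state = prefix, states, initial_state
        self.transitions, self.resolutions, self._counter = transitions, resolutions, 0

    def new_incident(self):
        # IDs follow <prefix>-<number>, e.g. INC-1, INC-2, ...
        self._counter += 1
        return Incident(f"{self.prefix}-{self._counter}", self.initial_state)

    def apply(self, incident, transition, resolution=None):
        # An incident may move between two states only over a defined transition.
        src, dst = self.transitions[transition]
        if incident.state != src:
            raise ValueError(f"{transition} is not allowed from state {incident.state}")
        # Entering a Closed-group state requires one of the schema's resolutions.
        if self.states[dst] == "Closed":
            if resolution not in self.resolutions:
                raise ValueError("closing requires a resolution from the schema")
            incident.resolution = resolution
        incident.state = dst
        return incident

def make_schema():
    # Constructed schema using the example names from the page (not a real export).
    return IncidentSchema(
        prefix="INC",
        states={"Created": "Open", "In progress": "In Progress", "Closed": "Closed"},
        initial_state="Created",
        transitions={"Activate": ("Created", "In progress"),
                     "Complete": ("In progress", "Closed")},
        resolutions={"False positive", "True positive", "Completed"})
```

With this schema, Created ➜ Closed is refused because no transition links the two states, and Complete without a resolution is refused before the state changes.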