Incidents

To view incidents on the platform click Threat Center then choose Incidents. The Incidents page displays information about all the security or compliance events that require attention. Incidents are found by the platform, which continuously monitors your organization’s assets, apps, and identities for breaches.

A detection rule is a set of conditions that, when breached, generate an incident. See Detection Rules.

Incidents are only generated from applications that are integrated with the Platform.

The Incidents page

The incidents page can display a list of incidents and a detailed view of a single incident (Single Incident Pane).

At the upper left is a number displaying the total number of filtered incidents (when filtered) and all the incidents when unfiltered. The filters appear just above the Single Incidents pane. You can use as many filters as needed by adding them one-by-one with the + button.

The Incidents list shows all the incidents when unfiltered, or just the incidents that were filtered. Each entry in the list contains several elements:

  • the name of the incident

  • the date the incident was reported

  • a short description of the incident

  • the application that is affected by the incident

  • checkbox (for assigning or closing the incident)

When you click the checkbox, two options open at the bottom of the list:

  • Assign (assign the issue to another platform user in your organization to review)

  • Close (close the incident)

You can sort the list of incidents by clicking and selecting one of the sort options: Newest (default), Oldest, Highest Severity, Lowest Severity, or Recently Updated.

Bulk operations

You can assign or close multiple incidents at one time, either by selecting each incident, selecting grouped incidents, or selecting all the incidents at one time.

To perform an action to some incidents:

  1. Select the incidents.

  2. Click the action to perform.

To perform an action to a group of incidents:

  • Select a group of incidents:

  • In the Group By selection (above the incidents count), select a grouping (for example App, or Asset).

  • Select the group incidents.

  • Click the action to perform.

To perform an action to all incidents:

  1. Select the box next to the total number of incidents.

  2. To select all the incidents, click Select all X items.

  3. Click the action to perform.

Filtering Incidents

The filters (above the Incident pane) enable you to focus on a specific set of incidents. To use a filter:

  1. Click the + button.

  2. Select a field.

  3. Select the option in the field to filter.

  4. Select as many filters as you need.

To remove a filter from your selections, click the small x near the filter, or hit the backspace key.

The number of incidents shows the number of incidents that were filtered. In some cases, the picklist will include the number of filtered incidents that exist.

Downloading Incidents

You can download incidents into a CSV file by clicking the download icon. If your list exceeds 5K entries, filter the content.

You can configure sending a CSV containing all incident changes in the last 30 days to recipients on a weekly, monthly, or quarterly basis. For more information, see Recurring Reports.

The Incidents Pane

The Incidents pane displays the incident selected in the Incident list (the first incident is the default). Most of the information about an incident appears in the Overview pane. The Graph pane displays the environment in which the incident occurred.

Editable Properties

You can change the severity, status, and assignee values by clicking them and selecting something else from the pick list.

Closing and Reopening Incidents

To close an incident, click Close Incident button at the top of the Single Incident Page. Closed incidents are marked as irrelevant or fixed by the client. Afterwards, the button changes to Reopen Incident, and clicking it reopens the incident. These actions are listed in the timeline.

If you click a resource or identity anywhere on the Incidents page, its Single Entity Page opens.

Timeline

The timeline pane displays all the activities related to the incident in reverse chronological order since the day the incident was found.

Graph

The graph pane shows the identity responsible for the incident in the environment where it was found.

Background Information

An entity can be a cloud identity or asset.