Processing Incidents

The Incidents page displays information about all the security or compliance events that require attention. The platform continuously monitors your organization’s assets, applications, and identities for breaches, and generates incidents. Incidents are only generated from applications that are integrated with the platform.

Incidents are generated by detection rules. A detection rule is a set of conditions that, when breached, generates an incident. See Setting Detection Rules.

To view incidents on the Delinea Platform:

In the left navigation, select Threat Center, then select Incidents.

The Incidents Page

The Incidents page displays a list of incidents and a detailed view of a single incident in the Single Incident Pane.

At the upper left of the page is the total number of incidents displayed on the page. This number is either all the incidents or, if you have applied filters to the list, the number of incidents that match the filter criteria. See Filtering Incidents.

For each incident in the list, the following is displayed:

  • Name of the incident

  • Date the incident was reported

  • Short description of the incident

  • Application that is affected by the incident

  • Checkbox for assigning or closing the incident

When you select the checkbox, two options open at the bottom of the list:

  • Assign the issue to another platform user in your organization to review

  • Close the incident

You can sort the list of incidents by selecting one of the sort options: Newest (default), Oldest, Highest Severity, Lowest Severity, or Recently Updated.

Bulk Operations

You can assign or close multiple incidents at one time by selecting individual incidents, selecting grouped incidents, or selecting all the incidents at once.

To perform an action on multiple incidents:

  1. Select the incidents.

  2. Click the action to perform.

To perform an action on a group of incidents:

  1. In the Group By selection (above the incidents count), select a grouping (for example, App or Asset). Select the group of incidents.

  2. Click the action to perform.

To perform an action on all incidents:

  1. Select the box next to the total number of incidents.

  2. To select all the incidents, click Select all X items.

  3. Click the action to perform.

Filtering Incidents

With filters, you can narrow down the list on the Incidents page to focus on a specific set of incidents. The filters are shown just above the Single Incident pane. You can use as many filters as needed by adding them one by one with the + button.

To use a filter:

  1. Click the + button.

  2. Select a field.

  3. Select the option in the field to filter.

  4. Select as many filters as you need.

To remove a filter from your selections, click the small x near the filter, or press the backspace key.

The displayed total number of incidents changes to show the number of incidents that match the filter. In some cases, the picklist includes the number of filtered incidents that exist.

Downloading Incidents

You can download incidents in a CSV file by clicking the download icon. If the list has more than 5,000 incidents, filter the incidents before downloading.

You can send a CSV file with all incident changes in the last 30 days to recipients on a weekly, monthly, or quarterly basis. For more information, see Configuring Recurring Reports.

The Incidents Pane

The Incidents pane displays the incident selected in the Incident list (the first incident is the default). Most of the information about an incident appears in the Overview pane. The Graph pane displays the environment in which the incident occurred.

Editable Properties

You can change the severity, status, and assignee values by clicking them and selecting a different value from the picklist.

Closing and Reopening Incidents

To close an incident, click the Close Incident button at the top of the Single Incident Page. Closed incidents are marked as irrelevant or fixed by the client. Afterwards, the button changes to Reopen Incident, and clicking it reopens the incident. These actions are listed in the timeline.

If you click a resource or identity anywhere on the Incidents page, its Single Entity Page opens.

Timeline

The timeline pane displays all the activities related to the incident, in reverse chronological order, going back to the day the incident was found.

Graph

The graph pane shows the identity responsible for the incident in the environment where it was found.

Background Information

An entity can be a cloud identity or asset.