You can review the events detected on your assets and group related changes into incidents to determine if they are valid, mark them approved or unapproved, and classify them by the type of change. This is especially useful for auditing purposes. You can Create an Incident from the Events and Incident tab.
Note: You also have the option to create incidents based on certain criteria defined in a correlation rule. See Configure Correlation Rules to Auto Create Incidents.
A Service Level Agreement (SLA) is a formal communication agreement established to keep you informed about incidents requiring your review. Enabling SLA lets you receive reminder emails till you review the incident. You can enable SLA for default incidents and automated incidents. You can define the SLA duration in days(minimum 1 day), weeks, or months (maximum 6 months).
Go to Events > Event Review to see the events that are waiting to be reviewed.
Enter your search query or use filters on the left side to find events that are part of the same incident. For example, find events based on tags, user, process, and profile.
Then click Create Incident. All events matching your query will be included in the incident.
The Create Incident option is enabled only after you enter a valid QQL query in the search bar.
Note: We support only 100k events in an incident. When you create your incident, choose your filters or search query to return less than or equal to 100K events. The events that exceed this limit will be excluded from the incident and the report created for the incident.
Give the incident a name, and provide the reviewer's details.
You can add the email ID of the reviewer. You can add a maximum of 10 reviewers.
Note: Only the reviewers for whom you enter an email ID will receive notifications. You must enter valid email IDs of the reviewers to ensure they receive the notification emails.
You can enable the Service Level Agreement (SLA). Once you enable SLA, provide SLA duration and select the time frame from the respective drop-down list.
Note: You cannot edit the SLA once it is enabled.
Click Create.
Your new incident will be saved on the Incidents list where you can view and add details.
Choose View Details from the Quick Actions menu to see the list of events included in an incident and get a break-down of the events by severity, action and user.
Choose Edit from the Quick Actions menu for any Open incident to rename it or change the events associated with it by modifying the query or time frame. If an event no longer matches the query it will be removed from the incident and appear back on the Events list so it can be reviewed again.
Note: After creating an incident manually, Events are marked to the incident after 24 hours.
For events with 'reputationStatus' as 'MALICIOUS', an Automated Incident will be created with below configuration:
Disposition = Malware
Change Type = Compromise
Approval Status = Policy Violation
Start Review option will be available for such Incidents Immediately.
To create a manual incident, click Incidents > All Incidents > Create Incident.
On the Create Incident page, add the following details:
- Incident Name: The name of the Incident.
- Reviewers: Enter names or email IDs of the reviewers. The logged in user's name is listed by default as the reviewer. You can enter up to 10 reviewers. When an incident is generated using the query you have entered, it gets assigned to the users that you enter in the Reviewers text box.
The users who you set as reviewers receive a notification every time an incident is generated by the rule.
Note: Only the reviewers for whom you enter an email ID will receive notifications. You must enter valid email IDs of the reviewers to ensure they receive the notification emails.
You can enable the Service Legal Agreement(SLA). Once you enable SLA, provide SLA duration and select the time-frame from the respective drop-down list.
- Query: Enter your QQL search query to find events. You can also select the required QQL query from the Saved Searches or Queries option.
- Start Date and Start Time, End Date, and End Time: The duration for which you want to capture the events based on the QQL query.
Note: The end date and time should always be before or equal to the date and time you are creating the incident.
Note: In the Query field, to add a folder path for file.fullPath and actor.imagePath QQL, user should avoid using “ \” at the end of the path as it results in invalid QQL while searching.
Click Preview to see the total number of events that are generated based on your query and click Close to close the window.
Note: You can create an incident only if there are events matching to your QQL query.
On the Create Incident page, click Create. The new incident is listed on the Incidents tab for a manual review.
After creating an incident manually, events are marked to the incident after 24 hours.
Note: For events with 'reputationStatus' as 'MALICIOUS', an Automated Incident will be created with below configuration:
Disposition = Malware
Change Type = Compromise
Approval Status = Policy Violation
Start review option will be available immediately.
You can choose to view and review your incidents by clicking 'My Incidents'. With My Incidents, you can apply a filter to view the incidents that are assigned to you, and created by you.
On selecting Assigned To Me, you see all the incidents assigned to you and the incidents with reviewer SYSTEM.
In addition, with All Incidents, you can view a list of all incidents that are created by you or the sub-users under you.
Note: You can edit the incident only if you are the creator of the incident. Similarly, you can review the incidents only when you are on the list of reviewers for the incident.
Go to All Incidents and then select Start Review from the Quick Actions menu for any incident that is Open.
You'll see the list of events associated with the incident, and you can drill into the details for any event.
Want to change the query that resulted in this list of events? Go back and Edit the incident.
Click Next below the list to complete your review.
Provide a comment, mark the incident as Approved or Unapproved, pick the appropriate disposition category for reporting and classification, and choose whether the incident resulted from a manual or automated change. Click Finish. The incident status will be updated to Closed.
It's easy. Just click the Download icon above the list and choose a download format.
Select an incident and click Generate Report from the Quick Actions menu. Select PDF/HTML/CSV format and click Download.
Note: Report generates after a job is completed which takes five minutes of time. Therefore once an incident occurs, it is suggested to wait for five minutes before generating a report
The report is created for the incident and listed in the Reports tab. You can download a report only if the status of the report is completed.
When you submit a request for generating a report, FIM assigns the following status to the report which you can see in the Report tab during different stages of its processing:
- Accepted: The request for generating the report is accepted.
- Processing: The report generation is in progress.
- Completed: The report is generated and is available for download.
- Failed: Report generation process failed due to some reason.
Note: If the report is in "Failed" state or if the report is stuck in a particular state (except Completed state ) for a long time, you can run the report again using the "Run Again" options from the Quick Actions menu.
Click the Run Again option under the Quick Actions menu to generate a new report with the same name but updated data, date, and time.
The Run Again option is not available if the incident for which the report is generated is deleted.
Note: You cannot rerun reports that have special characters in their name.
You have an option to reopen a closed incident to modify the incident’s review information. When you reopen an incident, all the review information in the incident such as disposition, change type, approval and other information is set to blank. You can then review the reopened incident, provide review comments and mark it Closed.
To reopen an incident, click Reopen from the Quick Actions menu.
Enter the comments and click Yes.
