Effective incident management requires a clear and structured interface that allows SOC teams to quickly identify, investigate, and remediate threats. The List View provides a consolidated overview of incidents and alerts, while the Incident Summary pane offers detailed information and actionable options for each incident. This document describes the fields, filters, and actions available to users for managing incidents efficiently.
List View
Scroll through the list to view previously generated alerts. Clicking on a host name opens the Device View for that alert.
Incident Fields
| Field | Description |
|---|---|
| INCIDENT ID | Displays the unique identifier of the incident. |
| INCIDENT NAME | Displays the name of the incident. You can copy the name using the copy icon. |
| TYPE | Displays the type of incident. |
| SEVERITY | Displays severity: Critical, High, Medium, Low. |
| PRIORITY | Displays priority: Critical, High, Medium, Low. |
| STATUS | Displays status: New, Investigation, Remediation, Closed. |
| NO. OF ALERTS | Displays the number of alerts associated with the incident. |
| CREATED ON | Displays the date and time when the incident was created. Sortable. |
| ASSIGNED TO | Displays the name of the assignee. |
Alert Fields
| Field | Description |
|---|---|
| ALERT NAME | Displays the name of the alert. |
| ALERT TYPE | Displays alert type: Custom, Associated Alerts, Unassociated Alerts. |
| SOURCE | Displays the source of the alert. |
| SEVERITY | Displays severity: High, Medium, Low, Base. |
| TACTICS | Displays tactics associated with the alert. |
| CREATED ON | Displays the date and time when the alert was created. Sortable. |
View Options
You can view incidents by time slots:
- Hour-wise: Last 1 hour, Last 24 hours
- Day-wise: Last 7 days, Last 15 days, Last 30 days
- Custom: Select From Date and To Date using the calendar control, then click Save
My Incidents
Click My Incidents to view only the incidents assigned to the logged-in user.
Filter
Apply filters to narrow down search results. You can filter by:
- Severity
- Status
- Alert details (Process Name, Host Name, Assignee, Tactics)
View Details
Click View Details to navigate to the Alerts page.
Incident Summary
Clicking any row displays the incident summary in the right pane. Available actions include:
- View Audit Report – Access detailed audit reports.
- Add Notes – Add notes to the incident, visible in the Notes and Attachments section.
- Upload Documents – Upload supporting documents while updating incident status.
Basic Information
| Field | Description |
|---|---|
| Incident ID | Displays the incident ID. Copyable via icon. |
| Incident Name | Displays the incident name. Editable via icon. |
| Incident Type | Displays type: Unknown, Phishing, Malware, MITM, Insider Threat, Privilege Escalation, Web Application Attack, Anomaly Detection, APT. Editable via icon. |
| Created On | Displays the creation date and time. |
| Occurred On | Displays the endpoint on which the incident occurred. |
| Last Updated On | Displays the last update timestamp. |
| Number of Alerts | Displays the number of alerts linked to the incident. |
| View Details | Redirects to the Alerts page. |
| Playbook | Displays the default playbook associated with the incident. |
| View Playbook Output | Opens the playbook output window. |
Response Summary
| Field | Description |
|---|---|
| Severity | Displays severity: High, Medium, Low, Base. |
| Priority | Displays priority: Critical, High, Medium, Low. Editable via icon. |
| Assigned To | Displays the assignee’s name. |
| Status | Displays status: New, Investigation, Remediation, Closed. Also shows response timeliness (On Time, Late, Closed). Editable via icon. Allows document uploads. Note: Max 5 files per incident, each ≤ 1 MB. Supported formats: .xlsx, .pdf, .docx, .jpeg, .jpg, .png. |
Description and Analysis
- Description – Editable incident description.
Notes and Attachments
- Notes – Displays notes with author and timestamp. Add notes via Add Note icon. Upload documents here as well.
Note: Max 5 files per incident, each ≤ 1 MB. Supported formats: .xlsx, .pdf, .docx, .jpeg, .jpg, .png.
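The attachment limits stated for the Status field and for the Notes and Attachments section (at most 5 files per incident, each no larger than 1 MB, in .xlsx, .pdf, .docx, .jpeg, .jpg or .png format) are the kind of constraint a reviewer would want enforced server-side rather than only in the browser. The following is an added example, not the product's own code: a constructed validator that applies those limits and additionally checks that a file's leading bytes match the type its extension claims, so a renamed executable named `report.pdf` is rejected even though `.pdf` is on the allow list. The content-sniffing step and the Office Open XML package check are assumptions added here; the page itself only lists the extensions.

```python
"""Constructed validator for incident attachment uploads (example only).

Enforces the documented limits (5 files per incident, 1 MB each, fixed
extension allow list) and adds a magic-byte check that the page does not
describe, so the extension alone cannot be used to smuggle other content.
"""
from __future__ import annotations

import io
import os
import zipfile

MAX_FILES = 5
MAX_BYTES = 1 * 1024 * 1024  # 1 MB, as stated in the documentation

# Leading bytes expected for each permitted extension (assumed check, not
# something the product documents). .docx/.xlsx are ZIP containers.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
OOXML_PART = {".docx": "word/document.xml", ".xlsx": "xl/workbook.xml"}


def _is_ooxml(data: bytes, ext: str) -> bool:
    """True if the ZIP container holds the parts a .docx/.xlsx package needs."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and OOXML_PART[ext] in names


def check_attachment(filename: str, data: bytes) -> str | None:
    """Return None when the file is acceptable, otherwise a rejection reason."""
    base = os.path.basename(filename)            # strip any directory components
    ext = os.path.splitext(base)[1].lower()      # judge by the LAST extension only
    if ext not in MAGIC:
        return f"{base}: extension {ext or '(none)'} is not permitted"
    if not data:
        return f"{base}: empty file"
    if len(data) > MAX_BYTES:
        return f"{base}: {len(data)} bytes exceeds the 1 MB limit"
    if not data.startswith(MAGIC[ext]):
        return f"{base}: content does not look like a {ext} file"
    if ext in OOXML_PART and not _is_ooxml(data, ext):
        return f"{base}: ZIP container is not a valid {ext} package"
    return None


def check_batch(existing_count: int, uploads: list[tuple[str, bytes]]) -> list[str]:
    """Validate a set of uploads against an incident that already has some."""
    errors = []
    if existing_count + len(uploads) > MAX_FILES:
        errors.append(
            f"incident already has {existing_count} attachment(s); adding "
            f"{len(uploads)} would exceed the limit of {MAX_FILES}"
        )
    for name, data in uploads:
        reason = check_attachment(name, data)
        if reason:
            errors.append(reason)
    return errors


def make_ooxml(ext: str) -> bytes:
    """Build a minimal constructed .docx/.xlsx container for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(OOXML_PART[ext], "<x/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample uploads: one good PDF, one renamed executable,
    # one double-extension trick, one oversized PNG, one real-looking .docx.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
        ("report2.pdf", b"MZ\x90\x00" + b"\x00" * 60),          # PE header, not a PDF
        ("invoice.pdf.exe", b"%PDF-1.7\n"),                      # last extension wins
        ("screenshot.png", MAGIC[".png"] + b"\x00" * MAX_BYTES),  # 1 MB + 8 bytes
        ("notes.docx", make_ooxml(".docx")),
    ]
    for err in check_batch(existing_count=2, uploads=samples):
        print("REJECTED:", err)
```

The validator keys on the last extension only, so `invoice.pdf.exe` is rejected by the allow list while `payload.exe.pdf` must be caught by the content check; the count limit is applied against attachments already on the incident, not just the current upload. Content sniffing is a cheap first line; it does not replace scanning the stored file.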
Endpoints and Users
- Endpoints (#) – Displays endpoint hostnames. Playbooks can be run via vertical ellipses.
- Users (#) – Displays associated users. Playbooks can be run via vertical ellipses.
Key Attributes
- Process, Registry, File, Network – Each displays count, value, reputation, and associated alerts. Playbooks can be run via vertical ellipses.
Action Buttons
- Playbook Actions – Run playbooks.
- View Playbook Output – View playbook execution details.
Add Note
- Click the Add Note icon (top-right corner).
- Enter the note in the Note field.
- Click Save.
- A confirmation message appears.
Notes are visible in the Notes section of the Incident Summary.
Playbook Actions
- Playbook Actions – Opens a list of playbooks.
- View Playbook Output – Displays playbook results.
Running a Playbook
- Click Playbook Actions.
- Select a playbook and click the Run icon.
- Provide required information.
- Click Execute.
- The playbook executes and results appear.
Scheduling Incident Reports
Note: Only users with Super Admin, Admin, or SOC Manager privileges can schedule incident reports.
To schedule reports, follow the instructions here.