Track Your Incidents

You'll want to review the events detected on your assets and group related changes into incidents. Review each incident to determine whether it is valid, mark it Approved or Unapproved, and classify it by the type of change. This is especially useful for auditing. You can create an incident from either the Events tab or the Incidents tab.

Note: You can also have incidents created automatically for events that match the criteria defined in a correlation rule. See Configure Correlation Rules to Auto Create Incidents.

Create Incidents from the Events Tab

Go to Events > Event Review to see the events that are waiting to be reviewed.

Enter your search query or use filters on the left side to find events that are part of the same incident. For example, find events based on tags, user, process and profile.

Then click Create Incident. All events matching your query will be included in the incident.

Note: The Create Incident option is enabled only after you enter a valid QQL query in the search bar.

Note: An incident can hold at most 10,000 events. When you create an incident, choose filters or a search query that returns 10,000 events or fewer. Events beyond this limit are excluded from the incident and from any report generated for it.

Give the incident a name, and click Create.

Your new incident will be saved on the Incidents list where you can view and add details.

Choose View Details from the Quick Actions menu to see the list of events included in an incident and get a breakdown of the events by severity, action and user.

Choose Edit from the Quick Actions menu for any Open incident to rename it or change the events associated with it by modifying the query or timeframe. If an event no longer matches the query it will be removed from the incident and appear back on the Events list so it can be reviewed again.

Note: After you create an incident manually, the matching events are marked as belonging to the incident after 24 hours.

Note: For events whose reputationStatus is MALICIOUS, an automated incident is created with the following configuration:

- Disposition = Malware

- Change Type = Compromise

- Approval Status = Policy Violation

The Start Review option is available for such incidents immediately.

Create Incidents from the Incidents Tab

To create an incident manually, go to Incidents > All Incidents and click Create Incident.

Note: In the Query field, when you add a folder path for file.fullPath or actor.imagePath, do not end the path with a backslash (\). A trailing backslash makes the QQL invalid when searching.

On the Create Incident page, add the following details:

-- Incident Name: The name of the Incident.

-- Query: Enter your QQL search query to find events. You can also select the required QQL query from the Saved Searches or Queries option.

-- Start Date and Time, End Date and Time: The time window for which events matching the QQL query are captured.

Note: The End Date and Time cannot be later than the date and time at which you create the incident.

Click Preview to see the total number of events your query matches for the selected time window, then click Close. If the count exceeds 10,000, narrow the query or the time window, because events beyond that limit are excluded from the incident.

Note: You can create an incident only if at least one event matches your QQL query.
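As an added illustration that is not part of the original page, the queries below show the folder-path form the Query field note warns about. The token:value syntax, the Windows paths and the MALICIOUS value are assumptions made for this example; the tokens file.fullPath, actor.imagePath and reputationStatus are the ones the page itself names.

```qql
file.fullPath:"C:\Windows\System32" and reputationStatus:MALICIOUS
actor.imagePath:"C:\Program Files\Tools"
file.fullPath:"C:\Windows\System32\"
```

The first two queries end each path on a folder name and are valid. The third ends the path with a backslash immediately before the closing quote, which is the form that results in an invalid QQL query; drop the trailing backslash before you preview or create the incident.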

Click Create. The new incident is listed on the Incidents tab for manual review.

Note: After you create an incident manually, the matching events are marked as belonging to the incident after 24 hours.

Note: For events whose reputationStatus is MALICIOUS, an automated incident is created with the following configuration:

- Disposition = Malware

- Change Type = Compromise

- Approval Status = Policy Violation

The Start Review option is available for such incidents immediately.

Start Incident Review and Take Action

Go to the Incidents list. Choose Start Review from the Quick Actions menu for any incident that is Open.


You'll see the list of events associated with the incident, and you can drill into the details for any event.

Want to change the query that resulted in this list of events? Go back and Edit the incident.

Click Next below the list to complete your review.

Provide a comment, mark the incident Approved or Unapproved, pick the disposition category used for reporting and classification, and choose whether the incident resulted from a manual or an automated change. Click Finish. The incident status changes to Closed.

Download Your Incidents

It's easy. Just click the Download icon above the list and choose a download format.


Generate Reports for Incidents

Select an incident and click Generate Report from the Quick Actions menu. Select PDF/HTML format and click Download.


The report is generated for the incident and placed on the Reports tab. Go to the Reports tab and choose Download from the Quick Actions menu. You can download a report only once its status is Completed.

Report Status

When you submit a request to generate a report, FIM assigns the report one of the following statuses, shown on the Reports tab, as it moves through processing:

- Accepted: The request for generating the report is accepted.

- Processing: The report generation is in progress.

- Completed: The report is generated and is available for download.

- Failed: Report generation failed.

Note: If a report is in the Failed state, or has been stuck in any state other than Completed for a long time, you can generate it again using the Run Again option in the Quick Actions menu.

Run Again Report

Click Run Again in the Quick Actions menu to generate a new report with the same name but with updated data, date, and time.

The Run Again option is not available if the incident for which the report is generated is deleted.

Note: You cannot rerun reports that have special characters in their name.


Reopen Closed Incidents

You can reopen a closed incident to change its review information. When you reopen an incident, all of its review information (disposition, change type, approval status, and so on) is cleared. You can then review the reopened incident, provide review comments, and mark it Closed again.

To reopen an incident, click Reopen from the Quick Actions menu.

Enter the comments and click Yes.
