You can review the events detected on your assets and group related changes into incidents to determine whether they are valid, mark them approved or unapproved, and classify them by the type of change. This is especially useful for auditing purposes. You can create an incident from either the Events tab or the Incidents tab.

Note: You also have an option to create incidents based on certain criteria defined in a correlation rule. See Configure Correlation Rules to Auto Create Incidents.

Creating incidents from the Events tab

Go to Events > Event Review to see the events that are waiting to be reviewed.

Enter your search query or use filters on the left side to find events that are part of the same incident. For example, find events based on tags, user, process and profile.

Then click Create Incident. All events matching your query will be included in the incident.

The Create Incident option is enabled only after you enter a valid QQL query in the search bar.

Note: An incident can contain at most 10,000 events. When you create your incident, choose filters or a search query that returns 10,000 events or fewer. Events beyond this limit are excluded from the incident and from the report created for it.

Give the incident a name and provide the reviewer details.

You can add the reviewer's email ID. You can add a maximum of 10 reviewers.

Click Create.

Your new incident will be saved on the Incidents list where you can view and add details.

Choose View Details from the Quick Actions menu to see the list of events included in an incident and get a breakdown of the events by severity, action and user.

Choose Edit from the Quick Actions menu for any Open incident to rename it or change the events associated with it by modifying the query or timeframe. If an event no longer matches the query, it is removed from the incident and appears back on the Events list so it can be reviewed again.

Note: After you create an incident manually, events are assigned to the incident after 24 hours.

For events whose reputationStatus is MALICIOUS, an automated incident is created with the following configuration:

- Disposition = Malware

- Change Type = Compromise

- Approval Status = Policy Violation

The Start Review option is available for such incidents immediately.

Creating incidents from the Incidents tab

To create a manual incident, click Incidents > All Incidents > Create Incident.


On the Create Incident page, add the following details:

- Incident Name: The name of the Incident.

- Reviewers: Enter the names or email IDs of the reviewers. The logged-in user's name is listed by default as the reviewer. You can enter up to 10 reviewers. When an incident is generated using the query you have entered, it is assigned to the users you enter in the Reviewers text box.

The users you set as reviewers receive a notification every time an incident is generated.

Note: Only reviewers for whom you enter an email ID receive notifications. Enter valid email IDs for the reviewers to ensure they receive the notification mails.

- Query: Enter your QQL search query to find events. You can also select the required QQL query from the Saved Searches or Queries option.

- Start Date, Start Time, End Date, and End Time: The time window for which you want to capture the events matched by the QQL query.

Note: The end date and time should always be before or equal to the date and time you are creating the incident.

Note: In the Query field, when you add a folder path for file.fullPath or actor.imagePath, do not end the path with a backslash ("\"); a trailing backslash results in an invalid QQL query when searching.

Click Preview to see the total number of events that are generated based on your query and click Close to close the window.

Note: You can create an incident only if there are events matching your QQL query.

On the Create Incident page, click Create. The new incident is listed on the Incidents tab for a manual review.
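As an added example (not Qualys code), here is a Python pre-flight check for the constraints this page states for a manual incident: name, reviewer count and email IDs, a non-empty query, an end time no later than the creation time, the 10,000-event limit, and the trailing-backslash problem in path values. The QQL scanner assumes, as its own reading of the page's warning, that a backslash inside a quoted value escapes the next character, so a path ending in \" loses its closing quote.

```python
import re

MAX_EVENTS = 10_000      # events per incident, the limit stated on the page
MAX_REVIEWERS = 10       # reviewer limit stated on the page
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def scan_qql_literals(query):
    r"""Return (literals, unterminated) for the double-quoted values in a QQL string.
    Assumption, not stated on the page: a backslash inside quotes escapes the next
    character, so a path ending in \" swallows its own closing quote."""
    literals, i, n = [], 0, len(query)
    while i < n:
        if query[i] != '"':
            i += 1
            continue
        start = i
        i += 1
        while i < n and query[i] != '"':
            i += 2 if query[i] == "\\" else 1    # skip an escaped character
        if i >= n:
            return literals, query[start:]        # closing quote escaped or missing
        literals.append(query[start + 1:i])       # raw text between the quotes
        i += 1
    return literals, None

def check_incident_request(name, reviewers, query, end_time, now, preview_count):
    """Pre-flight the page's constraints for a manual incident; returns a list of
    problems (empty means submit). end_time/now: any comparable pair, e.g. ISO strings."""
    issues = []
    if not name.strip():
        issues.append("incident name is required")
    if len(reviewers) > MAX_REVIEWERS:
        issues.append(f"at most {MAX_REVIEWERS} reviewers are allowed")
    for r in reviewers:
        if not EMAIL_RE.match(r):
            issues.append(f"reviewer {r!r} has no valid email and will not be notified")
    if not query.strip():
        issues.append("a QQL query is required before Create Incident is enabled")
    _, unterminated = scan_qql_literals(query)
    if unterminated is not None:
        issues.append(f"unterminated QQL value {unterminated!r}: remove the trailing backslash")
    if end_time > now:
        issues.append("end date/time must be before or equal to the creation time")
    if preview_count == 0:
        issues.append("no events match the query, so the incident cannot be created")
    elif preview_count > MAX_EVENTS:
        issues.append(f"{preview_count - MAX_EVENTS} events exceed the {MAX_EVENTS} limit and will be excluded")
    return issues
```

Pass the count shown by Preview as preview_count; an empty result means the request satisfies every rule on this page.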

After you create an incident manually, events are assigned to the incident after 24 hours.

Note: For events whose reputationStatus is MALICIOUS, an automated incident is created with the following configuration:

- Disposition = Malware

- Change Type = Compromise

- Approval Status = Policy Violation

The Start Review option is available for such incidents immediately.

Reviewing incidents

Go to All Incidents and then select Start Review from the Quick Actions menu for any incident that is Open.


You'll see the list of events associated with the incident, and you can drill into the details for any event.

Want to change the query that resulted in this list of events? Go back and Edit the incident.

Click Next below the list to complete your review.

Provide a comment, mark the incident Approved or Unapproved, pick the appropriate disposition category for reporting and classification, and choose whether the incident resulted from a manual or automated change. Click Finish. The incident status will be updated to Closed.

Downloading incidents

It's easy. Just click the Download icon above the list and choose a download format.


Generating incident reports

Select an incident and click Generate Report from the Quick Actions menu. Select PDF/HTML format and click Download.


The report is created for the incident and listed in the Reports tab. You can download a report only when its status is Completed; use the Download option in the Quick Actions menu.

Viewing a report status

When you submit a request to generate a report, FIM assigns one of the following statuses to the report, which you can see in the Reports tab during the different stages of processing:

- Accepted: The request for generating the report is accepted.

- Processing: The report generation is in progress.

- Completed: The report is generated and is available for download.

- Failed: The report generation process failed.

Note: If the report is in the Failed state, or if it is stuck in a particular state (other than Completed) for a long time, you can run the report again using the Run Again option from the Quick Actions menu.

Re-running a report

Click the Run Again option under the Quick Actions menu to generate a new report with the same name but updated data, date, and time.

The Run Again option is not available if the incident for which the report is generated is deleted.

Note: You cannot rerun reports that have special characters in their name.


Reopening closed incidents

You have an option to reopen a closed incident to modify the incident’s review information. When you reopen an incident, all the review information in the incident such as disposition, change type, approval and other information is set to blank. You can then review the reopened incident, provide review comments and mark it Closed.

To reopen an incident, click Reopen from the Quick Actions menu.

Enter the comments and click Yes.


Related Topics

Qualys Query Library

Event Insights

Configuration of correlation rules to auto create incidents