Cyware Fusion and Threat Response

An incident is an event of violation of an organization’s explicit or implicit security policies. Incidents include threat warnings and already executed attacks. Some examples of incidents are:

The following are the four status types available for incidents:

Untriaged incidents are those without sufficient information to initiate analysis or undergo the triage process. After an incident is triaged, you can assign statuses like Open, Closed, Merged, and more.

Some incidents may contain sensitive information that might need elevated access control. Such incidents can be marked as Protected. Only users belonging to groups with role-based access control permission can access Protected incidents.

While investigating an incident, you can pause the incident which also stops the time tracking and cost tracking of the incident. Time tracking and cost tracking continue when the incident is resumed.

When you pause an incident, the time tracking and cost tracking of the incident stops. You cannot perform the following activities on a paused incident:

Using the phase flow type, you can define if the incident workflow needs to be sequential or not. The phase flow type of an incident is defined in the Incident Workflow used by the incident. There are two types of phase flows:

The following users are referred to as the participants of an incident:

The participants of an incident can view the incident even if they do not have the data level permissions (allowed business units and allowed locations) for the incident. Only the assigned user and the members of the assigned user group, who have Create/Update permission for incidents, can update the incident.

To classify incidents, you can add labels to the incidents. It is recommended to add meaningful and relevant labels to the incidents. For example, P1 Incidents, L2 support. If the label you want to add is not available, contact your adminstrator.

No, an admin cannot configure the default mandatory fields, such as Title, Description, Business Units, and Locations, as optional.

Yes, multiple users can update incident details simultaneously, and the most recent update will be prioritized and applied to the incident. However, all other updates made simultaneously are available in the activity logs for your reference. For more information, see Manage Activity Logs.

Service Level Agreement (SLA) allows admins to define custom time limits for responding to incidents. SLAs are defined based on various parameters and conditions, such as incident types, severity, business unit, and location. The following are the two types of SLAs:

No, when an incident SLA is created, the SLA applies only to the incidents that are created after the SLA creation.

No, when an incident SLA is updated, the changes apply only to the incidents that are created after the SLA update.

When an incident SLA is activated or deactivated, the change is applied immediately to all the existing incidents.

By default, the incidents listing page displays the open incidents only. When you apply filters and go to another page, the incidents listing page refreshes to display the default filter.

To get contextual information about an incident, link the related incidents and other components using Connect the Dots. To view the linked components, on the incident details, go to Mission Control > Connect the Dots.

You can add a knowledge base article in the Knowledge Base tab of an incident and document the reusable information in the article.

You can add the following three types of attachments for an incident:

You can delete only untriaged incidents for which you have necessary access permissions. Untriaged incidents are those that haven't been analyzed or undergone the triage process. Incidents that are not untriaged or lack necessary access permissions are disabled and cannot be deleted.

The administrator must configure and enable the Google Maps integration to enable the Map view of incidents.

Based on your access level, you can view the incidents that are linked to your allowed business units on the incident listing page.

Time to resolution is the time taken to resolve an incident from an open state to a closed state. The following calculation is used to determine the TTD value:

TTR = Incident closed time - Incident opened time

If an incident is reopened, the following calculation is used to determine the TTR value:

TTR = Incident closed time - Incident opened time - Incident closed duration

Time to detection is the time taken to detect an incident as malicious. The following calculation is used to determine the TTD value:

TTD = Detection Time - Incident Time

Assignment SLA is the time limit from the incident opened time within which you must assign a user. This SLA refers to the triaging phase of an incident.

Resolution SLA is the timeframe within which an incident must be resolved after it has been assigned to a user. This SLA refers to the post-triaging phase of an incident.

Incident cost tracking is the total cost incurred by the organization due to the incident. You can configure Incident cost tracking in Admin > Configurations > Incident. The following calculation is used to determine incident cost tracking value:

Incident Cost Tracking = Miscellaneous Costs + Total cost incurred by analysts on the incident + Total actions cost

Miscellaneous costs are configured in incidents. In the new layout, miscellaneous costs are configured in Summary > Total Cost card> View Details.

In the old layout, miscellaneous costs are configured in Incidents > Miscellaneous > Cost Tracking.

Incident time tracking enables you to track the time spent by Respond users and user groups on incidents.

Action time tracking is the time taken to respond to an action for each user, phase, user group, and status.