
Cyware Fusion and Threat Response

Incidents

An incident is an event that violates an organization’s explicit or implicit security policies. Incidents include threat warnings as well as attacks that have already been executed. Some examples of incidents are:

  • Unauthorized access to systems or data.

  • Unauthorized changes to systems or programs.

  • Denial of service attack.

  • Unexpected failure of networking systems and applications.

The following are the four status types available for incidents:

  • Open: Incidents that are ready to be investigated.

  • Closed: Incidents that have been investigated and closed.

  • Untriaged: Incidents that do not have sufficient information to start an investigation.

  • Merged: Incidents that have been merged into a parent incident with similar details.

Untriaged incidents are those without sufficient information to initiate analysis or undergo the triage process. After an incident is triaged, you can set its status to Open, Closed, or Merged.

Some incidents may contain sensitive information that might need elevated access control. Such incidents can be marked as Protected. Only users belonging to groups with role-based access control permission can access Protected incidents.

While investigating an incident, you can pause the incident, which also stops its time tracking and cost tracking. Both resume when the incident is resumed.

Note

Only the assigned user with Pause Incident permission can pause or resume an incident.

While an incident is paused, you cannot perform the following activities on it:

  • Update the assigned user and assigned user group

  • Mark the incident as protected

  • Change the incident phase

  • Update the incident status

Note

If you update the field details of a phase in a paused incident, the incident resumes automatically.

Using the phase flow type, you can define whether the incident workflow must be sequential. The phase flow type of an incident is defined in the Incident Workflow used by the incident. There are two types of phase flows:

  • Linear Incident Workflow: In this flow, users must complete the phases in the sequence configured by your administrator.

  • Non-linear Incident Workflow: The flow of phases is non-sequential and users have the flexibility to move to any phase.

The following users are referred to as the participants of an incident:

  • The user who created the incident

  • The user to whom the incident is assigned

  • The members of the assigned user group

  • The users who are tagged in the notes

The participants of an incident can view the incident even if they do not have the data-level permissions (allowed business units and allowed locations) for it. Only the assigned user and the members of the assigned user group who have Create/Update permission for incidents can update the incident.
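The participant, data-level and Create/Update rules above, written as authorization checks. This is an added example, not Cyware code: the field names, the permission strings, and the way Protected access is modelled (a dedicated permission granted through a group) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added example, not Cyware code. Field names, permission strings and the
# "incident.view_protected" gate are assumptions for this illustration.

@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str] = frozenset()
    business_units: FrozenSet[str] = frozenset()   # allowed business units (data-level)
    locations: FrozenSet[str] = frozenset()        # allowed locations (data-level)
    permissions: FrozenSet[str] = frozenset()      # e.g. "incident.create_update"

@dataclass(frozen=True)
class Incident:
    creator: str
    business_unit: str
    location: str
    assignee: Optional[str] = None
    assigned_group: Optional[str] = None
    tagged_in_notes: FrozenSet[str] = frozenset()
    protected: bool = False

def in_assigned_group(user: User, incident: Incident) -> bool:
    return incident.assigned_group is not None and incident.assigned_group in user.groups

def is_participant(user: User, incident: Incident) -> bool:
    """Creator, assignee, members of the assigned group, or users tagged in notes."""
    return (user.name == incident.creator
            or user.name == incident.assignee
            or in_assigned_group(user, incident)
            or user.name in incident.tagged_in_notes)

def has_data_level_access(user: User, incident: Incident) -> bool:
    """Both the business unit and the location of the incident must be allowed."""
    return (incident.business_unit in user.business_units
            and incident.location in user.locations)

def can_view(user: User, incident: Incident) -> bool:
    # Protected incidents require the RBAC permission regardless of participation
    # (assumption: modelled here as the "incident.view_protected" permission).
    if incident.protected and "incident.view_protected" not in user.permissions:
        return False
    # Participants bypass the data-level check; everyone else needs it.
    return is_participant(user, incident) or has_data_level_access(user, incident)

def can_update(user: User, incident: Incident) -> bool:
    """Only the assignee or a member of the assigned group, holding Create/Update."""
    if not can_view(user, incident):
        return False
    if "incident.create_update" not in user.permissions:
        return False
    return user.name == incident.assignee or in_assigned_group(user, incident)
```

The two checks are deliberately separate: a user with the right business unit and location can read an incident but cannot change it, while a tier-2 member can both read and change it even with no data-level permissions at all.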

To classify incidents, you can add labels to them. It is recommended to add meaningful and relevant labels, for example, P1 Incidents or L2 support. If the label you want to add is not available, contact your administrator.

An admin cannot configure the default mandatory fields, such as Title, Description, Business Units, and Locations, as optional.

Multiple users can update incident details simultaneously; the most recent update is the one applied to the incident. All other simultaneous updates remain available in the activity logs for reference. For more information, see Manage Activity Logs.

Service Level Agreement (SLA) allows admins to define custom time limits for responding to incidents. SLAs are defined based on various parameters and conditions, such as incident types, severity, business unit, and location. The following are the two types of SLAs:

  • Assignment SLA: Refers to the triaging phase of an incident. It is the time between incident creation and incident assignment.

  • Resolution SLA: Refers to the incident investigation phase. It is the time between user assignment and incident closure.

When an incident SLA is created, it applies only to incidents created after the SLA creation.

When an incident SLA is updated, the changes apply only to incidents created after the SLA update.

When an incident SLA is activated or deactivated, the change is applied immediately to all the existing incidents.

By default, the incidents listing page displays only open incidents. When you apply filters and navigate to another page, the incidents listing page resets to the default filter.

To get contextual information about an incident, link the related incidents and other components using Connect the Dots. To view the linked components, on the incident details, go to Mission Control > Connect the Dots.

You can add a knowledge base article in the Knowledge Base tab of an incident and document the reusable information in the article.

You can add the following three types of attachments for an incident:

  • Artifacts: These include supporting data that serves as a reference throughout incident investigations. During the investigation, if you find any artifacts to be evidence of the threat, you can mark the artifact as evidence and move it to the Evidence attachment type. For example, IOCs, screenshots, logs, and more.

  • Evidence: These include supporting data that serve as evidence of the threat. If you find any evidence to be an artifact, you can mark an evidence file as an artifact and move it to the Artifacts attachment type.

  • Miscellaneous: These include other supporting data that is related to an incident but does not serve as an artifact or evidence.

You can delete only untriaged incidents for which you have the necessary access permissions. Incidents that are not untriaged, or for which you lack the necessary permissions, are disabled for deletion and cannot be deleted.

The administrator must configure and enable the Google Maps integration to enable the Map view of incidents.

Based on your access level, you can view the incidents that are linked to your allowed business units on the incident listing page.

Time to resolution (TTR) is the time taken to resolve an incident from the open state to the closed state. The following calculation is used to determine the TTR value:

TTR = Incident closed time - Incident opened time

If an incident is reopened, the following calculation is used to determine the TTR value:

TTR = Incident closed time - Incident opened time - Incident closed duration

Time to detection (TTD) is the time taken to detect an incident as malicious. The following calculation is used to determine the TTD value:

TTD = Detection Time - Incident Time

Note

Detection Time and Incident Time values are retrieved from the Incident Details.

Assignment SLA is the time limit from the incident opened time within which you must assign a user. This SLA refers to the triaging phase of an incident.

  • If a user is assigned, the following calculation is used to determine the Assignment SLA value:

    Assignment SLA = Time of first user assignment - Incident opened time

  • If a user is not assigned, the following calculation is used to determine the Assignment SLA value:

    Assignment SLA = Current time - Incident opened time

Resolution SLA is the timeframe within which an incident must be resolved after it has been assigned to a user. This SLA refers to the post-triaging phase of an incident.

  • If the incident is closed, the following calculation is used to determine the Resolution SLA value:

    Resolution SLA = Incident closed time - Incident opened time

    • If the incident was reopened before being closed again, the time it spent in the closed state is excluded, consistent with the TTR and open-state calculations:

      Resolution SLA = Incident closed time - Incident opened time - Incident closed duration

  • If the incident is merged, the following calculation is used to determine the Resolution SLA value:

    Resolution SLA = Incident merged time - Incident opened time - Incident closed duration - Incident paused duration

  • If the incident is in the open state, the following calculation is used to determine the Resolution SLA value:

    Resolution SLA = Current time - Incident opened time

    If the incident is reopened, the following calculation is used to determine the Resolution SLA value:

    Resolution SLA = Current time - Incident opened time - Incident closed duration

    Note

    The incident opened time does not include the time spent in the untriaged state.

Incident cost tracking is the total cost incurred by the organization due to the incident. You can configure Incident cost tracking in Admin > Configurations > Incident. The following calculation is used to determine incident cost tracking value:

Incident Cost Tracking = Miscellaneous Costs + Total cost incurred by analysts on the incident + Total actions cost

Miscellaneous costs are configured in incidents. In the new layout, miscellaneous costs are configured in Summary > Total Cost card > View Details.

In the old layout, miscellaneous costs are configured in Incidents > Miscellaneous > Cost Tracking.

Incident time tracking enables you to track the time spent by Respond users and user groups on incidents.

  • If the incident is closed, the following calculation is used to determine the incident time tracking value:

    Incident Time Tracking = Incident closed time - Incident created time - Incident paused duration

  • If the incident is paused, the following calculation is used to determine the incident time tracking value:

    Incident Time Tracking = Incident paused time - Incident created time - Paused duration

    Note

    Incident paused time is the time when the incident was paused. Paused duration is the total time the incident spent in the paused state.

  • If the incident is not in a closed or paused state, the following calculation is used to determine the incident time tracking value:

    Incident Time Tracking = Current time - Incident created time - Incident paused duration - Incident closed duration
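The TTR, TTD, Assignment SLA, Resolution SLA and incident time-tracking formulas above all depend on two derived terms, the incident's paused duration and closed duration, which are not stored directly but accumulate from pause/resume and close/reopen transitions. The following added example (not Cyware code) derives both terms from a status history and applies each formula, including the reopened and currently-paused cases. The event names, the (timestamp, event) history shape, and the sample history are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Added example, not Cyware code. Event names and the history shape are
# assumptions; the metrics follow the formulas on this page.

STATUS_EVENTS = ("opened", "paused", "resumed", "closed", "reopened", "merged")

def _first(events, name):
    return next((t for t, e in events if e == name), None)

def _last(events, name):
    return next((t for t, e in reversed(events) if e == name), None)

def current_status(events):
    """Status implied by the last status-changing event (resume/reopen mean Open)."""
    for _, e in reversed(events):
        if e in STATUS_EVENTS:
            return "open" if e in ("opened", "resumed", "reopened") else e
    return "untriaged"   # only "created"/"assigned" so far: no opened time yet

def _interval_total(events, start_name, end_name, until):
    """Total time between each start event and its matching end event, up to
    `until`. A start event at exactly `until` contributes 0, so the pause or
    close that begins at `until` is never counted against itself."""
    total, start = timedelta(0), None
    for t, e in events:
        if t > until:
            break
        if e == start_name and start is None:
            start = t
        elif e == end_name and start is not None:
            total, start = total + (t - start), None
    if start is not None:          # interval still open at `until`
        total += until - start
    return total

def paused_duration(events, until):
    return _interval_total(events, "paused", "resumed", until)

def closed_duration(events, until):
    return _interval_total(events, "closed", "reopened", until)

def time_to_resolution(events):
    """TTR = Incident closed time - Incident opened time - Incident closed duration."""
    opened, closed = _first(events, "opened"), _last(events, "closed")
    if opened is None or closed is None or current_status(events) != "closed":
        return None
    return closed - opened - closed_duration(events, closed)

def time_to_detection(incident_time, detection_time):
    """TTD = Detection Time - Incident Time (both from the incident details)."""
    return detection_time - incident_time

def assignment_sla(events, now):
    """First assignment (or now) minus opened time; untriaged incidents have no clock."""
    opened, assigned = _first(events, "opened"), _first(events, "assigned")
    if opened is None:
        return None
    return (assigned or now) - opened

def resolution_sla(events, now):
    opened, status = _first(events, "opened"), current_status(events)
    if opened is None:
        return None
    if status == "merged":
        merged = _last(events, "merged")
        return merged - opened - closed_duration(events, merged) - paused_duration(events, merged)
    if status == "closed":
        closed = _last(events, "closed")
        return closed - opened - closed_duration(events, closed)
    # open, including reopened: closed_duration is zero if never reopened
    return now - opened - closed_duration(events, now)

def incident_time_tracking(events, now):
    created, status = _first(events, "created"), current_status(events)
    if status == "closed":
        closed = _last(events, "closed")
        return closed - created - paused_duration(events, closed)
    if status == "paused":
        paused_at = _last(events, "paused")      # start of the current pause
        return paused_at - created - paused_duration(events, paused_at)
    return now - created - paused_duration(events, now) - closed_duration(events, now)

# Constructed sample history: triaged 30 min after creation, paused for an hour,
# closed, reopened two hours later, and closed again.
T0 = datetime(2024, 5, 1, 9, 0)
H = timedelta(hours=1)
SAMPLE = [
    (T0, "created"), (T0 + H / 2, "opened"), (T0 + 1 * H, "assigned"),
    (T0 + 2 * H, "paused"), (T0 + 3 * H, "resumed"), (T0 + 5 * H, "closed"),
    (T0 + 7 * H, "reopened"), (T0 + 8 * H, "closed"),
]

if __name__ == "__main__":
    now = T0 + 9 * H
    print("TTR:", time_to_resolution(SAMPLE))                      # 5:30:00
    print("Assignment SLA:", assignment_sla(SAMPLE, now))           # 0:30:00
    print("Resolution SLA:", resolution_sla(SAMPLE, now))           # 5:30:00
    print("Time tracking:", incident_time_tracking(SAMPLE, now))    # 7:00:00
```

Note the two different baselines: the SLA and TTR formulas start at the opened time, so the untriaged interval is excluded, while time tracking starts at the created time. Slicing the sample history (for example, up to the reopen or up to the pause) reproduces the open-reopened and currently-paused branches of the formulas.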

Action time tracking is the time taken to respond to an action, tracked per user, phase, user group, and status.

  • If the action is marked as closed, the following calculation is used to determine the action time tracking value:

    Action Time Tracking = Action closed time - Action created time

  • If the action is marked as resolved, the following calculation is used to determine the action time tracking value:

    Action Time Tracking = Action resolved time - Action created time

  • If the action is not closed or resolved, the following calculation is used to determine the action time tracking value:

    Action Time Tracking = Current time - Action created time