Configure Incident Settings
Incident configuration helps you define the permissions and criteria to update incidents. The incident configuration includes:
Permissions and criteria to close incidents
Time limit to reopen incidents
Incident cost tracking options
Permission to merge incidents
Preference to pause SLA for paused incidents
Incidents Closure
Configure the settings to close incidents based on:
The user groups who have permission to close incidents based on the type and severity of the incidents. For example, you can allow only the Incident Response team to close High severity Hacking incidents.
The status of the associated actions and PIRs.
To configure the settings to close incidents, do the following:
Go to Admin Panel > Configurations > Incidents > Incident Closure.
To configure the user groups who can close incidents based on the incident type and severity, click Configure the user groups who can close Incidents based on the severity and incident type and do the following:
Note
By default, any user group that has Create/Update permission to Incidents can close the incidents irrespective of the incident type and severity.
Click New Mapping and select a unique combination of Severity and Incident Type.
Note
The Incident Type and Severity field values are based on the options configured in the field settings in incident workflows. For more information, see Create Incident Workflow.
Select the user groups that can close the incidents.
Click Save.
Click Action and PIR Status and do the following:
In Action Status, select one of the following conditions to close an incident, and click Save:
No Condition: You can close an incident irrespective of the associated action status.
All Actions Closed: You must close all the associated actions to close an incident. By default, this option is selected.
All Actions Resolved or Closed: You must resolve or close all the associated actions to close an incident.
In PIR Status, select one of the following conditions to close incidents, and click Save:
No Condition: You can close an incident irrespective of the associated PIR status. By default, this option is selected.
All PIRs Closed: You must close all the associated PIRs to close an incident.
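The closure rules above combine into a single decision: who is asking, what the Severity and Incident Type mapping allows, and whether the Action and PIR conditions are met. The following Python model is an added example, not Cyware code or a Cyware API. The class names, the lowercase status strings, the sample groups, and the rule that an unmapped combination falls back to the default groups are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the rules on this page; not a Cyware API. Status strings are assumed.
ACTION_RULES = {
    "No Condition": lambda s: True,
    "All Actions Closed": lambda s: s == "closed",
    "All Actions Resolved or Closed": lambda s: s in ("resolved", "closed"),
}
PIR_RULES = {
    "No Condition": lambda s: True,
    "All PIRs Closed": lambda s: s == "closed",
}

@dataclass
class ClosurePolicy:
    update_groups: set = field(default_factory=set)  # groups with Create/Update permission
    mappings: dict = field(default_factory=dict)     # (severity, type) -> groups allowed to close
    action_condition: str = "All Actions Closed"     # default stated on the page
    pir_condition: str = "No Condition"              # default stated on the page

@dataclass
class Incident:
    severity: str
    incident_type: str
    action_statuses: list
    pir_statuses: list

def closure_blockers(policy, incident, user_groups):
    """Return the reasons closure is blocked; an empty list means the incident may be closed."""
    blockers = []
    # Assumption: a mapping replaces the default for its combination; unmapped ones use the default.
    key = (incident.severity, incident.incident_type)
    allowed = policy.mappings.get(key, policy.update_groups)
    if not set(user_groups) & set(allowed):
        blockers.append("user group not allowed for this severity and incident type")
    action_ok = ACTION_RULES[policy.action_condition]
    if not all(action_ok(s) for s in incident.action_statuses):
        blockers.append("action condition not met: " + policy.action_condition)
    pir_ok = PIR_RULES[policy.pir_condition]
    if not all(pir_ok(s) for s in incident.pir_statuses):
        blockers.append("PIR condition not met: " + policy.pir_condition)
    return blockers

# Constructed sample: only Incident Response may close High severity Hacking incidents.
POLICY = ClosurePolicy(
    update_groups={"SOC Analysts", "Incident Response"},
    mappings={("High", "Hacking"): {"Incident Response"}},
)
```

Returning every blocker rather than the first one makes it easy to review a planned configuration against sample incidents before it is saved.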
Incidents Reopen
Configure the time limit within which users can reopen a closed incident. The default time limit to reopen an incident is two days. You can also choose to allow users to reopen closed incidents anytime.
To configure the time limit to reopen an incident, do the following:
Go to Admin Panel > Configurations > Incidents > Incidents Reopen.
Do one of the following:
Select Reopen incidents within and enter the time limit to reopen closed incidents. For example, 10 Days and 12 Hours.
Note
Reopening an incident does not modify the incident creation date. Cyware recommends using a lower incident reopen time limit for optimal dashboard visualizations since some dashboard widgets may use the incident creation date.
Select Reopen incidents anytime to allow users to reopen closed incidents anytime without any time limit.
Click Save.
Cost Tracking
Configure the preference to calculate the cost associated with an incident based on the following criteria:
Incidents Phase: Cost is calculated based on the time spent by the assigned user on each phase of an incident.
Action: Cost is calculated based on the time spent by the assigned user on each associated action of an incident.
Both: Cost is calculated based on the cost incurred on each phase and associated action of an incident. This option is selected by default.
The cost incurred due to an incident depends on:
Time spent by the assigned user on an incident.
Cost configuration that is defined in Admin Panel > Configurations > Basic Configuration. For more information, see Configure General Settings.
Cost rate of the assigned user group that is defined in User Group Management. For more information, see Create User Group.
To configure the cost-tracking criteria for incidents, do the following:
Note
This is a one-time configuration and cannot be modified later.
Go to Admin Panel > Configurations > Incidents > Cost Tracking.
Click Cost Tracking Calculation Criteria and select an option for incident cost calculation.
Click Save.
Incidents Merge
Configure the permissions to allow merging incidents that are associated with different Business Units (BUs), locations, sources, and severities.
To configure the incidents merge permissions, do the following:
Go to Admin Panel > Configurations > Incidents > Incidents Merge.
Click Permissions to Merge Incidents and select the permissions to merge incidents:
Allow incidents of different Business Units to be merged
Allow incidents of different Locations to be merged
Allow incidents of different Sources to be merged
Allow incidents of different Severity to be merged
Click Save.
Incidents Paused
Configure whether to pause the resolution SLA when incidents are paused. Pausing the resolution SLA lets security analysts wait for stakeholders to provide approvals or information without breaching the SLA.
The Pause SLA setting is disabled by default. To enable the pausing of resolution SLA when incidents are paused, do the following:
Go to Admin Panel > Configurations > Incident.
Select Incident Paused and enable the Pause Resolution SLA when Incidents are paused? toggle.
Click Save.
The Resolution SLA field of paused incidents now shows Paused.