Cyware Fusion and Threat Response

Configure Incident Settings

Incident configuration helps you define the permissions and criteria for updating incidents. The following are incident configurations:

  • Permissions and criteria to close incidents

  • Time limit to reopen incidents

  • Incident cost tracking options

  • Permission to merge incidents

  • Preference to pause SLA for paused incidents

Incident Closure

Configure the settings to close incidents based on:

  • The user group permissions to close incidents, which depend on the type and severity of the incidents. For example, you can allow only the Incident Response team to close High severity Hacking incidents.

  • The status of the associated actions and PIRs.

To configure the settings to close incidents, follow these steps:

  1. Go to Admin Panel > Configurations > Incident > Incident Closure.

  2. To configure the user groups who can close incidents based on the incident type and severity, click Configure the user groups who can close Incidents based on the severity and incident type and follow these steps:

    Note

    By default, any user group that has Create/Update permission to Incidents can close the incidents irrespective of the incident type and severity.

    1. Click New Mapping, and select a unique combination of Severity and Incident Type.

      Note

      The Incident Type and Severity field values are based on the options configured in the field settings in incident workflows. For more information, see Create Incident Workflow.

    2. Select the User Groups that can close the incidents.

    3. Click Save.

  3. Click Action and PIR Status and follow these steps:

    • In Action Status, select one of the following conditions to close an incident, and click Save:

      • No Condition: You can close an incident irrespective of the associated action status.

      • All Actions Closed: You must close all the associated actions to close an incident. By default, this option is selected.

      • All Actions Closed or Resolved: You must resolve or close all the associated actions to close an incident.

    • In PIR Status, select one of the following conditions to close incidents, and click Save:

      • No Condition: You can close an incident irrespective of the associated PIR status. By default, this option is selected.

      • All PIRs Closed: You must close all the associated PIRs to close an incident.
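The three closure settings above combine into a single gate. The following Python sketch is an added example for reasoning about a planned configuration before saving it; it is not Cyware code and does not call any Respond API. The option names come from this page, while the data model, the status values such as Open, the sample group names, and the reading that a severity/type mapping replaces the default Create/Update rule are assumptions.

```python
from dataclasses import dataclass, field

# Option names are the ones listed above; None means "No Condition".
ACTION_OK = {
    "No Condition": None,
    "All Actions Closed": {"Closed"},
    "All Actions Closed or Resolved": {"Closed", "Resolved"},
}
PIR_OK = {"No Condition": None, "All PIRs Closed": {"Closed"}}

@dataclass
class ClosurePolicy:
    # (severity, incident type) -> user groups allowed to close (assumed model)
    mappings: dict = field(default_factory=dict)
    action_status: str = "All Actions Closed"  # default per this page
    pir_status: str = "No Condition"           # default per this page

@dataclass
class Incident:
    severity: str
    incident_type: str
    action_statuses: list
    pir_statuses: list

def _unmet(required, statuses):
    """Statuses that violate the selected condition."""
    return [] if required is None else [s for s in statuses if s not in required]

def closure_blockers(policy, incident, user_groups, update_groups):
    """Return the reasons a close attempt would be refused; empty means allowed."""
    blockers = []
    # Assumed reading: a mapping for this severity/type replaces the default,
    # which is any group holding Create/Update permission on Incidents.
    key = (incident.severity, incident.incident_type)
    allowed = policy.mappings.get(key, update_groups)
    if not set(user_groups) & set(allowed):
        blockers.append("user group not permitted for this severity and type")
    if _unmet(ACTION_OK[policy.action_status], incident.action_statuses):
        blockers.append(f"action status: {policy.action_status} not met")
    if _unmet(PIR_OK[policy.pir_status], incident.pir_statuses):
        blockers.append(f"PIR status: {policy.pir_status} not met")
    return blockers

# Constructed sample data, not taken from a real deployment.
POLICY = ClosurePolicy(mappings={("High", "Hacking"): {"Incident Response"}})
UPDATE_GROUPS = {"Incident Response", "SOC Analysts"}
INCIDENT = Incident("High", "Hacking", ["Closed", "Resolved"], ["Open"])

if __name__ == "__main__":
    for groups in (["SOC Analysts"], ["Incident Response"]):
        print(groups, closure_blockers(POLICY, INCIDENT, groups, UPDATE_GROUPS))
```

With the default settings, the sample incident stays open even for the Incident Response group, because one associated action is only Resolved.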

Incident Reopen

Configure the time limit within which users can reopen a closed incident. By default, the time limit to reopen an incident is two days. You can also choose to allow users to reopen closed incidents at any time.

To configure the time limit to reopen an incident, follow these steps:

  1. Go to Admin Panel > Configurations > Incidents > Incident Reopen.

  2. Click Incident Reopening Time Limit.

  3. Do one of the following:

    • Select Reopen Incidents within and enter the time limit within which users can reopen closed incidents. For example, 10 Days and 12 Hours.

      Note

      Reopening an incident does not modify the incident creation date. It is recommended to use a shorter incident reopen time limit for optimal dashboard visualizations, as some dashboard widgets may use the incident creation date.

    • Select Reopen Incidents anytime to allow users to reopen closed incidents anytime without any time limit.

  4. Click Save.

Cost Tracking

Configure the preference to calculate the cost associated with an incident based on the following criteria:

  • Incidents Phase: Cost is calculated based on the time spent by the assigned user on each phase of an incident.

  • Action: Cost is calculated based on the time spent by the assigned user on each associated action of an incident.

  • Both: Cost is calculated based on the cost incurred during each phase and associated action of an incident. By default, this option is selected.

The cost incurred due to an incident depends on:

  • Time spent by the assigned user on the incident.

  • Cost configuration that is defined in Admin Panel > Configurations > Basic Configuration. For more information, see Configure General Settings.

  • Cost of the assigned user group, which is defined in User Group Management. For more information, see Create User Group.

To configure the cost-tracking criteria for incidents, follow these steps:

Note

This is a one-time configuration and cannot be modified later.

  1. Go to Admin Panel > Configurations > Incident > Cost Tracking.

  2. Click Cost Tracking Calculation Criteria and select an option for incident cost calculation.

  3. Click Save.

Incident Merge

Configure the permissions to allow users to merge incidents that are associated with different Business Units (BUs), Locations, Sources, and Severity.

To configure the merge incidents permissions, follow these steps:

  1. Go to Admin Panel > Configurations > Incident > Incident Merge.

  2. Click Permissions to Merge Incidents and select the permissions to merge incidents from the list:

    • Allow incidents of different Business Units to be merged

    • Allow incidents of different Locations to be merged

    • Allow incidents of different Sources to be merged

    • Allow incidents of different Severity to be merged

  3. Click Save.

Incidents Paused

Configure whether you want to pause the resolution SLA when incidents are paused. Pausing the resolution SLA lets security analysts wait for approvals or information from stakeholders without breaching the SLA. The Pause SLA setting is disabled by default.

To enable the pausing of resolution SLA when incidents are paused, follow these steps:

  1. Go to Admin Panel > Configurations > Incident > Incident Paused.

  2. Turn on the Pause Resolution SLA when Incidents are paused? toggle.

  3. Click Save.

The Resolution SLA field of paused incidents is displayed as Paused.

External Incident Reporting

Configure External Incident Reporting to enable external applications to report incidents. After this is configured, users from other applications, such as Collaborate, can create incidents in Respond.

Note

This feature is available in Respond v3.4.3.6 onwards.

Before You Start:

Ensure you have integrated Collaborate with Respond. For more information, see Integrate CSAP.

Steps:

To enable external incident reporting, follow these steps:

  1. Go to Admin Panel > Configurations > Incident > External Incident Reporting.

  2. Turn on the Incident Reporting toggle.

  3. In Notes Display Name, enter a display name for notes. This name will be displayed as a username in external applications when you send a note from Respond.

  4. Click Save.

Note

After you enable this, ensure you configure the External Incident Details form in Admin > Form Management > Incident Workflow. For more information, see Create Incident Workflow.