Summary
The Summary tab provides an overview of the incident's details in the form of cards. These cards include data for the essential features of incident response, which helps you analyze incident details in one place. In Summary, you can add notes, connect the dots, run playbooks, track the cost and time of the incident, and more.
Steps
To view the incident summary, follow these steps:
Go to Menu > Incidents.
Select an incident, and go to the Summary tab. You can view the following details:
Phase flow type: Hover over to view the incident phase flow type. There are two types of phase flows:
Linear Flow: In this flow, you must complete the phases in the sequence configured by your administrator.
Non-Linear Flow: In this flow, you have the flexibility to move to any phase.
Current Phase: View the current phase of the incident.
Total Time Spent: View the total time spent on the incident response, from the opening to the closing of the incident.
Phase Timeline: View phase-wise progress of the incident response and the time spent on each phase. A green check mark on a phase indicates that the phase is completed. A blinker on a phase indicates the current phase of the incident. You can turn on the View Logs toggle to view the activity logs.
The Summary tab includes the following cards:
Card Name | Description |
---|---|
Incident Details | View the incident ID and other details that were filled in while creating the incident. You can also directly update incident details in this card. To view all the details, hover over the Incident Details card, and click View Details. For more information, see Create Incident. |
Notify Business Units | View the status of the incident notifications sent to the impacted business units. You can send primary and follow-up notifications to the impacted business units. Note: This card is visible only if Incident Notifications is enabled in the Admin panel. For more information, see Notify Business Units. |
Connect the Dots | View the number of components and threat intel connected to the incident using the visualizer. To connect components and threat intel to the incident, hover over the Connect the Dots card and click Add. AI suggestions are only available for components. For more information, see Connect the Dots. |
Playbooks | View the number of Orchestrate playbooks that are triggered, failed, or require user input. To view the run logs for failed playbooks, click Failed. To view and run other related playbooks, hover over the Playbooks card, and click View all Playbooks. For more information, see Actions and Playbooks. |
Actions | View the actions assigned to you and your user group. To add actions, hover over the card and click Add. To view all actions and their associated phases in the incident, click View Details. For more information, see Actions and Playbooks. |
Knowledge Base | View the number of Knowledge Base articles added to the incident. To add a Knowledge Base article, hover over the card and click Add. To view the list of Knowledge Base articles and their details, click View Details. For more information, see Create Knowledge Base. |
Attachments | View the number of attachments associated with the incident and their attachment type. To add an attachment, hover over the card and click Add. To view the list and details of attachments added to the incident, click View Details. For more information, see Add Attachments. |
Merged Incidents | View the number of incidents merged with the incident. To merge the incident, hover over the card, and click Add. To view the details of the merged incidents, click View Details. For more information, see Merge Incidents. |
Notes | View the number of notes associated with the incident. You can preview and edit notes from the card. To add a note, hover over the card and click Add. To view the list and details of the notes added to the incident, click View Details. For more information, see Create Notes. |
Enhancements | View the number of enhancements associated with the incident and their priority level. To create an enhancement, hover over the card, and click Add. To view the list and details of enhancements added to the incident, click View Details. For more information, see Create Enhancements. |
Time Tracking | View the total time spent on the incident. This card also provides specifics on time spent on the incident and on the associated actions separately. To view details of the time tracking, hover over the Time Tracking card and click View Details. You can select an incident or an action for tracking from the dropdown and filter them by User, Action, Status, and Group. Click Show Detailed View to view all the details of the time tracking. Note: Starting from Respond v3.4.2, the time tracking stops when the incident is paused or closed. If the incident is reopened, the time tracking resumes. |
Total Cost | View the total cost incurred by your organization due to the incident. The card also displays the cost incurred during the incident phases, the cost of resolving the actions, and other costs that are indirectly related to the incident. To add a new cost, hover over the card, and click Add. Click View Details to view details on the total cost of the incident. Note: The Total Cost card is visible only if you have View or Create/Update permissions for Cost Tracking. For more information, see Configure Incident Settings. |
PIRs | View the number of Priority Intel Requirements (PIRs) created in the incident. To add PIRs, hover over the card, and click Add. To view the list and details of the PIRs added to the incident, click View Details. For more information, see Create PIRs. |
Notify Business Units
When an incident is created, you can send email notifications to the impacted business units. If you do not receive a response from the business units, you can send follow-up notifications.
Note
The email address configured in the Mailbox settings is automatically included in the Cc field when you send incident notifications to business units.
Notification Types
Primary Notification: You can send an initial notification regarding the incident impacting the business unit. Use primary notification to request acknowledgment from the business unit to respond to the incident effectively.
Follow Up: In cases where no response is received following the primary notification, you have the option to send up to three follow-up notifications. These follow-up notifications can be sent at designated intervals specified by the administrator.
The timelines for the incident notifications are set by the administrator based on the incident's severity level, incident type, locations, and impacted business units. For more information, see Configure Incident Notification Process.
Before you Start
The email server must be configured by your administrator to send the email notifications. For more information, see Configure Email Server.
Steps
To notify the impacted business units about an incident, follow these steps:
Go to Menu > Incidents, and select an incident.
In the Summary tab, go to the Notify Business Units card. Hover over Primary Notification and click Send Notification. You can send the primary notification only when it is due.
Add the following recipients to send the email notification:
Customer Email IDs: Enter the email IDs of the recipients of the business unit. By default, notifications can be sent to the business unit's recipients if they have already been configured by the administrator. For more information, see Manage Business Units.
Internal Users: Select the application users from the list of active users added by the administrator in User Management.
Click Submit.
An email notification is sent to the recipients using the email template configured by your administrator for the impacted business units. If no template is configured, the default template is used.
Note
The primary and follow-up notifications are sent using the templates configured by your administrator in Admin > Email Customization > Incident Notification. For more information, see Configure Email Template.
Send follow-up notifications
Once the primary email notification is sent, the 1st follow-up timer begins. You should expect a response from the impacted business unit before the 1st follow-up is due. If no response is received, you can send a follow-up notification. You can send up to three follow-up notifications.
If you receive a response, click Response Received to stop the incident follow-up notification process for the incident. After the notification process is stopped, you can no longer send email notifications to the impacted business unit.
Add Attachments
During the incident response, you can upload attachments related to the incident. You can add files in any format, as one of the following attachment types:
Artifacts: These include supporting data that serves as a reference throughout incident investigations, for example, IOCs, screenshots, and logs. During the investigation, if you find an artifact to be evidence of the threat, you can mark the artifact as evidence and move it to the Evidence attachment type.
Evidence: These include supporting data that serve as evidence of the threat. If you find any evidence to be an artifact, you can mark an evidence file as an artifact and move it to the Artifacts attachment type.
Others: These include other supporting data that is related to an incident but does not serve as an artifact or evidence.
Steps
To add an attachment to an incident, follow these steps:
Go to Menu > Incidents and open an incident.
Go to the Attachments card, hover over the card, and click Add.
Select the appropriate attachment type.
Drag and drop the file in the attachment area or click Upload to add an attachment.
Note
You can upload up to 10 files simultaneously, with a maximum size of 100 MB each.
Manage Attachments
After adding attachments, click View Details to perform the following activities to manage attachments:
Preview the attached images. The supported formats are JPG/JPEG and PNG.
Download attachments
Add notes in an attachment
Delete attachments
Note
You cannot delete attachments that are marked as evidence.
Mark artifacts as evidence and vice versa
Create Knowledge Base
The articles in the Knowledge Base describe how to detect, analyze, and resolve commonly encountered security issues. You can create and manage documentation relevant to your organizational security incident response process in the Knowledge Base. You can create a knowledge base specific to the incident.
Steps
To create a knowledge base in an incident, follow these steps:
Note
The fields for creating knowledge base articles differ based on the form configured by the administrator in Admin > Form Management > Enhancement.
Go to Menu > Incidents, and select an incident.
Go to the Knowledge Base card, hover over the card, and click Add.
Click Create New. Add the following details to create a knowledge base article:
Title: Enter a title for the knowledge base article.
(Optional) Description: Enter a description of the knowledge base article.
Type: Select the type of the knowledge base. Some of the knowledge base article types are Framework, Guideline, Playbook, Policy, Report, SOP, and Workflow.
Locations: Select the locations for the knowledge base article.
TLP: Select the TLP of the knowledge base article.
Business Units: Select the business units to allow specific users to access the knowledge base article. Only Respond users from the selected business units can access the knowledge base article.
Click Create.
Merge Incidents
When one or more incidents have similar details and require the same response, you can merge such incidents as child incidents into the existing incident (parent incident). After merging, the child incidents do not require individual responses and will automatically close when the parent incident is closed. If you are not yet certain that the required incident response is the same, you can instead link the child incident with the parent incident as Related Incidents in Connect the Dots > Components, and merge them once you are certain that the incident response is the same.
Note
After incidents are merged, you cannot unmerge them. Merged incidents cannot be modified and can only be opened in read-only mode.
Filter Merged Incidents by Resolution Status
You can filter incidents based on the resolution status. This facilitates the tracking of merged incidents that are automatically closed when the parent incident is closed. For example, if you want the list of incidents that were merged and closed, use the filter Resolution Status and select Merged and Closed. Additionally, the table view and export file of incidents include a new column that displays the resolution status.
Before you Start
You have Create/Update permission for Merge Incidents.
Steps
To merge incidents, follow these steps:
Go to Menu > Incidents, and select the incident (parent) to which you want to merge other incidents as child incidents.
In the Summary tab, go to Merged Incidents, hover over the card, and click Add.
By default, the current incident is selected as the Parent Incident and cannot be modified. In Child Incidents, search and select the incidents to be merged from the incident list.
Click Proceed.
Review the selected child incidents and do one of the following:
To merge incidents using a template configured by your administrator, click Merge with Template, select a template, and then click Merge. If you merge incidents with a template, data from the child incidents will be added to the parent incident. For more information, see Configure Templates for Incidents.
Note
You cannot merge incidents for which you do not have the required permissions.
To merge incidents without a template, click Merge. If you merge incidents without a template, data from the child incidents will not be added to the parent incident.
To proceed with the merge, type Merge Incidents on the confirmation message, and click Merge.
You can track the status of the merged incidents in the Background Process in the top app bar. After incidents are merged, you will receive an email with the merged details. The status of the child incidents changes to Merged and they appear in the Merged Incidents card of the parent incident.
Create Notes
Use Notes to document key information and observations related to the incident for reference. Anyone who has access to the incident can view and add notes. You can also tag various users in the notes using the @ symbol followed by the username.
Steps
To add a note, follow these steps:
Go to Menu > Incidents, and select an incident.
In the Summary tab, go to the Notes card.
Hover over the card, and click Add.
Add a note and click Send.
Manage Notes
To pin the note, hover over the note, and click Pin. To view all the pinned notes, click Pinned in the top left.
You can edit and delete notes if required.
You can search for a note or apply filters such as Group, Type, and User to sort the notes.
Create Enhancements
Enhancements refer to the improvements in the security framework of an organization such as changes in the security strategy and policy, implementation of new security guidelines, and more. During incident analysis, if you identify a gap in the security framework, you can create an enhancement and include relevant details.
Before you Start
Ensure that you have Create/Update permission for Enhancements.
Steps
To create an enhancement, follow these steps:
Go to Menu > Incidents, and select an incident.
In the Summary tab, go to the Enhancements card.
Hover over the card, and click Add.
Enter the following details to create an enhancement:
Note
The fields for creating enhancements differ based on the form configured by the administrator in Admin > Form Management > Enhancement.
Title: Enter a title for the enhancement.
(Optional) Description: Enter a description that best describes the details of the enhancement.
Assigned Group: Select a user group to assign to the enhancement. Only users from the assigned user group can be assigned to the enhancement.
(Optional) Enhancement Type: Select the enhancement type. Some examples of the Enhancement types are New Guidelines, Policy Change, Process Update, and Strategy Change.
Priority: Select a priority of the enhancement. This helps in grouping the enhancements based on their priorities. Some examples of the priority types are Very Low, Low, Medium, High, and Very High.
(Optional) Due Date: Enter a due date for completing the enhancement.
(Optional) Labels: To categorize the enhancement, select the appropriate labels from the Labels dropdown.
Click Submit.
An enhancement is created with Open status and a unique ID is assigned, for example, #ENH123.
Create PIRs
Priority Intel Requirements (PIRs) are the requests raised by security analysts for the security team members, such as incident managers or Chief Information Security Officers (CISO), to provide security information. Security analysts can also raise PIRs to request approvals to perform a security-related operation.
Steps
To create a PIR, follow these steps:
Go to Menu > Incidents, and select an incident.
In the Summary tab, go to the PIRs card.
Hover over the card, and click Add. Enter the details of the PIR:
Title: Enter a title for the PIR.
(Optional) Description: Enter a description that best describes the details of the PIR.
Priority: Select a priority for the PIR. This helps in grouping PIRs according to their priorities. Some examples of the priority types are Very Low, Low, Medium, High, and Very High.
Assigned Group: Select a user group to assign the PIR. Only the users from the selected user group can be assigned to the PIR.
(Optional) Due Date: Enter a due date for the completion of the PIR.
(Optional) Labels: To categorize the PIR, select appropriate labels from the dropdown.
Click Submit.
Custom: Displays the tabs that are configured by the administrator. For more information, see Add New Tab in Forms.
To view the list of PIRs and their details, click View Details. You can perform the following operations to manage PIRs:
Search PIRs and filter PIRs based on the Assigned Group, Created by, Labels, and more.
Reorder the PIRs based on the ascending or descending order of the PIR titles.
Sort the PIRs based on criteria such as Relevance, Last Updated, and Date Created.
Starting from Respond v3.4.3, you can close multiple PIRs by selecting the PIRs and clicking Close. In the confirmation pop-up, click Close.