Incidents list

The incidents list shows the registered incidents with their corresponding threat levels. You can see all reported incidents that have been determined to be critical, those that you should keep an eye on, and those that are considered to be nuisances in your network. Critical incidents must be handled without delay: they indicate hosts that have been infected with malicious software. Failing to deal with critical incidents is highly risky and increases the probability that other hosts in your network will be compromised as well.

Incidents that you have not examined yet are marked as unread, while those that you have already examined are marked as read. You can select incidents and perform actions on them, such as marking them as read or unread. You can also close or open the selected incidents.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Use the Select pull-down menu for a fine-tuned selection. Its options allow you to select All visible incidents or to Clear selection. You can also select Read (current page) or Unread (current page) incidents. Alternatively, click the checkbox icon in the title row to select all visible incidents.

Use the Action pull-down menu to update the selected incidents: Mark as read, Mark as unread, Close, or Open.

Customize the number of rows to be displayed. The default is 20 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Each row is a summary of an incident. Click the plus icon (or anywhere on an entry row) to access the incident details. To select an incident row, click its checkbox icon.

The list is sorted by Impact and includes the following fields:

Host

The host affected by this incident. This column displays the IP address, host name, or label of the host, depending on the option chosen in the Display settings pop-up.

Click the search icon to view the Activity for host page, showing details about the host. Click the Investigations pages icon to view the Network analysis graph for the host.

Click the sort icon to sort the list by host.

Sensor

The Sensor that detected the events making up this incident.

Click the sort icon to sort the list by sensor.

Detection events

Number of events that comprise this incident. This is a link displaying an event count and the details icon. Clicking this link loads the Network events page, filtered to show only events for this incident.

Click the sort icon to sort the list by events.

Start

Start time of incident.

Click the sort icon to sort the list by start time.

End

End time of incident.

Click the sort icon to sort the list by end time.

Threat

Name of the detected security risk.

Click the sort icon to sort the list by threat.

Threat class

Name of the detected security risk class.

Click the sort icon to sort the list by threat class.

Impact

The impact value indicates the critical level of the detected threat and ranges from 1 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30 and 69 are considered to be medium-risk.

  • Threats that are between 1 and 29 (below 30) are considered to be benign.

If the stop icon appears, it indicates the artifact has been blocked.

The list is sorted in decreasing order of impact (most critical incidents at the top). Click the angle up icon to sort the list in increasing order (least critical incidents at the top), then click the angle down icon to toggle back to the default.