Incidents
The Incident management system includes multiple tools such as commenting, editing incident attributes, assigning incidents to various users, and changing their status to reflect current progress.
You can create new incidents from the details pages of Computers, Detections, and Executables.
Incidents inspected by an ESET Services Representative (ESR) have the new flag Investigated by ESET added after the name of the incident.
Filtering, Tags and Table options
Use the filters at the top of the screen to refine the list of displayed items. Tags are also powerful when searching for a specific computer, detection, incident, executable, or script. You can also click the gear icon to open the table options and manage the main table.
Choose one of the options to create a new incident or add the detection to an existing incident.
•Create incident—This option redirects the user to the wizard window.
•Add to current incident—Add elements to the current incident.
•Add to incident—Add an element to one of the last three incidents, listed in order.
Incident severity
•Low severity—The severity of the incident is set as low.
•Medium severity—The severity of the incident is set as medium.
•High severity—The severity of the incident is set as high.
Incident statuses
•Open—The report is in an open state or was reopened by a security administrator or other user.
•In-progress—The report is in progress and is currently being investigated.
•On Hold—The report is on hold, waiting for further input from the report analysis.
•Resolved (true positive)—The report is resolved and waiting for closure.
•Closed—The report is closed.
•Invalid (false positive)—The report is in an invalid state.
Select an incident to open the information window, which consists of the following tabs:
•Timeline—Shows detailed time-stamped information about incident changes. The right side shows the Status, Severity, Assigned user, the number of Detections, Executables, Computers and Processes, and any Tags added to the report, together with additional information based on the selected object type. Use the Details button to open the selected object's details page.
oIncident—Comprehensive details of the incident.
oDetails—Comprehensive details of the computer.
oProcess Tree—The process tree related to the process.
oRelated objects—List of objects related to the incident.
•Graph—Displays an interactive node graph visualization of the selected incident with the listed detections, computers and executables, and a timeline describing the sequence of events. Right-click any node in the graph to open a context menu containing a drop-down menu of actions related to the selected node. You can move and reposition any node of the graph to better suit your needs. Use the Graph menu for additional actions:
oFit—Center the graph to display all nodes on the screen.
oReset—Reset the position of all nodes to their initial state.
oRedraw—Update the displayed information in the graph.
The right side of the screen provides additional information based on the element selected in the graph:
oIncident—Comprehensive details of the incident.
oTimeline—Shows detailed time-stamped information about incident changes. Highlights the node in the graph that corresponds to the event selected in the timeline.
oDetails—Comprehensive information about the selected element in the graph.
oProcess tree—Displays the position of the selected element in the process tree.
oRelated objects—List of objects related to the selected element in the graph.
•Detections—If the report contains any detections, they are listed in this tab. It offers the same options for working with detections as the Detections tab, as well as a Remove button that removes the selected detections from the report.
•Computers—If the report contains any computers, they are listed in this tab. It offers the same options for working with computers, as well as a Remove button that removes the selected computers from the report.
•Executables—If the report contains any executables, they are listed in this tab. It offers the same options for working with executables, as well as a Remove button that removes the selected executables from the report.
•Processes—If the report contains any processes, they are listed in this tab. You can remove selected processes from the report.
Click an incident name to take further actions:
•Details—Go to incident details tab.
•Make current incident—Marks the incident as the current incident and highlights it in blue.
•Assign—Assign the report to a specific user to investigate it.
•Progress—Change the progress state of the selected incident.
oStart progress—Use to change the report status to In progress state.
oOn hold—Use to change the report status to On hold state.
oResolve (true positive)—Use to change the report status to Resolved state.
oClose—Use to change the report status to Closed state.
oReopen—Use if you consider that the report needs reinvestigation.
oInvalid (false positive)—Use to change the report status to Invalid state.
oDelete incident—Deletes the incident.
•Access group—Displays the currently assigned access group. Click Move to assign a different access group.
•Tags—Assign tag(s) to an incident from the list of existing tags, or create new custom tag(s).
•Filter—Quick filters, depending on the column where you activated the context menu (Show only this, Hide this).