Incidents
The Incident management system has multiple tools, including commenting and editing incident attributes.
You can create new incidents in Computers, Detections, and Executables details.
Incidents inspected by an ESET Services Representative (ESR) will have the new flag Investigated by ESET added after the incident's name.
Filtering, Tags and Table options
Use filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear 
icon for table options to manage the main table.
Choose an option to create a new incident or add the detection to an existing incident.
•Create incident—Redirects the user to the wizard window.
•Add to current incident—Add elements to the current incident.
•Add to recent incident—Add elements to one of the last three incidents.
•Select incident to add to—Add elements to the selected incident.
Incident severity
•Low severity
•Medium severity
•High severity
Incident statuses
•Open—The report is open or reopened by a security administrator or other user.
•In-progress—The report is in progress and currently being investigated.
•On Hold—The report is on hold and waiting for inputs from the report analysis.
•Resolved—The report is resolved and waiting for closure.
•Closed—The report is closed.
•Invalid—The report is invalid.
Select an incident to open the information window, which consists of the following parts:
The timeline shows Incident change information. The upper part shows information regarding the Status, Severity, Assigned user, number of Detections, Executables, Computers, Processes and Tags, if present, added to the report. Anything related is displayed in the Details tab based on the selected object. Click Details to get to the object's Details page (based on type, computer, detection and process). •Incident—Comprehensive details about the incident. •Details—Comprehensive details about the object. •Process Tree—The process tree related to the process. •Related objects—List of related objects to the incident. |
Displays an interactive node graph visualization of selected incidents, including detections, computers, executables, and a timeline of events. Right-click any node to open a context menu with actions for that node. Nodes can be moved and repositioned. Use the Graph menu for additional actions: •Fit—Center the graph to display all nodes. •Reset—Return all nodes to their initial positions. •Redraw—Refresh the graph information. The screen's right side displays additional information for the selected graph element: •Incident—Comprehensive details about the incident. •Timeline—Shows time-stamped details of incident changes, highlighting the graph node for the selected timeline event. •Details—Comprehensive information about the selected element in the graph. •Process tree—Displays selected element's position from the graph in the process tree. •Related objects—List of related objects to the selected element in the graph. |
If the report contains detections, they are shown here. You will find the same options to work with detections as the Detections tab, except for a Remove button, which allows users to remove selected detections from the report. |
If the report contains any computers, they are shown here. You will find the same options to work with detections as the Computers tab, except for a Remove button, which allows users to remove selected computers from the report. |
If the report contains executables, they are shown here. You will find the same options to work with executables as the Executables tab, except for a Remove button, which allows users to remove selected executables from the report. |
If the report contains any processes, they are shown in this tab. You can remove selected processes from the report. |
Click an incident name to take further actions:
•Details—Go to incident details tab.
•Make current incident—Indicate a current incident by highlighting it blue.
•Assign—Assign the report to a specific user for investigation.
•Progress—Change the progress state of selected incident.
oStart progress—Change the report status to “In progress”.
oOn hold—Change the report status to “On hold”.
oResolve—Change the report status to “Resolved”.
oClose—Change the report status to “Closed”.
oReopen—Reopen the report for reinvestigation.
oInvalid—Change the report status to “Invalid”.
oDelete incident—Delete the incident.
•Access group—Displays the currently assigned access group. Click Move to reassign access group.
•Tags—Assign tags to an incident from the existing list or create new custom tags.
•Filter—Show quick filters on the column where you activated the context menu (Show only this, Hide this).
•Threat indicators—Display threat indicators in the timeline if checked.
•Behaviours—Show threat behaviors in the timeline if checked.
•Analyst actions—List analyst actions in the timeline if checked.