ESET Online Help

Search
Select the category
Select the topic

Incidents

The Incident management system has multiple tools, including commenting and editing incident attributes.

You can create new incidents in Computers, Detections, and Executables details.

Incidents inspected by an ESET Services Representative (ESR) will have the new flag Investigated by ESET added after the incident's name.

Filtering, Tags and Table options

Use filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear gear_icon icon for table options to manage the main table.

Choose an option to create a new incident or add the detection to an existing incident.

Create incident—Redirects the user to the wizard window.

Add to current incident—Add elements to the current incident.

Add to recent incident—Add elements to one of the last three incidents.

Select incident to add to—Add elements to the selected incident.

incident_statuses

Incident severity

Low severity

Medium severity

High severity

Incident statuses

Open—The report is open or reopened by a security administrator or other user.

In-progress—The report is in progress and currently being investigated.

On Hold—The report is on hold and waiting for inputs from the report analysis.

Resolved—The report is resolved and waiting for closure.

Closed—The report is closed.

Invalid—The report is invalid.

Select an incident to open the information window, which consists of the following parts:

Timeline

ESET AI Advisor

Incident graph

Detections

If the report contains detections, they are shown here. You will find the same options to work with detections as the Detections tab, except for a Remove button, which allows users to remove selected detections from the report.

Computers

If the report contains any computers, they are shown here. You will find the same options to work with detections as the Computers tab, except for a Remove button, which allows users to remove selected computers from the report.

Executables

If the report contains executables, they are shown here. You will find the same options to work with executables as the Executables tab, except for a Remove button, which allows users to remove selected executables from the report.

Processes

If the report contains any processes, they are shown in this tab. You can remove selected processes from the report.

Click an incident name to take further actions:

Details—Go to incident details tab.

Make current incident—Indicate a current incident by highlighting it blue.

Assign—Assign the report to a specific user for investigation.

Progress—Change the progress state of selected incident.

oStart progress—Change the report status to “In progress”.

oOn hold—Change the report status to “On hold”.

oResolve—Change the report status to “Resolved”.

oClose—Change the report status to “Closed”.

oReopen—Reopen the report for reinvestigation.

oInvalid—Change the report status to “Invalid”.

oDelete incident—Delete the incident.

Access groupDisplays the currently assigned access group. Click Move to reassign access group.

Tags—Assign tags to an incident from the existing list or create new custom tags.

Filter—Show quick filters on the column where you activated the context menu (Show only this, Hide this).

 

Threat indicators—Display threat indicators in the timeline if checked.

Behaviours—Show threat behaviors in the timeline if checked.

Analyst actions—List analyst actions in the timeline if checked.