Incidents
The Incident management system has multiple tools, including commenting and editing incident attributes.
You can create new incidents in Computers, Detections, and Executables details.
Incidents inspected by an ESET Services Representative (ESR) will have the new flag Investigated by ESET added after the incident's name.
Filtering, Tags and Table options
Use filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear icon for table options to manage the main table.
Choose an option to create a new incident or add the detection to an existing incident.
•Create incident—Redirects the user to the wizard window.
•Add to current incident—Add elements to the current incident.
•Add to recent incident—Add elements to one of the last three incidents.
•Select incident to add to—Add elements to the selected incident.
Incident severity
•Low severity
•Medium severity
•High severity
Incident statuses
•Open—The report is open or reopened by a security administrator or other user.
•In-progress—The report is in progress and currently being investigated.
•On Hold—The report is on hold and waiting for inputs from the report analysis.
•Resolved—The report is resolved and waiting for closure.
•Closed—The report is closed.
•Invalid—The report is invalid.
Select an incident to open the information window, which consists of the following parts:
The timeline shows incident change information. The upper part shows the Status, Severity, Assigned user and the number of Detections, Executables, Computers, Processes and Tags, if present, added to the report. Anything related is displayed in the Details tab based on the selected object. Click Details to open the object's Details page (based on its type: computer, detection or process).
•Incident—Comprehensive details about the incident.
•Details—Comprehensive details about the object.
•Process Tree—The process tree related to the process.
•Related objects—List of objects related to the incident.
ESET AI Advisor is an LLM tool that assists with incidents created by Incident Creator or provides detection details. It references the selected incident, its elements, and all objects managed by ESET Inspect Web Console.
Ask ESET AI Advisor for help with the selected incident. Here are some example questions:
oSummarize the incident.
oSummarize the incident with attack chain steps in bullet points.
oProvide more information about (specific detection).
oProvide details about (specific program) installation.
oWhat techniques did the adversary use in this incident?
oWhat techniques did the adversary use (for example, credential access/persistence)?
oAdvice on resolving this incident.
If the report contains detections, they are shown here. You will find the same options to work with detections as in the Detections tab, plus a Remove button, which allows users to remove selected detections from the report.
If the report contains any computers, they are shown here. You will find the same options to work with computers as in the Computers tab, plus a Remove button, which allows users to remove selected computers from the report.
If the report contains executables, they are shown here. You will find the same options to work with executables as in the Executables tab, plus a Remove button, which allows users to remove selected executables from the report.
If the report contains any processes, they are shown in this tab. You can remove selected processes from the report.
Click an incident name to take further actions:
•Details—Go to the incident Details tab.
•Make current incident—Mark the incident as the current incident; it is highlighted in blue.
•Assign—Assign the report to a specific user for investigation.
•Progress—Change the progress state of the selected incident.
oStart progress—Change the report status to “In progress”.
oOn hold—Change the report status to “On hold”.
oResolve—Change the report status to “Resolved”.
oClose—Change the report status to “Closed”.
oReopen—Reopen the report for reinvestigation.
oInvalid—Change the report status to “Invalid”.
oDelete incident—Delete the incident.
•Access group—Displays the currently assigned access group. Click Move to reassign access group.
•Tags—Assign tags to an incident from the existing list or create new custom tags.
•Filter—Show quick filters on the column where you activated the context menu (Show only this, Hide this).
•Threat indicators—Display threat indicators in the timeline if checked.
•Behaviours—Show threat behaviors in the timeline if checked.
•Analyst actions—List analyst actions in the timeline if checked.