ESET Online Help


Incidents

Incidents are aggregated collections of related security events and detections that highlight potential threats or suspicious activities within a network. They provide a comprehensive view of security issues by grouping together relevant data, allowing administrators to analyze, prioritize, and respond effectively to potential cybersecurity incidents.

The incident management system provides several tools, including commenting on incidents and editing incident attributes.

You can create new incidents manually from the Computers, Detections, and Executables details screens, or automatically through rules.

Incidents inspected by an ESET Services Representative (ESR) carry the Investigated by ESET flag after the incident's name.

Filtering, Tags and Table options

Use the filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear icon to open the table options and manage the main table.

When you create an incident from a detection, computer, or executable, choose whether to create a new incident or add the item to an existing one:

Create incident—Opens the new incident wizard.

Add to current incident—Adds the selected elements to the incident marked as current.

Add to recent incident—Adds the selected elements to one of the last three incidents.

Select incident to add to—Adds the selected elements to an incident you choose.


Incident severity

Low severity

Medium severity

High severity

Incident statuses

Open—The incident is open or reopened by a security administrator or other user.

In-progress—The incident is in progress and currently being investigated.

Closed—The incident is closed.


Right-click an incident name to take further actions:

Details—Go to incident details tab.

Make current incident—Indicate a current incident by highlighting it blue.

Change status & assignee—Update the assignee and status of the selected incident. The Closed status offers several resolutions for closing the incident, displayed in the Status reason column.

Delete incident—Delete the incident.

Access group—Displays the currently assigned access group. Click Move to reassign the access group.

Tags—Assign tags to an incident from the existing list or create new custom tags.


Incident details

Select an incident to open the information window, which consists of the following parts:

Timeline

ESET AI Advisor

Incident graph

The incident graph displays an interactive node graph visualization of the selected incident, including its detections, computers, executables, and a timeline of events.

Detections

If the incident contains detections, they are shown here. You will find the same options to work with detections as in the Detections tab, plus a Remove button that removes the selected detections from the incident.

Computers

If the incident contains computers, they are shown here. You will find the same options to work with computers as in the Computers tab, plus a Remove button that removes the selected computers from the incident.

Executables

If the incident contains executables, they are shown here. You will find the same options to work with executables as in the Executables tab, plus a Remove button that removes the selected executables from the incident.

Processes

If the incident contains any processes, they are shown in this tab. You can remove selected processes from the incident.

Action buttons

You can manage the incident details with the buttons in the lower part of the screen.

Incidents

Make current incident—Indicate a current incident by highlighting it blue.

Change status & assignee—Update the assignee and status of the selected incident. The Closed status offers several resolutions for closing the incident, displayed in the Status reason column.

Delete incident—Delete the incident.

Access group—Displays the currently assigned access group. Click Move to reassign the access group.

Tags—Assign tags to an incident from the existing list or create new custom tags.

Remediation

Prevent spread:

Block executables—Prevents the executables from running by blocking them based on their SHA-1 hash. The blocked executables appear in the Blocked Hashes section.

Clean & block executables—Moves the executables to quarantine and adds them to Blocked Hashes to prevent future occurrences.

Isolate computers from network—Blocks all network communication on the computers, except communication between ESET security products.

Protect devices:

Kill processes on this computer—Kills the running processes that triggered the detection.

Scan computers for malware—Runs an On-demand computer scan.

Shut down computers—Shuts the computers down.
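The Block executables and Clean & block executables actions above key on the SHA-1 of the file contents, so it helps to know exactly what that hash does and does not cover. The script below is an added example, not ESET code and not an interface to the Blocked Hashes section: it hashes a constructed byte string standing in for an executable (the `SAMPLE` bytes, the `sha1_file`, `is_blocked` and `demo` names, and the temporary file are all assumptions of this example), checks it against a block list the way an operator might have pasted it (uppercase, stray whitespace), and shows that renaming the file leaves the hash unchanged while a single appended byte produces a different SHA-1 that a hash block no longer matches.

```python
import hashlib
import os
import tempfile
from typing import Iterable


def sha1_hex(data: bytes) -> str:
    """Lowercase hex SHA-1 of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-1 of a file on disk, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_blocked(sha1: str, blocked_hashes: Iterable[str]) -> bool:
    """True if the hash is on the block list.

    Whitespace and letter case are ignored so that hashes copied from
    different tools (uppercase, trailing newline) still compare equal.
    """
    normalized = {h.strip().lower() for h in blocked_hashes}
    return sha1.strip().lower() in normalized


# Constructed sample bytes standing in for an executable (not a real binary).
SAMPLE = b"MZ" + b"\x90" * 64 + b"constructed sample payload"
# Block list as an operator might have pasted it: uppercase with a trailing newline.
BLOCKED = {sha1_hex(SAMPLE).upper() + "\n"}


def demo() -> tuple:
    """Hash the sample from disk and check three cases against the block list."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.exe")
        with open(path, "wb") as f:
            f.write(SAMPLE)
        from_disk = sha1_file(path)
        # Renaming changes nothing about the bytes, so the hash is identical.
        renamed_path = os.path.join(d, "renamed.bin")
        os.rename(path, renamed_path)
        renamed = sha1_file(renamed_path)
    # One appended byte yields a different SHA-1, so a hash block no longer matches.
    padded = sha1_hex(SAMPLE + b"\x00")
    return (
        is_blocked(from_disk, BLOCKED),  # True
        is_blocked(renamed, BLOCKED),    # True
        is_blocked(padded, BLOCKED),     # False
    )


if __name__ == "__main__":
    print(demo())
```

The third result is the caveat to keep in mind when relying on Block executables alone: a hash block stops the exact file that was seen, not a recompiled, repacked or padded variant of it, which is why the other remediation actions (isolation, process kill, on-demand scan) are offered alongside it.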

Comment

Add a comment to an incident.

Edit

Name—Edit the name of the incident.

Description—Edit the description of the incident.

Severity—Edit the severity of the incident.

Assignee—Edit the assignee of the incident.

Tags—Assign tags from the existing list or create custom tags.

Comments—Modify the existing comments or add a new comment.

Graph

Fit—Center the graph to display all nodes.

Reset—Return all nodes to their initial positions.

Redraw—Refresh the graph information.