Incidents
The Incidents section will be released gradually in the upcoming weeks.
Incidents correlate related detections into a single incident, which improves threat investigations. Incidents are created automatically from detections, which significantly reduces alert triage time.
The Incidents section lists incidents automatically created from Detections based on pre-defined rules.
Filtering the view
There are different ways to filter your view:
•Click the Tags selector (arrow icon) and choose one or more tags to activate the filter on the listed incidents. Results are highlighted in blue and show incidents with the selected tags.
•Click an Incident severity—High, Medium or Low. You can combine these icons by turning them on or off.
•Click an Incident status—Open, In progress or Closed.
•Click Add Filter and select a filter criterion from the drop-down menu.
oAssignee—type the assignee name.
oAuthor—select from the drop-down menu: ESET, ESET Service or the username.
oCreation time—select from the drop-down menu: < 24h, ≥ 24h ago, ≥ 3 days ago, ≥ 7 days ago, ≥ 14 days ago, ≥ A month ago, ≥ 3 months ago or ≥ 6 months ago.
oLast update—select from the drop-down menu: < 24h, ≥ 24h ago, ≥ 3 days ago, ≥ 7 days ago, ≥ 14 days ago, ≥ A month ago, ≥ 3 months ago or ≥ 6 months ago.
oName—type the incident name.
oNumber of computers—type the number of affected computers.
oNumber of detections—type the number of detections in the incident.
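The filter semantics above (severity and status toggles combined within a group, different filters narrowing the result further, and the creation-time and last-update buckets) are easy to get wrong when reproducing the console view over an exported incident list. The following is an added example written for this page, not ESET code and not an ESET PROTECT API: it models the filters over a handful of constructed incident records. Assumptions it makes are marked in the comments: toggles in one group are ORed and separate filters are ANDed, a selected tag matches if the incident carries any of the selected tags, the Assignee and Name filters are case-insensitive substring matches, and "a month" is taken as 30 days.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Incident:
    name: str
    severity: str            # "High", "Medium" or "Low"
    status: str              # "Open", "In progress" or "Closed"
    author: str              # "ESET", "ESET Service" or a username
    assignee: Optional[str]
    created: datetime
    last_update: datetime
    computers: int           # number of affected computers
    detections: int          # number of detections in the incident
    tags: set = field(default_factory=set)


# Creation time / Last update buckets as listed in the drop-down.
# "< 24h" keeps records newer than one day; each ">= X ago" keeps records
# at least that old. Assumption: a month is 30 days, 3 months 90, 6 months 180.
AGE_BUCKETS = {
    "< 24h": lambda age: age < timedelta(days=1),
    "≥ 24h ago": lambda age: age >= timedelta(days=1),
    "≥ 3 days ago": lambda age: age >= timedelta(days=3),
    "≥ 7 days ago": lambda age: age >= timedelta(days=7),
    "≥ 14 days ago": lambda age: age >= timedelta(days=14),
    "≥ A month ago": lambda age: age >= timedelta(days=30),
    "≥ 3 months ago": lambda age: age >= timedelta(days=90),
    "≥ 6 months ago": lambda age: age >= timedelta(days=180),
}


def filter_incidents(incidents, *, severities=None, statuses=None, tags=None,
                     assignee=None, author=None, creation_time=None,
                     last_update=None, name=None, computers=None,
                     detections=None, now=NOW):
    """Return the incidents that pass every active filter.

    Assumption: toggles within one group (severities, statuses) are ORed,
    while different filters are ANDed, as in a typical console view.
    """
    kept = []
    for inc in incidents:
        if severities and inc.severity not in severities:
            continue
        if statuses and inc.status not in statuses:
            continue
        if tags and not (set(tags) & inc.tags):      # any selected tag matches
            continue
        if assignee and (inc.assignee is None
                         or assignee.lower() not in inc.assignee.lower()):
            continue
        if author and inc.author != author:           # exact match: "ESET" != "ESET Service"
            continue
        if creation_time and not AGE_BUCKETS[creation_time](now - inc.created):
            continue
        if last_update and not AGE_BUCKETS[last_update](now - inc.last_update):
            continue
        if name and name.lower() not in inc.name.lower():
            continue
        if computers is not None and inc.computers != computers:
            continue
        if detections is not None and inc.detections != detections:
            continue
        kept.append(inc)
    return kept


def names(incidents):
    """Convenience: the names of a filtered list, in list order."""
    return [inc.name for inc in incidents]


# Constructed sample records; hostnames, users and counts are made up.
SAMPLE = [
    Incident("Credential dumping on WS-01", "High", "Open", "ESET", None,
             NOW - timedelta(hours=2), NOW - timedelta(hours=1), 1, 3,
             {"lateral-movement"}),
    Incident("Suspicious PowerShell on SRV-DB", "Medium", "In progress", "ESET",
             "analyst1", NOW - timedelta(days=5), NOW - timedelta(days=2), 2, 7,
             {"powershell"}),
    Incident("Unsigned binary on LAPTOP-7", "Low", "Closed", "ESET Service", None,
             NOW - timedelta(days=40), NOW - timedelta(days=35), 1, 1, set()),
    Incident("Ransomware note dropped", "High", "In progress", "jdoe", "analyst2",
             NOW - timedelta(days=10), NOW - timedelta(hours=6), 12, 40,
             {"ransomware", "lateral-movement"}),
]

if __name__ == "__main__":
    # Triage view: high-severity incidents created in the last 24 hours.
    print(names(filter_incidents(SAMPLE, severities={"High"}, creation_time="< 24h")))
```

Combining the High and Medium severity toggles widens the view, while adding a status or creation-time filter narrows it; the "< 24h" and "≥ 24h ago" buckets partition the list, so selecting either one alone never hides an incident from both views.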
Filters and layout customization
You can customize the current Web Console screen view:
•Manage the side panel and main table.
•Add filters and filter presets. You can use tags for filtering the displayed items.
If you cannot find a specific incident in the list and know it is in your ESET PROTECT infrastructure, ensure that all filters are turned off and that the required permission sets are assigned to your user account.
Inspect—Open the ESET Inspect Web Console Incidents section. ESET Inspect is only available when you have an ESET Inspect license and ESET Inspect is connected to ESET PROTECT. A Web Console user requires the Read permission or higher for Access to ESET Inspect.
Refresh—Refresh the page.
Incident details
Select one or more incidents, then click the Actions button or the three dots icon next to an incident to:
•View Details—to display an overview of the incident.
Overview—provides the following information:
oQuick details—incident details are displayed in the main section.
oCompany impact—the number of affected Computers, Executables and Processes. Click the number to go to the related specific page.
oComments—you can Add comment for the incident. Click View all comments to display all created comments. You can Edit comment, Pin comment or Delete comment.
oDescription—incident explanation.
oMITRE ATT&CK® techniques—the MITRE ATT&CK techniques mapped to the selected incident.
oRecommended steps—steps to initiate the incident response process.
Detections—list of detections. You can click the three dots icon to View Details.
Affected Computers—list of affected computers.
Incident Timeline—a timeline with a brief history of the incident, from the triggering event until the incident is closed.
In every section, you can click:
•the Inspect button to redirect into ESET Inspect and investigate the incident in the incident graph.
•the refresh button to refresh the page.
Click the Respond to incident button to select the affected objects and define their response actions. The available actions depend on the object type:
oComputers > Continue > select the response action (Isolate, Log out user, Reboot, Scan & Clean) > Confirm.
oProcesses > Continue > select the response action (Kill Process) > Confirm.
oExecutables > Continue > select the response action (Block, Block & Clean) > Confirm.
•Change Status & Assignee—click to select from the drop-down menu.
oStatus—select the incident's current status from the drop-down menu: Open, In progress or Closed. When you select Closed, additionally select the reason for closing the incident (True positive, Suspicious, False positive or Invalid) and optionally write a comment.
oAssignee—when the status is Open or In progress, select an available user from the drop-down menu.
Click Save.
•Tags—click to select tags from the drop-down menu and click Apply, or type a new keyword and press Enter to create a new tag.