Managing incident types
Kaspersky Next XDR Expert allows you to manage incidents and customize the incident handling process by using incident types.
An incident type is a set of attributes for which you can configure different processes. For example, you can assign a workflow to the incident type, configure a trigger, or configure a playbook algorithm.
You can create an incident type or use predefined incident types that you can customize.
Incident types can be active or inactive. If the incident type is active, you can select this type in the incident details window.
The incident type marked as a default type is assigned to all new incidents automatically. You cannot switch a default incident type to inactive.
The Common incident type is set as default. You can edit this setting.
You can create only one default incident type in a tenant.
Viewing the incident types table
To view the incident types table:
- In the main menu, go to Settings → Tenants.
- Click the name of the required tenant.
The tenant's properties window opens.
- On the Settings tab, click Incident management.
The Types tab is displayed with the incident types table.
- If you want to configure the incident types table, do any of the following:
- Click the filter icon, and then specify and apply the filter criterion in the invoked menu.
- To hide or display a column, click the settings icon, and then select the necessary column.
The incident types table contains the following information:
- Name. Name of the custom or predefined incident type.
The table contains the following predefined incident types:
- Common
By default, this type has the Yes value in the Default column.
- Information gathering
- Compromise
- Unauthorized access
- Malware attack
- Phishing
- Availability
- Insider threat
- Data breaches
- Configuration error
- Supply chain attack
- Web application attack
- Vulnerability exploitation
- Active type. If the incident type is active, you will be able to select this type in the incident details window.
- Default. When you create an incident, the default type is automatically assigned to it. Possible values:
- True
- False
- Workflow. Incident workflow.
- Tenant. Name of the tenant to which the incident type belongs.
- Creation type. Way the incident type was created. Possible values:
- Custom
- Predefined
- ID. Unique identifier of the custom or predefined incident type. By default, this column is hidden.
- Description. Incident type description. By default, this column is hidden.
If necessary, you can create new incident types, as well as edit and delete predefined and custom incident types.
Creating incident types
To create an incident type:
- In the main menu, go to Settings → Tenants.
- Click the name of the required tenant.
The tenant's properties window opens.
- On the Settings tab, click Incident management, and then select the Types tab.
- Click the Create button.
The Create incident type window opens.
- If you want the new incident type to be active, switch on the Active type toggle button.
- In the Name field, enter the name of the new incident type.
- If you want all new incidents to be assigned this type by default, select the Set as default check box.
There can be only one default incident type in a tenant. If the tenant already has a default incident type, that type will no longer be the default after you select this check box.
- In the Workflow field, select the incident workflow.
- If necessary, in the Description field, enter an incident type description or a comment.
- Click the Create button.
The new incident type is displayed in the incident types table.
Editing incident types
If necessary, you can edit incident types.
To edit an incident type:
- In the main menu, go to Settings → Tenants.
- Click the name of the required tenant.
The tenant's properties window opens.
- On the Settings tab, click Incident management.
The Types tab is displayed with the incident types table.
- Click the name of the incident type that you want to edit.
The Edit incident type window opens.
- Make your edits, and then click Save. For more details on the incident types properties that you can edit, refer to Creating incident types.
The incident type properties are edited and saved.
Deleting incident types
If you want to delete an incident type that is used in a playbook, you have to delete this incident type from the playbook trigger and/or algorithm to avoid errors.
You cannot delete an incident type in the following cases:
- An incident type is set as default in the tenant where this incident type was created.
When trying to delete this incident type, you are prompted to set a new default incident type. In the window that opens, you have to select the incident type from the list.
- An incident type is set as default in a child tenant.
- The current tenant or a child tenant contains an incident with the type that you want to delete.
Before deleting such a type, you have to assign another type to the incident.
To delete the incident type:
- In the main menu, go to Settings → Tenants.
- Click the name of the required tenant.
The tenant's properties window opens.
- On the Settings tab, click Incident management.
The Types tab is displayed with the incident types table.
- Do one of the following:
- Select the incident type that you want to delete, and then click Delete.
- Click the name of the incident type that you want to delete, and then in the Edit incident type window, click Delete.
- In the confirmation dialog box, click Delete.
The incident type is deleted.