Describes the fields in the table view.
The following table describes the fields in the Incidents page table view.
Field | Description |
---|---|
Alert Categories | Alert categories that were triggered by the incident's alerts |
Alerts Grouping Status | Whether Alert Grouping is currently enabled |
Alerts Breakdown | Total number of alerts, broken down by severity |
Assignee Email | Email address of the incident assignee |
Assigned To | Incident assignee |
Creation Time | Date and time that the incident was created |
Critical/High/Medium/Low Severity Alerts | Number of critical, high, medium, or low severity alerts included in the incident |
Hosts | Hosts affected by the incident |
Incident Description | Description generated from the alert name of the first alert that was added to the incident, the host and user affected, or number of users and hosts affected |
Incident ID | ID assigned to the incident |
Incident Name | User-defined incident name |
Incident Sources | List of sources that raised high and medium severity alerts in the incident |
Last Updated | Last time that a user took an action on the incident, or an alert was added to the incident |
MITRE ATT&CK Tactic | Types of MITRE ATT&CK tactics that were triggered by the alerts in the incident |
MITRE ATT&CK Technique | Types of MITRE ATT&CK techniques and sub-techniques that were triggered by the alerts in the incident |
Resolve Comment | User-added comment when setting the incident status to Resolved |
Resolved Timestamp | Date and time that the incident status was set to Resolved |
Severity | Highest severity of the alerts in the incident, or the user-defined severity |
Starred | Whether the incident is starred. Incidents are automatically starred if they include alerts that match your incident prioritization policy. |
Status | When an incident is generated, its status is set to New. To begin investigating an incident, set the status to Under Investigation. When the incident is resolved, set the status to Resolved and select a resolution reason. For a description of each resolution reason, see Resolution reasons for incidents and alerts. |
Tags | Tag family and the corresponding tags. If SBAC is enabled, you can view and manage the incident according to your scope settings. Note: When you view incidents as a scoped user and the tenant is set to permissive mode, you can view the incident but you do not have access to entities outside of your scope. When you view incidents as a scoped user and the tenant is set to restrictive mode, the incident content is not visible. You can send the incident ID to your administrator and request an updated user scope that enables you to view the incident. |
Total Alerts | Total number of alerts in the incident |
Users | Users affected by the alerts in the incident |
WildFire Hits | Number of Malware, Phishing, and Grayware artifacts that are part of the incident |