Incident management is available only in the commercial editions of RuSIEM.
Incident management in RuSIEM follows the ITIL approach. Incidents are created automatically when correlation rules are triggered.
Incidents are handled through the web interface.
The incident card contains all the information needed to work on the incident.
Incident statuses are set by the user. An incident is created with the status “Assigned”, or “Reopened” if it is a repeat of an incident that had already been closed.
Incident data is decoupled from the events that produced it, because the retention periods for incidents and events may differ. When an incident is created, the keys and field values of its events are extracted and stored as incident metadata, so the incident remains readable even if the underlying events are later removed from storage. From any field, however, you can drill down to the events of the incident.
Within an incident, tasks can be assigned to other employees and their completion tracked.
Incident parameters such as the name, the priority and the users or groups the incident is assigned to are set individually for each correlation rule. An incident can be assigned to several users and groups at once.
Incidents have a scope: an incident is visible only to the users it is assigned to, either directly or through membership in a group the incident is assigned to.
A user can also be granted access to an incident when a task within that incident is assigned to the user or to a group the user belongs to.
The scope changes when the incident is escalated: once an incident is escalated to other users or groups, the previous assignees no longer see it.
While an incident is open (assigned or in work), the same correlation rule firing on the same object does not create a new incident; the new trigger is added to the existing incident, which prevents duplicates.
If the incident has already been closed and the rule fires again for the same object, the incident is reopened automatically and receives the status “Reopened”.
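The scope, deduplication and reopening behaviour described above can be modelled as a small state machine. The code below is an added illustration written for this page, not RuSIEM's own code: the class names, the use of "correlation rule + object" as the deduplication key, the intermediate status "In work", the closure decision text and the sample events are all assumptions chosen to show the behaviour, not taken from the product.

```python
"""Illustrative model of incident deduplication, reopening and scope.

Added example, not RuSIEM code. Assumed: the dedup key is (rule, object),
the active statuses are "Assigned", "In work" and "Reopened", and the
sample events below are constructed, not real log data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# A repeat trigger on an incident in one of these statuses is appended to it
# instead of creating a new incident.
ACTIVE_STATUSES = {"Assigned", "In work", "Reopened"}


@dataclass
class StatusChange:
    status: str
    changed_by: str
    at: datetime
    decision: str = ""  # only filled in when the incident is closed


@dataclass
class Incident:
    incident_id: int
    rule: str
    obj: str  # the object the rule fired on, e.g. a host or an account
    users: set
    groups: set
    status: str = "Assigned"
    events: list = field(default_factory=list)
    metadata: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def set_status(self, status: str, who: str, at: datetime, decision: str = "") -> None:
        """Change the status and record who changed it, when and with what decision."""
        self.status = status
        self.history.append(StatusChange(status, who, at, decision))

    def is_active(self) -> bool:
        return self.status in ACTIVE_STATUSES

    def add_event(self, event: dict) -> None:
        """Keep the event and copy its keys and values into incident metadata,
        so the incident stays readable after the event itself has aged out."""
        self.events.append(event)
        for key, value in event.items():
            self.metadata.setdefault(key, set()).add(value)

    def visible_to(self, user: str, user_groups: Iterable[str]) -> bool:
        """Scope rule: assigned users, or members of assigned groups, see the incident."""
        return user in self.users or bool(self.groups & set(user_groups))

    def escalate(self, users: Iterable[str], groups: Iterable[str]) -> None:
        """Escalation replaces the scope, so previous assignees stop seeing the incident."""
        self.users, self.groups = set(users), set(groups)


class IncidentManager:
    def __init__(self) -> None:
        self.incidents = []

    def find(self, rule: str, obj: str) -> Optional[Incident]:
        """At most one incident per (rule, object) ever exists in this model."""
        return next((i for i in self.incidents if i.rule == rule and i.obj == obj), None)

    def on_trigger(self, rule: str, obj: str, event: dict, users, groups, now: datetime) -> Incident:
        """Called when a correlation rule fires: create, append to, or reopen an incident."""
        inc = self.find(rule, obj)
        if inc is None:
            inc = Incident(len(self.incidents) + 1, rule, obj, set(users), set(groups))
            inc.set_status("Assigned", "system", now)
            self.incidents.append(inc)
        elif not inc.is_active():
            inc.set_status("Reopened", "system", now)  # closed incident fires again
        inc.add_event(event)  # active incident: no new incident, event is appended
        return inc

    def close(self, inc: Incident, who: str, decision: str, now: datetime) -> None:
        """Incidents are closed, never deleted; the closure stays in the history."""
        inc.set_status("Closed", who, now, decision)


def demo() -> dict:
    """Walk one incident through the lifecycle on constructed sample events."""
    mgr = IncidentManager()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    rule, host, assign = "Brute force: 10 failed logins", "srv-01", dict(users={"ivanov"}, groups={"SOC-L1"})
    ev = [{"src_ip": "10.0.0.5", "dst_host": host, "user": u} for u in ("alice", "bob", "carol")]
    a = mgr.on_trigger(rule, host, ev[0], now=t0, **assign)
    b = mgr.on_trigger(rule, host, ev[1], now=t0 + timedelta(minutes=1), **assign)
    c = mgr.on_trigger(rule, "srv-02", {"src_ip": "10.0.0.5", "dst_host": "srv-02", "user": "dave"},
                       now=t0 + timedelta(minutes=2), **assign)
    mgr.close(a, "ivanov", "False positive: vulnerability scanner", t0 + timedelta(minutes=10))
    d = mgr.on_trigger(rule, host, ev[2], now=t0 + timedelta(hours=1), **assign)
    visible_before = a.visible_to("ivanov", ["SOC-L1"])
    a.escalate(users=set(), groups={"SOC-L2"})
    return {
        "deduplicated": a is b,
        "separate_object": c is not a,
        "total_incidents": len(mgr.incidents),
        "reopened": d is a and a.status == "Reopened",
        "event_count": len(a.events),
        "metadata_users": sorted(a.metadata["user"]),
        "history": [(h.status, h.changed_by, h.decision) for h in a.history],
        "visible_before_escalation": visible_before,
        "visible_after_escalation": a.visible_to("ivanov", ["SOC-L1"]),
        "visible_to_l2": a.visible_to("petrov", ["SOC-L2"]),
    }
```

Running `demo()` shows the two points a practitioner cares about: a second trigger for the same rule and object lands on the same incident (while a different object gets its own), and a trigger after closure reopens the incident with a "Reopened" entry appended to a history that still shows who closed it and with what decision. The escalation check at the end shows the first-line analyst losing visibility the moment the scope is handed to the second-line group.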
When an incident is created, the user is notified by a pop-up message in the upper right corner of the screen. Clicking the notification opens the incident card in a new browser window. At most five pop-up notifications are shown at the same time.
From the incident you can view the correlation rule that created it.
The status history of an incident is available from the incident card: it shows each status change, who made it and when.
An incident cannot be deleted to hide it. It can only be closed; it then remains in the system and is shown among the closed incidents together with who closed it, when, and with what decision.
For mass errors there is still a button that deletes all incidents (open and closed, for all users); it is available only to the system administrator. Because it also removes the closure records described above, it should be treated as an emergency operation rather than a routine clean-up.
Bulk operations are provided for legitimately closing many selected incidents at once.