Viewing and Searching Incidents
The Incident Dashboard displays incident information for your IT infrastructure based on the filter conditions you set. You can also view incidents grouped by incident attributes, use values in incident attributes to refine your searches, view information about rules that triggered incidents, and use incident information to create rule exceptions and event dropping rules.
- List View of Incidents
- Searching for Incidents by Incident Attributes
- Using Group By Attributes to View Incidents
- Device Risk View of Incidents
- Calendar View of Incidents
- Fishbone View of Incidents
List View of Incidents
There are two ways you can view the incidents that are occurring in your IT infrastructure.
- The Incidents tab, shown in the screenshot for this topic, where you can view incidents and incident details.
- Dashboard > Incident Dashboard, which includes the same incident summary and user interface controls found in the Incidents tab, but which also provides other views of incidents, including a fishbone view of incidents in your infrastructure, a topology view with the number and severity of incidents overlaid on devices, a calendar view, and a location view that includes both a summary view of incident source and target IP locations and a map view, along with the number and severity of incidents for that location overlaid on the map.
In both locations you can filter the incidents in the dashboard, find out more information about sources and targets of incidents, customize the dashboard layout, and manage the rules associated with incidents.
- Incident Attributes
- Incident Dashboard User Interface Controls
  - Incident Dashboard Filter Controls
  - Incident Management Controls
  - Contextual Menus
- Incident Details
  - Incident Details
  - Triggered Events
  - Related Incidents
Incident Attributes
An Incident has the following attributes.
| Attribute Name | Description |
|---|---|
| Event Severity Category | The severity of the incident: High, Medium, or Low |
| Last Seen Time | The last time that the incident was triggered |
| First Seen Time | The first time that the incident was triggered |
| Incident Name | The name of the rule that triggered the incident |
| Incident ID | The unique ID assigned to the incident |
| Incident Source | The source IP or host name that triggered the incident |
| Incident Target | The IP or host name where the incident occurred |
| Incident Detail | Event attributes that triggered the incident |
| Status | The status of the incident: Active, Cleared, Cleared Manually, or System Cleared |
| Cleared Reason | For manually cleared incidents, this displays the reason the incident was cleared |
| Cleared Time | The time an incident was cleared |
| Cleared User | The person who cleared the incident |
| Comments | Any comments that users have entered for the incident |
| Ticket Status | Status of any tickets associated with the incident |
| Ticket ID | The ID number of any tickets generated by the incident |
| Ticket User | The person assigned to any tickets generated by the event |
| External User | If the ticket was cleared in an external ticket-handling system, this lists the name of the person the ticket was assigned to |
| External Cleared Time | If the ticket was cleared in an external ticket-handling system, this lists the time it was cleared |
| External Resolved Time | If the ticket was resolved in an external ticket-handling system, this lists the time it was resolved |
| External Ticket ID | The ID of the incident in an external ticket-handling system |
| External Ticket State | The state of the incident ticket in an external ticket-handling system |
| External Ticket Type | The type assigned to the incident ticket in an external ticket-handling system |
| Organization | The organization reporting the event |
| Impacts | Organizations impacted by the event |
| Business Service | Business services impacted by the incident |
| Incident Notification Status | Status of any notifications that were sent because of the incident |
| Notification Recipients | Who received notification of the incident |
| Incident Count | How many times the incident has occurred during the selected time interval |
Incident Dashboard User Interface Controls
This screenshot shows the Incidents tab with the major user interface controls outlined in red.
Incident Dashboard Filter Controls
The filter controls let you control which incidents are shown in the dashboard.
| Filter Control | Description |
|---|---|
| Filter Criteria | You have three options for the filter conditions: ID, to search for an incident by ID; IP, to search for an incident based on an IP address; Advanced, to set filter conditions based on event attributes as described in Creating a Structured Real Time Search. See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in search filters. |
| Group By | Use these options to group incidents in the dashboards based on incident attributes. See Using Group By Attributes to View Incidents for more information. |
| Severity | Use these options to see only incidents with the selected severity level. |
| Function | Use these options to view incidents related to a specific infrastructure functional area, such as Performance or Security. |
| Incident Status | Filter incidents to view according to their status. |
| Ticket Status | Filter incidents based on the status of their associated tickets. See Creating Tickets In FortiSIEM In-built Ticketing System for more information. |
| Time Selection | Select the time interval during which incidents should have occurred. The default is Last 2 Hours. |
| Organization | For multi-tenant deployments, select the organization you want to view incidents for. |
| Impacts | For multi-tenant deployments, select an organization to view the incidents that are impacting it. |
Incident Management Controls
| Control | Description |
|---|---|
| Refresh | Refresh the dashboard view. |
| Edit Rule | Edit the rule associated with the incident. See the topics under Rules for more information. |
| Exception | Create an exception to the rule associated with the incident. See Defining Rule Exceptions for more information. |
| Ticket | Create a ticket from the incident. See Creating Tickets In FortiSIEM In-built Ticketing System for more information. |
| History | View the ticket history associated with an incident. |
| Clear | Clear the incident. See Defining Clear Conditions for more information on how to set rule conditions that will automatically clear incidents. All non-security related incidents are cleared from the system every night at midnight local time, and will show a status of System Cleared. A status of Manual Clear means that a user cleared the incident from the Incident Dashboard, while Clear means it was cleared by a rule condition. |
| Comments | Add comments to the incident. |
| Columns | Change the columns displayed in the summary table. Incident Columns describes all the columns that can be added to the Incident Dashboard. |
| Export | Export the incident information to a PDF or CSV file. |
| Locations | View geolocation information about the incidents. Pin colors on the map indicate incident severity: Red = HIGH severity; Yellow = MEDIUM severity; Green = LOW severity; Black = incidents with multiple severity levels at the same location. |
Contextual Menus
Clicking on an item within a column of the incident summary opens a contextual menu. Its options depend on whether the incident attribute you selected contains an IP address (Source IP or Target IP, for example) or some other kind of incident attribute. Both menus share an Add to Filter option, which lets you select a result attribute and add it to the Filter By conditions, and both include most of the options available in the Incident Management controls to edit rules and add exceptions to them. The IP address contextual menu additionally provides options to view more information about the associated device, with many of the same options you would find in the Analysis menu used in search summary dashboards.
This screenshot shows the IP contextual menu open after selecting an IP address in the Incident Source column of the Incidents tab.
Incident Details
The Incident Details pane at the bottom of the Incidents Dashboard provides you with information about a selected incident in three areas: Incident Details, Triggered Events, and Related Incidents.
Incident Details
The Incident Details include the ID of the incident, specific details about the event that triggered the incident, and the definition of the rule associated with the incident.
Triggered Events
The list of events that triggered the incident. For columns containing an event type, or host or IP information, click on an item to open a contextual menu and view more information about it.
Related Incidents
Use this menu to view related incidents based on the Source, Target, Rule Name, or Reporting IP associated with the selected incident.
Searching for Incidents by Incident Attributes
As you review incidents in your dashboard, you may want to build searches based on attributes from selected incidents. For example, you may want to use the value of the Incident Target attribute of an incident as a filter condition to find similar or related incidents, and then add more conditions based on the results of that search.
- Log in to your Supervisor node.
- Go to Incidents.
- In the Incident Dashboard, select an incident.
- Click on the attribute value for the selected incident that you want to add to the Filter By condition to open the Options menu, and then select Add to Filter.
The type of search will change to Advanced, and the attribute value you selected will be added to the Filter By conditions.
- Click in the Filter By Conditions field to open the Conditions Builder and add other incident attributes.
- Click Refresh when you’re done creating filter conditions to see the results.
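The following is an added example, not FortiSIEM code or any FortiSIEM API: it reproduces the logic of the dashboard controls described above (Add to Filter, the Severity filter, Group By, and the Locations pin colors) over an exported incident list, so that the same triage steps can be run outside the UI, for instance against a CSV produced with the Export control. It assumes the CSV column names match the incident attribute names in the table above, and the sample rows and the target-to-site mapping are constructed for the example.

```python
"""Filter, group and colour-code incident records the way the Incident Dashboard does.

Added example, not FortiSIEM code. The CSV columns are assumed to be named after the
incident attributes documented on this page; all values below are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of an exported incident list (not real FortiSIEM output).
SAMPLE_CSV = """Incident ID,Event Severity Category,Incident Name,Incident Source,Incident Target,Status,Incident Count
1001,High,Excessive Failed Logons,10.0.0.5,10.0.1.20,Active,12
1002,Medium,High CPU Usage,10.0.1.20,10.0.1.20,System Cleared,3
1003,High,Brute Force SSH,10.0.0.5,10.0.1.21,Active,7
1004,Low,Disk Space Low,10.0.1.22,10.0.1.22,Cleared Manually,1
1005,Low,Port Scan Detected,10.0.0.5,10.0.1.20,Active,2
"""

# Pin colours from the Locations control: one severity maps to its colour, mixed to Black.
SEVERITY_COLOUR = {"High": "Red", "Medium": "Yellow", "Low": "Green"}


def load_incidents(text):
    """Parse an exported incident list into a list of attribute dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def add_to_filter(conditions, incident, attribute):
    """'Add to Filter': copy the selected incident's value for one attribute into the
    filter conditions. Returns a new dict so conditions can be built up step by step."""
    updated = dict(conditions)
    updated[attribute] = incident[attribute]
    return updated


def apply_filter(incidents, conditions, severities=None):
    """Keep incidents that match every attribute condition (exact match, as Add to Filter
    produces) and, if a severity selection is given, one of the selected severities."""
    matches = []
    for inc in incidents:
        if any(inc.get(attr) != value for attr, value in conditions.items()):
            continue
        if severities and inc["Event Severity Category"] not in severities:
            continue
        matches.append(inc)
    return matches


def group_by(incidents, attribute):
    """Group By: bucket incidents by the value of one attribute."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc[attribute]].append(inc)
    return dict(groups)


def pin_colour(incidents_at_location):
    """Colour a map pin for all incidents at one location (Black when severities are mixed)."""
    severities = {inc["Event Severity Category"] for inc in incidents_at_location}
    if len(severities) == 1:
        return SEVERITY_COLOUR[severities.pop()]
    return "Black"


def location_pins(incidents, locate):
    """Place each incident's target at a location via the caller-supplied `locate`
    function (a stand-in for geolocation, which this page does not describe) and
    return the pin colour per location."""
    by_location = defaultdict(list)
    for inc in incidents:
        by_location[locate(inc["Incident Target"])].append(inc)
    return {loc: pin_colour(incs) for loc, incs in by_location.items()}


def ids(incidents):
    """Convenience: the Incident IDs of a result set, in order."""
    return [inc["Incident ID"] for inc in incidents]


if __name__ == "__main__":
    incidents = load_incidents(SAMPLE_CSV)
    # Step 1: select incident 1001 and add its Incident Source to the filter.
    conditions = add_to_filter({}, incidents[0], "Incident Source")
    hits = apply_filter(incidents, conditions)
    print("same source:", ids(hits))
    # Step 2: narrow to High severity, then group the result by Incident Target.
    high = apply_filter(incidents, conditions, severities={"High"})
    print("high only:", ids(high))
    for target, group in group_by(hits, "Incident Target").items():
        print(f"target {target}: {ids(group)}")
    # Locations view: constructed mapping of targets to sites.
    site_of = {"10.0.1.20": "Site A", "10.0.1.21": "Site A", "10.0.1.22": "Site B"}
    print("pins:", location_pins(incidents, site_of.get))
```

Each step of the click procedure maps to one call: `add_to_filter` is the Options menu's Add to Filter, `apply_filter` is Refresh, and `group_by` is the Group By control. Because Add to Filter copies the exact attribute value, the filter it builds is an equality condition, which is why a Source IP pulled from one incident finds the other incidents from that same source but not, for example, the whole subnet.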