Incidents – HTML5 version
Incident tab allows users to view and manage incidents.
Incident Attributes
This topic describes all the columns that can be used to create views in the Incident Dashboard. You can add or remove columns from the dashboard by clicking the Columns icon.
| Column Name | Description |
| Severity | The severity of the incident, High, Medium, or Low |
| Last Occurred | The last time that the incident was triggered |
| First Occurred | The first time that the incident was triggered |
| Incident | The name of the rule that triggered the incident |
| Incident ID | The unique ID assigned to the incident |
| Source | The source IP or host name that triggered the incident |
| Target | The IP or host name where the incident occurred |
| Detail | Event attributes that triggered the incident |
| Status | The status of the incident, Active, Cleared, Cleared Manually, System Cleared |
| Cleared Reason | For manually cleared incidents, this displays the reason the incident was cleared |
| Cleared Time | The time an incident was cleared |
| Cleared User | The person who cleared the incident |
| Comments | Any comments that users have entered for the incident |
| Ticket Status | Status of any tickets associated with the incident |
| Ticket ID | The ID number of any tickets generated by the incident |
| Ticket User | The person assigned to any tickets generated by the event |
| External User | If the ticket was cleared in an external ticket-handling system, this lists the name of the person the ticket was assigned to |
| External Cleared Time | If the ticket was cleared in an external ticket-handling system, this lists the time it was cleared |
| External Resolved Time | If the ticket was resolved in an external ticket-handling system, this lists the time it was resolved |
| External Ticket ID | The ID of the incident in an external ticket-handling system |
| External Ticket State | The state of the incident ticket in an external ticket-handling system |
| External Ticket Type | The type assigned to the incident ticket in an external ticket-handling system |
| Organization | The organization reporting the event |
| Impacts | Organizations impacted by the event |
| Business Service | Business services impacted by the incident |
| Incident Notification
Status |
Status of any notifications that were sent because of the incident |
| Notification Recipients | Who received notification of the incident |
| Incident Count | How many times the incident has occurred during the selected time interval |
Viewing Incidents
Device Risk View of all incidents
List view of all incidents
Viewing incident details
Grouped View of all incidents
Device Risk View of all incidents
This is the default view when user clicks the Incident tab. It shows a list of devices that triggered incidents. Devices are ranked by a risk score that is computed by combining asset criticality, triggered incidents and found security vulnerabilities (details – here).
To see the incidents for a device, click that device. The incidents show up in a time line view.
List view of all incidents
This view provides a list of all incidents over a time period. By default:
Active Incidents over the last 2 hours are displayed
The following incident attributes are shown
Severity – High, Medium, Low – shown by colored icons
Last Occurred – the last time the Incident happened
Reporting Device Name – names of devices that reported the events that led to the incident Incident – rule name
Source – incident source
Target – incident target
Detail – incident parameters other than source and target
Count – number of times the same incident has triggered
To show incidents over a different time interval
Click Time Range Button
A search window appears
To choose a relative time window
Choose Time Range Operator as LAST.
Specify the number of Minutes/Hours/Days/Weeks.
Click Check button.
The Incident page will automatically refresh to show all the incidents over the time window.
To choose an absolute time window
Choose Time Range Operator as FROM.
Specify the starting and end times.
Click Check button.
The Incident page will automatically refresh to show all the incidents over the time window
An incident can be in any of the following states
Active
Cleared
Cleared Manually
System Cleared
By default only Active Incidents are shown. To show Incidents in other states
Click Incident Status Button A search window appears
To add a new value, click on the white space next to the selected value. A menu appears. Select the needed values one by one.
Click Check button
The Incident page will automatically refresh to show all the incidents in selected state(s)
To select a different set of Incident attributes
Click Choose columns icon
In the popup, select the columns you want to display by moving them to the right. You can re-order the position of the columns. ClickOK.To force a refresh of the incident view, click the Refresh icon
Incidents may be displayed over multiple pages. To see incidents on a different page,
Select the Page Selector icon
Either enter the page number or click on the Next or Previous icon to go to the right page
To view incidents for a different organization (Service Provider version),
Click the User icon on top right
Choose the right organization
Click Change View
Viewing incident details
In the default view, an incident is shown in a single line. To see the details of the incident,
Click anywhere on the incident line
Basic incident attributes are shown immediately below the incident More advanced incident attributes are shown in a bottom pane
To revert to the single line incident view, click anywhere on the incident line. Detailed views will disappear.
To view the rule that triggered the incident,
Click anywhere on the incident line in the single line incident view In the bottom pane, Click Rule tab. Rule details are displayed.
To view the events that triggered the incident
Click anywhere on the incident line in the single line incident view
In the bottom pane, Click Events tab. Basic Event attributes are displayed in a single line. To see the raw events, click on the Basic Event line. Raw events are displayed.
Grouped View of all incidents
Sometimes user may need a grouped view of incidents to get an overview of what incidents have triggered and involves which devices. The following grouped views are provided
Severity – Ranks Incident Severities By Count
Name – Ranks the Incidents By Count
Name, Target – Ranks Incident Name and Incident Target By Count
Name, Source – Ranks Incident Name and Incident Source By Count
Name, Source, Target – Ranks Incident Name, Incident Source and Incident Target By Count
Name, Source, Target, Business Service – Ranks Incident Name, Incident Source, Incident Target and Business Services By Count Name, Source, Target, Business Service, Organizations – Ranks Incident Name, Incident Source, Incident Target, Business Services and Organizations By Count
Searching Incidents
Searchable Incident Attributes
Constructing Search Condition
Searchable Incident Attributes
| Incident Attribute | Description |
| Time Range | In |
| ID | Incident ID |
| IP | Incident Source IP or Incident Target IP |
| Host | Host name associated with Incident Source IP or Incident Target IP |
| User | User field specified in Incident Target or Incident Details |
| Severity | Incident Severity category – High, Medium or Low |
| Function | Security, Availability, Performance or Change. This is a property of an Incident. |
| Incident Status | Possible values are Active, Cleared, Cleared Manually, System Cleared |
| Ticket Status | Possible values are New, Open, Closed, External, reopened, None. External means opened in an external system. |
| Incident | Rule name |
| Biz Service | Business Service name |
| Organization | Organization name |
Constructing Search Condition
To construct a Search condition from a displayed Incident,
Mouse over the cell containing the specific Incident attribute
Right click and choose Add to filter
The condition will be added to existing search string
Matching incidents will be displayed
To construct a Search condition from scratch
Click on the Add filter edit area. Three fields are displayed
Incident Attribute
Operator
Value
Select one of the Incident Attributes from the drop down
Select an Operator from =, != IN, NOT IN, CONTAINS, NOT CONTAINS Select one or more Values from the displayed choices Click the Check button.
Matching incidents will be displayed
Managing Incidents
Adding Comments
Clearing Incidents
Exporting Incidents to a PDF document
Adding Comments
Click on an Incident in the un-grouped view From Actions drop down, select Add Comments Write the comment and click OK.
Clearing Incidents
Click on an Incident in the un-grouped view
If you have more incidents to clear, then press Shift and click on the second incident. This will will select all incidents between the first one and this one. To get this approach to work effectively,
Create a filter to get all the incidents to be cleared in view
Select the first incident
Press Shift and click on the last incident – all incidents are now selected From Actions drop down, select Clear Click OK
Exporting Incidents to a PDF document
Click on an Incident in the un-grouped view
If you have more incidents to export, then press Shift and click on the second incident. This will will select all incidents between the first one and this one. To get this approach to work effectively,
Create a filter to get all the incidents to be exported in view
Select the first incident
Press Shift and click on the last incident – all incidents are now selected From Actions drop down, select Export Click OK
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!