Managing incidents

An incident is a record about an application event associated with a possible data leak. Kaspersky Security generates incidents in the following cases:

Each incident contains detailed information about incident-related files and users and the reason why the incident has been generated. This information is needed to analyze and investigate possible data leaks.

The incident workflow process is regulated by job descriptions of security officers and may vary depending on the incident workflow regulations adopted within an organization.

Managing the incident workflow process

The incident workflow process can be managed as follows:

Incident comments can be added while changing the incident status or viewing the incident history.

Selecting incidents to manage

The application adds all incidents that have been generated to the list of incidents in the Incidents node. You can change the appearance of the incident list by changing the incident information displayed in the table.

The application automatically assigns the New status to an incident when it is generated. New incidents available for processing can be displayed by refreshing the incident list.

You can use the incident filter to search for incidents according to specific criteria (such as incidents related to a specific user). You can use the search for similar incidents to handle similar incidents, i.e., those who share identical data.

Viewing incident details and processing incidents

You can start managing new incidents by viewing the incident details.

Incidents assigned for processing must have their status changed to In progress. If the company has several security officers, this will help them to coordinate their workflows.

To make a decision on an incident, you have to look at the context of the policy violation. The violation context is displayed in the incident details window. The violation context contains all text fragments that contain data indicating the violation. Keywords or table data in each fragment are highlighted in red. If the context of the violation is insufficient to make a decision on an incident, you can open the incident-related file on SharePoint.

When you point the mouse pointer on a text fragment that indicates a violation, a tooltip with the name of the data subcategory appears next to the pointer (see the figure below). A subcategory is a nested, embedded data category included in a larger category. The subcategory name helps to define more accurately the area of the category to which data belongs.

ks90_pict_subcategory

The subcategory name is displayed in a pop-up hint

You can add the web address of the file associated with the incident to exclusions. This helps you to reduce the number of false positive incidents generated when scanning template-based documents (such as uniform contracts or statements). The application adds the web address of a file to exclusions as follows:

If the incident was generated while running a search task of Kaspersky Security 9.0 , you cannot add the file's web address to exclusions for the search task.

If you need to export incident information to prepare an official memo, you can copy the incident details to clipboard.

Finishing incident management

Following analysis of incident information, an incident can be assigned one of the following statuses:

After finishing incident processing, you can remove them from the list of incidents by archiving them.

You are advised to perform archiving of incidents once the number of incidents exceeds 100,000. Kaspersky Security can be unstable when the number of incidents increases to 300,000.

Restoring incidents

You can consult archived incidents, if necessary, by restoring incidents. The application automatically assigns Archival status to all restored incidents.

After you finish processing these incidents, you can remove them from the list.

See also

Updating the list of incidents

Viewing incident details

Changing the status of an incident

Changing incident details displayed in the table

Archiving incidents

Restoring incidents from the archive

Deleting archived incidents

Page top