Adding a status, cause, expert opinion or note to an incident or incident group
Kaspersky MLAD lets you add an expert opinion or note to a registered incident.
The functionality is available after a license key is added.
An expert opinion is normally added by an expert (process engineer or ICS specialist) and may contain an incident analysis or recommendations on resolving a problem that is indicated by an identified incident. An expert opinion can be added to an individual incident or to a group of incidents. If expert opinions were previously added to incidents that are later put into a group, these opinions will also be displayed in the group (linked to each specific incident). When incidents are regrouped, the expert opinion for an incident migrates together with the incident to the new group.
Notes are intended to aid discussions between experts or operators of facilities regarding recommended actions for analysis, investigation, and remediation of an incident. Each note includes information stating who added the note and when it was added.
You can also add the cause of the incident and the incident status determined by the expert based on the incident analysis results. A status can be assigned to an individual incident or to a group of incidents. When you change the status of a group of incidents, Kaspersky MLAD changes the status of every incident in that group. The status of an incident also determines whether a dot indicator for it is displayed under Monitoring and History and whether an incident notification with this status is sent. If the Notify about an incident check box is cleared for a status, the dot indicators of incidents that were automatically assigned this status are not displayed under Monitoring or History, and no email notifications are sent about these incidents. An incident status can be assigned automatically in one of the following cases:
- If the incident was automatically assigned to a group with that status.
- If the incident is registered by an ML model element that sets that incident status by default.
For the Problem closed and Ignore statuses, the Notify about an incident check box is cleared by default. If incidents are automatically assigned one of these statuses at registration, because that status is specified for the ML model element that registered them, no notifications are sent about these incidents. Before relying on email notifications, check the default status configured for each ML model element: an element that assigns Problem closed or Ignore by default suppresses notifications for every incident it registers.
If you know in advance the expert opinion, cause, and/or status of incidents registered by a specific ML model element, you can enter that information in the element parameters. The expert opinion, cause, and/or status will then be assigned automatically to incidents at the time the element registers them.
Before adding a cause, status, note, or expert opinion, you must first analyze the registered incident.
To add an expert opinion, status, cause, or note to an incident:
- In the main menu, select the Incidents section.
- If necessary, change the incident status by selecting one of the following statuses from the Incident status drop-down list: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore, or False positive.
By default, an incident is assigned the Unknown status. If necessary, the system administrator can create, edit, or delete statuses of incidents.
- To display detailed technical specifications of an incident, click the button next to the relevant incident. In the details area that opens, you can do the following:
- If you need to add the cause of an incident, use the Incident cause field to select the cause of the incident.
If necessary, the system administrator can create, edit, or delete causes of incidents.
- If you need to add an expert opinion based on an analysis of a registered incident, click the button to the right of the Expert opinion field, enter the opinion in the field that opens, and press ENTER.
The expert opinion will be added to the selected incident and will appear in the incidents table in the Incidents section.
- If you need to add a note to an incident, enter your message in the Note field and click the Add note button.
You can provide a message up to 512 characters long.
The status, cause, expert opinion, and note will be added to the incident and will be available to other users when viewing this incident.
When two or more similar incidents are detected, Kaspersky MLAD automatically combines them into a group. The group name is also assigned automatically in the format Group #N, where N is the sequence number of the group. You can edit the group name, change the status of an incident group, and edit the group's expert opinion (for example, recommendations for analyzing similar incidents).
To add a status and expert opinion to a group of incidents:
- In the main menu, select the Incidents section and click Groups.
- If necessary, change the incident group status by selecting one of the following statuses from the Status drop-down list: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore, or False positive.
When changing the status of a group of incidents, Kaspersky MLAD changes the status of the incidents that are part of this group. By default, a group of incidents is assigned the Unknown status.
If necessary, the system administrator can create, edit, or delete statuses of incidents.
- In the incident groups table, double-click the row of the incident group.
The Edit group window opens.
- To change the name of the incident group, enter a new name for the group in the Group name field.
- In the Expert opinion field, enter the text of the expert opinion (for example, recommendations for analyzing similar incidents).
- Click the Save button.
The status and expert opinion will be changed for the incident group and can now be viewed by other users in the Groups table in the Incidents section.