Kaspersky Next XDR Expert

Managing incident workflows

Kaspersky Next XDR Expert allows you to configure a flexible incident workflow and visualizes it in the visual editor.

The incident workflow is a set of statuses and transitions that an incident goes through during its lifecycle. A status is a step in the incident handling process. A transition is a link between two statuses that allows an incident to move from one status to another. You can configure a transition in both directions (from one status to another and back) or, if necessary, as a one-way link.

You can create an incident workflow or use a predefined workflow that you can customize.

You can also assign a workflow to incident types, which lets you manage the incident lifecycle in the way that suits you best.

[Topic 280090]

Viewing incident workflows table

To view the incident workflows table:

  1. In the main menu, go to Settings → Tenants.
  2. Click the name of the required tenant.

    The tenant's properties window opens.

  3. On the Settings tab, click Incident management, and then select the Workflows tab.

The incident workflows table is displayed.

To configure the incident workflows table, do any of the following:

  • Click the filter icon, and then specify and apply the filter criterion in the menu that opens.
  • To hide or display a column, click the settings icon, and then select the necessary column.

The incident workflows table is configured and displays the data you need.

The incident workflows table contains the following information:

  • Name. Name of the custom or predefined incident workflow.
  • Linked types. Number of linked incident types.
  • Tenant name. Name of the tenant to which the incident workflow belongs.
  • Creation type. Way the incident workflow was created. Possible values:
    • Custom.
    • Predefined.
  • Workflow ID. Unique identifier of the incident workflow. By default, this column is hidden.
  • Description. Incident workflow description. By default, this column is hidden.

[Topic 283202]

Predefined incident workflows

Kaspersky Next XDR Expert allows you to manage incidents by using the predefined incident workflow. In the incident workflows table, this workflow is named Standard, and in the Creation type column it is marked as Predefined.

If necessary, you can edit the predefined workflow to customize it.

The list below shows the statuses of the predefined workflow, and the reasons why incidents switch to these statuses.

  • Initial. Reasons:
    • A new incident has been created (manually or automatically).
    • The incident status has been changed to Initial from one of the following statuses: In progress, On hold, or Done.
  • In progress. Reason: the user manually changed the incident status from Initial or On hold to In progress.
  • On hold. Reason: the user manually changed the incident status from In progress to On hold.
  • Done. Reasons:
    • The user closed the incident.
    • The user linked the incident to another similar incident that has not been closed yet.

[Topic 283172]

Creating incident workflows

The incident workflow allows you to manage the incident lifecycle.

To create an incident workflow:

  1. In the main menu, go to Settings → Tenants.
  2. Click the name of the required tenant.

    The tenant's properties window opens.

  3. On the Settings tab, click Incident management, and then select the Workflows tab.
  4. Click the Create button.

    The Create workflow window opens.

    By default, each incident workflow contains predefined statuses Initial and Done. You cannot delete or edit these statuses.

  5. In the Name field, enter the name of the new workflow.
  6. If necessary, in the Description field, enter a workflow description or a comment.
  7. To add new statuses, in the Workflow section, click Add status.
  8. In the window that opens, specify the following settings:
    1. In the Status name field, enter the name of the new status.
    2. In the Category field, select one of the following status categories:
      • Initial
      • In progress
      • Resolved
      • Done

      The category determines the color of the status icon.

    3. In the Incoming transition field, select one or several statuses from which an incident can move to the new status.

      If you want any status to be able to transition to the new status, select the Allow all statuses to transition to this one option.

    4. In the Outgoing transition field, select one or several statuses to which an incident can move from the new status.

      If you want the new status to be able to transition to any status, select the Allow this status to transition to all statuses option.

    5. Click Add.

      The visualized workflow is displayed in the Create workflow window.

      If necessary, repeat steps 7 and 8 to add more statuses.

  9. In the Create workflow window, click Save.

The new incident workflow is displayed in the table.

[Topic 280356]

Editing incident workflows and statuses

You can edit workflow properties, as well as workflow statuses and transitions.

To edit the incident workflow:

  1. In the main menu, go to Settings → Tenants.
  2. Click the name of the required tenant.

    The tenant's properties window opens.

  3. On the Settings tab, click Incident management, and then select the Workflows tab.
  4. Click the name of the workflow that you want to edit.

    The Edit workflow window opens.

  5. Edit the workflow properties. For more details on the workflow properties that you can edit, see Creating incident workflows.

The workflow's properties are modified and saved.

To edit statuses of the incident workflow:

  1. In the main menu, go to Settings → Tenants.
  2. Click the name of the required tenant.

    The tenant's properties window opens.

  3. On the Settings tab, click Incident management, and then select the Workflows tab.
  4. Click the name of the workflow that you want to edit.

    The Edit workflow window opens.

  5. Click the name of the status that you want to edit.

    The Edit status window opens.

  6. Edit the status and transition settings. For more details on the status settings that you can edit, see Creating incident workflows.

    If necessary, you can delete the status by clicking the Delete button.

    You cannot edit the name or the category of the predefined Initial and Done statuses, and you cannot delete them.

    You cannot delete a status if it is assigned to an incident.

  7. Click the Save button.

The workflow statuses are modified and saved.

[Topic 282797]

Deleting incident workflows

You cannot delete an incident workflow if incident types that belong to the parent or a child tenant are linked to it. In this case, assign a different workflow to the linked incident types, and then try to delete the incident workflow again.

If the workflow that you want to delete is used in a playbook, edit the playbook's trigger and/or algorithm before deleting the workflow, to avoid errors.

To delete an incident workflow:

  1. In the main menu, go to Settings → Tenants.
  2. Click the name of the required tenant.

    The tenant's properties window opens.

  3. On the Settings tab, click Incident management, and then select the Workflows tab.
  4. In the list of workflows, select the workflow that you want to delete, and then click Delete.
  5. In the confirmation dialog box, click Delete.

The incident workflow is deleted.
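The rules in the creating, editing and deleting sections above describe a directed graph: statuses as nodes, one-way transitions as edges, with Initial and Done always present and undeletable, a status undeletable while an incident holds it, and a workflow undeletable while incident types are linked to it. The following Python model is an added example and is not part of Kaspersky Next XDR Expert or its documentation; the class and method names, the "*" wildcard used for the two allow-all options, the linked_types field, and the categories given to the Standard workflow's In progress and On hold statuses are assumptions. It reconstructs the predefined Standard workflow from the status list above so that the permitted transitions can be listed and checked before a custom workflow is assigned to incident types.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

ALL = "*"  # wildcard standing in for the "Allow all statuses ..." options (assumed representation)


@dataclass
class Status:
    name: str
    category: str                                    # Initial, In progress, Resolved or Done
    incoming: Set[str] = field(default_factory=set)  # statuses that may move into this one
    outgoing: Set[str] = field(default_factory=set)  # statuses this one may move to


class Workflow:
    CATEGORIES = {"Initial", "In progress", "Resolved", "Done"}
    PREDEFINED = {"Initial", "Done"}  # present in every workflow; cannot be renamed, recategorised or deleted

    def __init__(self, name: str, description: str = "") -> None:
        self.name = name
        self.description = description
        self.statuses: Dict[str, Status] = {}
        self.linked_types: Set[str] = set()  # incident types assigned to this workflow (hypothetical field)
        self.add_status("Initial", "Initial")
        self.add_status("Done", "Done")

    def add_status(self, name: str, category: str, incoming: Iterable[str] = (), outgoing: Iterable[str] = (),
                   allow_all_in: bool = False, allow_all_out: bool = False) -> Status:
        if category not in self.CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        if name in self.statuses:
            raise ValueError(f"status {name!r} already exists")
        status = Status(name, category, set(incoming), set(outgoing))
        if allow_all_in:
            status.incoming.add(ALL)
        if allow_all_out:
            status.outgoing.add(ALL)
        self.statuses[name] = status
        return status

    def can_transition(self, src: str, dst: str) -> bool:
        """True if the workflow permits moving an incident from src to dst.
        A link is one-way: src -> dst exists only if it was configured as outgoing
        on src or incoming on dst, or one of the allow-all options covers it."""
        if src == dst or src not in self.statuses or dst not in self.statuses:
            return False
        s, d = self.statuses[src], self.statuses[dst]
        return ALL in s.outgoing or dst in s.outgoing or ALL in d.incoming or src in d.incoming

    def transitions(self) -> List[Tuple[str, str]]:
        """All permitted (src, dst) pairs in sorted order, for reviewing a workflow before assigning it."""
        names = sorted(self.statuses)
        return [(a, b) for a in names for b in names if self.can_transition(a, b)]

    def delete_status(self, name: str, statuses_in_use: Iterable[str] = frozenset()) -> None:
        """Delete a status, enforcing the two rules from the editing section."""
        if name in self.PREDEFINED:
            raise ValueError(f"{name} is predefined and cannot be deleted")
        if name in set(statuses_in_use):
            raise ValueError(f"{name} is assigned to an incident and cannot be deleted")
        del self.statuses[name]
        for other in self.statuses.values():  # drop links that pointed at the removed status
            other.incoming.discard(name)
            other.outgoing.discard(name)

    def check_deletable(self) -> bool:
        """Rule from the deleting section: a workflow with linked incident types cannot be deleted."""
        if self.linked_types:
            raise ValueError(f"reassign linked incident types first: {sorted(self.linked_types)}")
        return True


def build_standard() -> Workflow:
    """The predefined Standard workflow, reconstructed from the status/reason list on this page."""
    wf = Workflow("Standard")
    # The page does not state the categories of In progress and On hold; "In progress" is assumed.
    wf.add_status("In progress", "In progress", incoming={"Initial", "On hold"})
    wf.add_status("On hold", "In progress", incoming={"In progress"})
    wf.statuses["Initial"].incoming.update({"In progress", "On hold", "Done"})  # reopening
    # Closing the incident (or linking it to an open similar incident) moves it to Done;
    # the page names no source restriction, so any status is allowed here (assumption).
    wf.statuses["Done"].incoming.add(ALL)
    return wf


if __name__ == "__main__":
    std = build_standard()
    for src, dst in std.transitions():
        print(f"{src} -> {dst}")
```

Running the block lists the nine transitions of the reconstructed Standard workflow; note that Initial -> On hold and Done -> In progress are absent, matching the status list, and that every status can reach Done only because of the assumed allow-all option on Done.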

[Topic 282811]