Managing incident workflows
Kaspersky Next XDR Expert allows you to configure a flexible incident workflow. Kaspersky Next XDR Expert also visualizes the workflow in the visual editor.
The incident workflow is a set of statuses and transitions that an incident goes through during its lifecycle. A status is a step in the incident handling process. A transition is a link that moves an incident from one status to another and back. If necessary, you can use a transition as a one-way link.
You can create an incident workflow or use a predefined workflow that you can customize.
You can also assign a workflow to the incident types. This will help you manage the incident lifecycle in the most convenient way.
Viewing incident workflows table
To view the incident workflows table:
- In the main menu, go to Settings → Tenants.
- Click the name of the required tenant.
The tenant's properties window opens.
- On the Settings tab, click Incident management, and then select the Workflows tab.
The incident workflows table is displayed.
To configure the incident workflows table, do any of the following:
- Click the filter icon, and then specify and apply the filter criterion in the invoked menu.
- To hide or display a column, click the settings icon, and then select the necessary column.
The incident workflows table is configured and displays the data you need.
The incident workflows table contains the following information:
- Name. Name of the custom or predefined incident workflow.
- Linked types. Number of linked incident types.
- Tenant name. Name of the tenant to which the incident workflow belongs.
- Creation type. Way the incident workflow was created. Possible values:
  - Custom.
  - Predefined.
- Workflow ID. Unique identifier of the incident workflow. By default, this column is hidden.
- Description. Incident workflow description. By default, this column is hidden.
Predefined incident workflows
Kaspersky Next XDR Expert allows you to manage incidents by using the predefined incident workflow. In the incident workflows table, this workflow is named Standard. In the Creation type column, it is marked as Predefined.
If necessary, you can edit the predefined workflow to customize it.
The table below shows the statuses of the predefined workflow, and the reasons why incidents switch to these statuses.
| Status | Reasons |
|---|---|
| Initial | |
| In progress | The user manually changed the incident status from Initial or On hold to In progress. |
| On hold | The user manually changed the incident status from In progress to On hold. |
| Done | |
Creating incident workflows
The incident workflow allows you to manage the incident lifecycle.
To create an incident workflow:
1. In the main menu, go to Settings → Tenants.
2. Click the name of the required tenant.
   The tenant's properties window opens.
3. On the Settings tab, click Incident management, and then select the Workflows tab.
4. Click the Create button.
   The Create workflow window opens.
   By default, each incident workflow contains predefined statuses Initial and Done. You cannot delete or edit these statuses.
5. In the Name field, enter the name of the new workflow.
6. If necessary, in the Description field, enter a workflow description or a comment.
7. To add new statuses, in the Workflow section, click Add status.
8. In the window that opens, specify the following settings:
   a. In the Status name field, enter the name of the new status.
   b. In the Category field, select one of the following status categories:
      - Initial
      - In progress
      - Resolved
      - Done
      The category determines the color of the status icon.
   c. In the Incoming transition field, select one or several incoming statuses.
      If you want to configure a transition from all statuses to the incoming statuses, select the Allow all statuses to transition to this one option.
   d. In the Outgoing transition field, select one or several outgoing statuses.
      If you want to configure a transition from the outgoing statuses to all statuses, select the Allow this status to transition to all statuses option.
   e. Click Add.
      The visualized workflow is displayed in the Create workflow window.
   If necessary, repeat steps 7-8e to add new statuses.
9. In the Create workflow window, click Save.
   The new incident workflow is displayed in the table.
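The statuses with their incoming and outgoing transitions form a directed graph, so a planned design can be checked on paper before it is entered in the Create workflow window. The Python below is an added example, not Kaspersky code and not a product API: the dictionary layout, the function names and the sample statuses (other than Initial and Done) are assumptions, and the "allow all" options are interpreted as "every other status in the workflow". It reports statuses that cannot be reached from Initial, statuses from which an incident can never reach Done, and transitions that are one-way.

```python
from collections import deque

INITIAL, DONE = "Initial", "Done"  # predefined statuses present in every workflow

def build_edges(statuses):
    """Turn per-status settings into a set of one-way (source, target) transitions."""
    names = set(statuses) | {INITIAL, DONE}
    edges = set()
    for name, cfg in statuses.items():
        # Assumption: the "allow all" options mean every other status in the workflow.
        sources = names - {name} if cfg.get("all_in") else cfg.get("incoming", [])
        targets = names - {name} if cfg.get("all_out") else cfg.get("outgoing", [])
        edges |= {(src, name) for src in sources}
        edges |= {(name, dst) for dst in targets}
    return names, edges

def reachable(start, edges):
    """Breadth-first search over the transition graph."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for src, dst in edges:
            if src == current and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def audit(statuses):
    """Report design problems in a planned workflow."""
    names, edges = build_edges(statuses)
    from_initial = reachable(INITIAL, edges)
    to_done = reachable(DONE, {(dst, src) for src, dst in edges})  # walk backwards
    return {
        "unreachable": sorted(names - from_initial),   # no path from Initial
        "dead_end": sorted(names - to_done),           # no path to Done
        "one_way": sorted(e for e in edges if e[::-1] not in edges),
    }

# Constructed sample design; status names other than Initial and Done are made up.
SAMPLE = {
    "Triage": {"incoming": ["Initial"], "outgoing": ["Containment", "Done"]},
    "Containment": {"incoming": ["Triage"], "outgoing": ["Triage"]},
    "Waiting for vendor": {"incoming": ["Containment"], "outgoing": []},
    "Escalated": {"incoming": [], "outgoing": ["Done"]},
}

if __name__ == "__main__":
    for finding, items in audit(SAMPLE).items():
        print(finding, items)
```

In the sample, an incident moved to "Waiting for vendor" could never be closed, and "Escalated" could never be selected, which are the kinds of gaps the visual editor makes visible only after the statuses are created.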
Editing incident workflows and statuses
You can edit workflow properties, as well as workflow statuses and transitions.
To edit the incident workflow:
- In the main menu, go to Settings → Tenants.
- Click the name of the required tenant.
The tenant's properties window opens.
- On the Settings tab, click Incident management, and then select the Workflows tab.
- Click the name of the workflow that you want to edit.
The Edit workflow window opens.
- Edit the workflow properties. For more details on the workflow properties that you can edit, see Creating incident workflows.
The workflow's properties are modified and saved.
To edit statuses of the incident workflow:
- In the main menu, go to Settings → Tenants.
- Click the name of the required tenant.
The tenant's properties window opens.
- On the Settings tab, click Incident management, and then select the Workflows tab.
- Click the name of the workflow that you want to edit.
The Edit workflow window opens.
- Click the name of the status that you want to edit.
The Edit status window opens.
- Edit the status and transition settings. For more details on the status settings that you can edit, see Creating incident workflows.
If necessary, you can delete the status by clicking the Delete button.
You cannot edit the name and the category of the predefined statuses Initial and Done. You also cannot delete these predefined statuses.
You cannot delete a status if it is assigned to an incident.
- Click the Save button.
The workflow statuses are modified and saved.
Deleting incident workflows
You cannot delete the incident workflow if there are linked incident types that belong to the parent or child tenant. In this case, you need to assign a different workflow to the linked incident types, and then try to delete the incident workflow again.
If you want to delete a workflow that is used in a playbook, before deleting, edit the playbook's trigger and/or algorithm to avoid errors.
To delete an incident workflow:
- In the main menu, go to Settings → Tenants.
- Click the name of the required tenant.
The tenant's properties window opens.
- On the Settings tab, click Incident management, and then select the Workflows tab.
- In the list of workflows, select the workflow that you want to delete, and then click Delete.
- In the confirmation dialog box, click Delete.
The incident workflow is deleted.