Note

To fully use this screen, you must have the following permissions assigned to your account:

  • Read
Dashboard Statistics
  • Security Offenses

...


Access the ... Incidents Screen


  1. In the Armor Management Portal (AMP), click Security
  2. Click ... Incidents

    Note

    The default view is pre-filtered to display incidents only. Click Filters + Settings to adjust the view to also display detections.

    | Column | Description |
    | --- | --- |
    | ID | This is the unique ID of the ... security incident. |
    | Summary | A brief ... description of the ... incident found. |
    | Severity | There are four ... severity types: Low, Medium, High, Critical. |

    You will only see an incident if you are listed as a recipient on the support ticket or if you opened the support ticket.

...

There are two status types:

  • Open
  • Requires Attention

...

Note

To learn more, see Health Overview Dashboard.

Close A Security Incident 

...

    | Column | Description |
    | --- | --- |
    | Tags | Armor will "tag" a detection with Incident if it requires security attention, and is a potential threat. |
    | Events | A count of events that triggered a detection or incident in the Armor correlation engine. |
    | Status | The current status of the incident or detection. If an incident has a corresponding ticket, then the status of the ticket will display. If a detection does not have a corresponding ticket, then the status will display Closed. |



  2. Expand the row to view the First and Last Event Date.
  3. Click Filters + Settings to filter the data that displays in the table.
    1. Filter by Severity, Tags, or Status.
      1. Click Apply Filters to save your changes.
    2. In Table Settings, you can customize the view of your table.
    3. Click Save Settings to save your changes.


View Incident Details


  1. In the Armor Management Portal (AMP), click Security
  2. Click Incidents
  3. Locate and select the incident that you want to view.


    Incident Details

    | Field | Description |
    | --- | --- |
    | Full ID | This is the unique ID of the alert. |
    | First Event Date | The date and time of the first event tracked for this alert. |
    | Last Event Date | The date and time of the last event tracked for this alert. |
    | Status | The status of the detection/incident. |
    | Event Count | The total number of events tracked for this alert. |
    | Categories | The categories used by Armor to group detections, based on the correlation rule(s) that triggered the detection and the associated events. |

    Event Details

    | Column | Description |
    | --- | --- |
    | Name | The descriptive name of the event. |
    | Source IP | The source network address associated with the event. |
    | Dest. IP | The destination network address associated with the event. |
    | Timestamp | The date and time that the event occurred. |
    | Log Source | The data source of the event log. |
    | Category | The category assigned based on the correlation rule(s) that triggered the detection and the associated event. |
  4. Click Filters + Settings to filter the data that displays in the table.

    1. Click Apply Filters to save your changes.
  5. In Table Settings, you can customize the view of your table.
    1. Click Save Settings to save your changes.


View Support Ticket Details


Note

In order to view a ticket, you must be a member of the organization that the ticket was created in.

  1. In the Armor Management Portal (AMP), click Security
  2. Click Incidents
  3. Locate and select the incident that you want to view.
  4. Click View Ticket.
    1. The ticket details from the Armor Ticketing System (ATS) will open in a new window.


Close A Security Incident 


Only Armor Support can close a security incident. However, after you have performed the troubleshooting tips suggested by Armor Support, ... simply enter a comment expressing your desire to close the ticket. ... Armor Support will verify and confirm that the ... security incident has been properly addressed, and then they will close the ticket.

Only Armor Support can close a Security Incident. 

...


Info

Troubleshooting


...

If you do not see any data in the Incidents screen, consider that: 

  • Your account does not have any security incidents to display. 
    • Armor is responsible for adding security-related incidents to this screen. 
  • You do not have permissions to view security incidents.
    • You must have the Read Security Alerts and Read Security Offenses permissions enabled to view security incidents in this screen. Contact your account administrator to enable these permissions. To learn how to update your permissions, see Roles and Permissions.


