Incidents
The Incidents page displays all the incidents that occurred when a user action resulted in a policy response such as Blocked or Warning. The top of the page shows you the total number of incidents under each status type.
When you land on the Incidents page, the "Open" tab displays all the open incidents. Switch between the different tabs to view the incidents under each status type. The different status types are described in detail in the Incident Status section.
The table provides detailed information about each incident. You can expand each incident in the table to view the incident flow details such as policy response, user response, and the dataflow that caused the incident. You can also set the incident status by expanding the incident.
Incident Status
Incident status types are the tabs listed at the top of the page, such as Open, Assigned, Closed - Valid Incidents, and Closed - Not Incidents.
You can expand an incident to set the status. The status options are displayed at the beginning of the incident flow. You can share, add comments, assign the incident to users or groups, close the incident, or move the incident back to an open status. You can also select multiple incidents at a time to set the status. All status changes are recorded as part of the incident flow.
Incidents can have the following statuses.
Open
Open status indicates that no action has been taken yet. You can take the following actions on an open incident.
Share
Add Comment
Assign to
Close as a valid incident
Close as not an incident
You can move an incident back to Open from any other status. When an incident is moved back to "Open" the incident is unassigned and the "Assigned To" column for that incident is empty. The incident flow for the incident shows that the status was changed.
For example, when an incident is moved from "Closed" status to "Open", the incident flow shows Reopened by admin@cyberhaven.com at 2022-12-13, 11:30.
Assigned
Open incidents can be moved to Assigned status. When you select the "Assign To" status you can select a user to whom the incidents will be assigned. The assigned user will receive an email notifying them that an incident was assigned for review. An assigned incident will no longer appear in the "Open" tab.
Click on the Assigned tab at the top of the page to view all the assigned incidents. The assigned user for each incident is displayed in the "Assigned To" column of the table.
You can take the following actions on an assigned incident.
Share
Add Comment
Re-assign to
Move to open
Close as a valid incident
Close as not an incident
Closed - Valid Incidents
Any incident, irrespective of its status, can be moved to Closed - Valid Incidents by any user. This status confirms that the incident is valid. The assignee does not change even when a different user closes the incident; the closing action is, however, recorded in the incident flow along with all the previous status changes on the incident.
Click on the Closed - Valid Incidents tab at the top of the page to view all the valid incidents that are closed.
You can take the following actions on an incident closed as a valid incident.
Share
Add Comment
Move to open
Closed - Not Incidents
Any incident, irrespective of its status, can be moved to Closed - Not Incidents by any user. This status indicates that the incident was invalid, and a reason must be provided when closing it. The assignee does not change even when a different user closes the incident; the closing action is, however, recorded in the incident flow along with all the previous status changes on the incident.
Click on the Closed - Not Incidents tab at the top of the page to view all the closed invalid incidents. You can take the following actions on an incident closed as not an incident.
Share
Add Comment
Move to open
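The status rules above (any status can be closed by any user, closing as not an incident requires a reason, the assignee is kept on close, reopening clears the assignee, and every change is recorded in the incident flow) can be encoded as a small state machine, for example to sanity-check an exported incident list or a ticketing integration. This is an added illustration, not Cyberhaven code or API; the Incident class, function names, and addresses are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Status names exactly as the Incidents page lists its tabs.
OPEN = "Open"
ASSIGNED = "Assigned"
CLOSED_VALID = "Closed - Valid Incidents"
CLOSED_NOT = "Closed - Not Incidents"


@dataclass
class Incident:                      # hypothetical model of one table row
    incident_id: str
    status: str = OPEN
    assigned_to: Optional[str] = None
    flow: List[str] = field(default_factory=list)  # recorded status changes


def assign(inc: Incident, actor: str, assignee: str) -> None:
    """Open -> Assigned ("Assign to"), or Assigned -> Assigned ("Re-assign to")."""
    if inc.status not in (OPEN, ASSIGNED):
        raise ValueError(f"cannot assign an incident in status {inc.status!r}")
    inc.status, inc.assigned_to = ASSIGNED, assignee
    inc.flow.append(f"Assigned to {assignee} by {actor}")


def close(inc: Incident, actor: str, valid: bool, reason: Optional[str] = None) -> None:
    """Any status may be closed by any user; 'not an incident' needs a reason."""
    if not valid and not reason:
        raise ValueError("closing as not an incident requires a reason")
    inc.status = CLOSED_VALID if valid else CLOSED_NOT
    # The assignee is deliberately left unchanged, as the page states.
    label = "valid incident" if valid else f"not an incident ({reason})"
    inc.flow.append(f"Closed as {label} by {actor}")


def reopen(inc: Incident, actor: str) -> None:
    """Any non-open status -> Open; reopening unassigns the incident."""
    if inc.status == OPEN:
        raise ValueError("incident is already open")
    inc.status, inc.assigned_to = OPEN, None
    inc.flow.append(f"Reopened by {actor}")
```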
Incident Attributes
The incidents table includes the various attributes that describe the incident. Some attributes depend on the settings selected when the policy was configured, for example, severity, dataset, and policy that triggered the incident. Some attributes are captured at the time of the incident, for example, the policy response, user response, file, timestamp etc.
The following table provides the list of attributes that are displayed in the incidents table.
| Attribute Name | Description |
|---|---|
| AI Assessed Risk | The risk level assigned to an incident by Linea AI. The risk level is calculated based on the dataset sensitivity, policy severity, and the historical data flows associated with the event. |
| App command line | The command line that started the application for accessing the data. |
| App description | The description of the application used to access the data. |
| App main window title | The title of the main application window. |
| App name | The name of the application used to access the data. |
| App package name | The package name for Modern Windows applications. |
| Assigned to | The user assigned to the incident. You can filter this column by selecting users. |
| Blocked | A flag indicating whether the event was blocked. |
| Browser page domain | The domain as extracted from the referrer URL. |
| Browser page title | The page title of the website. |
| Browser page url | The referrer URL. |
| Cloud app | The type of cloud application, for example, OneDrive, SharePoint, Google Drive, etc. |
| Cloud app account | The user account used to log in to the website. |
| Cloud destination groups | Group name in the cloud app that has been granted sharing access. |
| Cloud domain | Cloud app domain. |
| Cloud messaging groups | The source or destination group name in the cloud messaging app. |
| Cloud messaging users | The source or destination username in the cloud messaging app. |
| Cloud provider | The type of cloud provider storing data, for example, Office 365, Salesforce, etc. |
| Cloud shared role | The cloud sharing access role type, for example, viewer, editor, commenter, etc. |
| Cloud shared type | The scope of users with cloud sharing access, for example, user, group, anyone. |
| Cloud shared with | The cloud app account email addresses that have been granted sharing access. |
| Cloud workspace | Workspace name of the cloud app, for example, the workspace name in Slack. |
| Content attributes | The content attributes that match the dataset in the policy. This column cannot be filtered. |
| Content repository name | The name of the repository containing the data. |
| Content repository org | The organization structure of the content repository. |
| Content uri | The URL path of the content. |
| Created by | Indicates whether the incident was created by a user-defined policy, Linea AI, or a combination of the two. See Incident Management with Linea AI. |
| Data size | The size of a piece of data, for example, when copied and pasted. |
| Dataset | The dataset that was used to classify the data which was referenced in a policy that matched the event and triggered the incident. You can sort or filter this column by selecting dataset names. |
| Destination file path | The specific location where data resides. |
| Destination location outline | The type of destination location where data resides (e.g., endpoint, website, etc.). |
| Destination type | A short outline of the destination location that triggered the incident, such as node, hostname for endpoint, email for cloud, device name for removable media. |
| Document tags | The document tags that are applied to the document containing the sensitive data. |
| Domain | The domain name, in the form .sub.domain.tld. |
| Domain category | A classification that Cyberhaven maintains to categorize domains based on the type of content, purpose, or industry. |
| Edm attributes | The exact data match attributes that matched and triggered the incident. |
| Email account | The email address identifying a mailbox where the data resides. |
| Email groups | The geographic location of the email account. |
| Endpoint id | Identifier for the endpoint where the event was generated. |
| Event time | The time at which the event that caused the incident occurred. |
| Event type | The type of event that led to data arriving at or leaving a location. |
| Explanation | The user explanation provided in the policy response pop-up window. |
| File | The name of the file that caused the incident. You can sort or filter this column by selecting filenames. |
| File extension | The file type or the extension of the file. |
| File size | The size of a file in bytes. |
| Group name | The list of Active Directory groups to which the user accessing the file belongs. |
| Hostname | The hostname of an endpoint or share where the data resides. |
| Incident ID | The unique identifier assigned to an incident. |
| Local machine name | The hostname of the machine where the event happened. |
| Local time UTC | The time in UTC when the data arrived in the silo. |
| Local user name | The username of the user accessing the data. |
| Local user sid | The SID of the user accessing the data. |
| Location | The type of location where data resides, for example, endpoint, website, etc. |
| Md5 hash | The MD5 hash of a file at a location. |
| Media category | The type of removable media. |
| Policy | The policy that matched the event and triggered the incident. You can sort or filter this column by selecting policy names. |
| Printer name | The name of the printer used to access data. |
| Reaction time UTC | The time taken by the end user to respond to the policy response pop-up window. |
| Removable device name | The name of the removable device used to access data. |
| Removable device product id | The 16-bit number assigned to specific USB device models by the manufacturer. |
| Removable device vendor id | The 16-bit number assigned to USB device manufacturers by the USB Implementers Forum. |
| Resolution status | The incident resolution status. |
| Resolution time UTC | The time in UTC when this incident was resolved. |
| Resolved by | The admin user who resolved the incident. |
| Response | The policy response to the incident and the status of the pop-up window that displays the policy response message. This column cannot be filtered. The possible values are listed in the following rows. |
| Response value: N/A | When the "Response" option in the policy is set to "Monitor", this attribute is shown as N/A in the table. |
| Response value: Response skipped: throttled | If the policy is triggered more than once within 5 seconds, the pop-up window is not displayed due to throttling. |
| Response value: Response skipped: timeout | The pop-up window was not displayed to the user due to the session timing out. Possible scenarios are that the device was rebooted or lost network connectivity. |
| Response value: Response pending | An incident was created but the response from the user pop-up message has not yet been received. A possible scenario is that the sensor lost network connectivity and did not receive the new incident notification. |
| Response value: Warning shown | The warning message defined in the policy was displayed to the user. |
| Response value: Warning received by endpoint | If the blocking policy for the user action failed, or the user was able to override blocking for this action and perform the next action, a warning message is still displayed to the user and an incident is created. |
| Response value: Blocked | The policy response pop-up window was displayed to the user and the user action was blocked as per the policy. |
| Response value: Blocked, Response skipped: throttled | If the policy is triggered more than once within 5 seconds, the user action is blocked but the pop-up window is not displayed due to throttling. |
| Salesforce account domains | Salesforce domain name from the user's email address. |
| Salesforce account name | Name of the Salesforce account. |
| Sensitivity | The sensitivity rating assigned in the dataset definition. Possible values: Critical, High, Moderate, Low, Unrestricted. You can filter this column by selecting different sensitivity ratings. |
| Sensor Type | The type of Cyberhaven sensor that generated the incident, for example, Endpoint Sensor, Cloud Sensor, or Browser Extension. |
| Severity | The severity of the incident as defined in the policy. Possible values: Critical, High, Medium, Low, Informational. You can filter this column by selecting severity types. |
| SHA256 Hash | The SHA256 hash of a file at a location. |
| Source file path | The file path location of the source containing the data. |
| Source location outline | The type of source location where data resides, for example, endpoint, website, etc. |
| Source type | A short outline of the source location that triggered the incident, such as node, hostname for endpoint, email for cloud, device name for removable media. |
| Timestamp | The time in UTC when the incident occurred. You can sort this column by the latest or oldest incidents. |
| Trigger time | The time taken to trigger an incident. |
| URL | The exact URL used to access the data. |
| User | The user who caused the incident. You can sort or filter this column by selecting usernames. |
| User reaction | The status of the user's reaction to the policy response pop-up window. This column cannot be filtered. The possible values are listed in the following rows. |
| User reaction value: N/A | When the "Response" option in the policy is set to "Monitor", this attribute is shown as N/A in the table. |
| User reaction value: None | There was no user reaction because the pop-up window was not displayed, for instance, due to throttling. |
| User reaction value: Viewed the warning | The user clicked the "I understand" button and did not provide an explanation. |
| User reaction value: Provided an explanation | The user entered an explanation in the pop-up window. |
| User reaction value: Acknowledged | The user clicked the "Acknowledge" checkbox on the warning message. |
| User reaction value: Requested review | The user has requested a policy review. |
| User reaction value: Self-unblocked | This status applies when a user action is blocked but the user chooses "Allow" in the pop-up window. |