Incident Attributes
The incidents table includes the various attributes that describe the incident. Some attributes depend on the settings selected when the policy was configured, for example, severity, dataset, and the policy that triggered the incident. Other attributes are captured at the time of the incident, for example, the policy response, user response, file, timestamp, etc.
The following table provides the list of attributes that are displayed in the incidents table.
| Attribute Name | Description |
|---|---|
| AIAssessed Risk | The risk level assigned to an incident by Linea AI. The risk level is calculated based on the dataset sensitivity, policy severity, and the historical data flows associated with the event. |
| App command line | The command line that started the application for accessing the data. |
| App description | The description of the application used to access the data. |
| App main window title | The title of the main application window. |
| App name | The name of the application used to access the data. |
| App package name | The package name for Modern Windows applications. |
| Assigned to | The user assigned to the incident. You can filter this column by selecting users. |
| Blocked | A flag indicating whether the event was blocked. |
| Browser page domain | The domain as extracted from the referrer URL. |
| Browser page title | The page title of the website. |
| Browser page url | The referrer URL. |
| Cloud app | The type of cloud application, for example, OneDrive, SharePoint, Google Drive, etc. |
| Cloud app account | The user account used to login to the website. |
| Cloud destination groups | Group name in the cloud app that has been granted sharing access. |
| Cloud domain | Cloud app domain. |
| Cloud messaging groups | The source or destination group name in the cloud messaging app. |
| Cloud messaging users | The source or destination username in the cloud messaging app. |
| Cloud provider | The type of cloud provider storing data, for example, Office 365, Salesforce, etc. |
| Cloud shared role | The cloud sharing access role type, for example, viewer, editor, commenter, etc. |
| Cloud shared type | The scope of users with cloud sharing access, for example, user, group, anyone. |
| Cloud shared with | The cloud app account email addresses that have been granted sharing access. |
| Cloud workspace | Workspace name of the cloud app, for example, the workspace name in Slack. |
| Content attributes | The content attributes that match the dataset in the policy. This column cannot be filtered. |
| Content repository name | The name of the repository containing the data. |
| Content repository org | The organization structure of the content repository. |
| Content uri | The URL path of the content. |
| Created by | Indicates whether the incident was created by a user-defined policy, Linea AI, or a combination of the two. See Linea AI Incidents. |
| Data size | The size of a piece of data, for example, when copy and pasted. |
| Dataset | The dataset that was used to classify the data which was referenced in a policy that matched the event and triggered the incident. You can sort or filter this column by selecting dataset names. |
| Destination file path | The specific location where data resides. |
| Destination location outline | The type of destination location where data resides (e.g., endpoint, website, etc.) |
| Destination type | A short outline of the destination location that triggered the incident, such as node, hostname for endpoint, email for cloud, device name for removable media. |
| Document tags | The document tags that are applied to the document containing the sensitive data. |
| Domain | The domain name, in the form .sub.domain.tld. |
| Domain category | A classification that Cyberhaven maintains to categorize domains based on the type of content, purpose, or industry. |
| Edm attributes | The exact data match attributes that matched and triggered the incident. |
| Email account | The email address identifying a mailbox where the data resides. |
| Email groups | The geographic location of the email account. |
| Endpoint id | Identifier for the endpoint where the event was generated. |
| Event time | The time at which the event that caused the incident occurred. |
| Event type | The type of event that led to data arriving or leaving a location. |
| Explanation | The user explanation provided in the policy response pop-up window. |
| File | The name of the file that caused the incident. You can sort or filter this column by selecting filenames. |
| File extension | The file type or the extension of the file. |
| File size | The size of a file in bytes. |
| Group name | The list of Active Directory groups to which the user accessing the file belongs. |
| Hostname | The hostname of an endpoint or share where the data resides. |
| Incident ID | The unique identifier assigned to an incident. |
| Local machine name | The hostname of the machine where the event happened. |
| Local time UTC | The time in UTC when the data arrived in the silo. |
| Local user name | The username of the user accessing the data. |
| Local user sid | The SID of the user accessing the data. |
| Location | The type of location where data resides, for example, endpoint, website, etc. |
| Md5 hash | The MD5 hash of a file at a location. |
| Media category | The type of removable media. |
| Policy | The policy that matched the event and triggered the incident. You can sort or filter this column by selecting policy names. |
| Printer name | The name of the printer used to access data. |
| Reaction time UTC | The time taken by the end user to respond to the policy response pop-up window. |
| Removable device name | The name of the removable device used to access data. |
| Removable device product id | The 16-bit number assigned to specific USB device models by the manufacturer. |
| Removable device vendor id | The 16-bit number assigned to USB device manufacturers by the USB Implementers Forum. |
| Resolution status | The incident resolution status. |
| Resolution time UTC | The time in UTC when this incident was resolved. |
| Resolved by | The admin user who resolved the incident. |
| Response | The policy response to the incident and the status of the pop-up window that displays the policy response message. This column cannot be filtered. The following are the possible values.<br>**N/A**: When the "Response" option in the policy is set to "Monitor", this attribute is shown as N/A in the table.<br>**Response skipped: throttled**: If the policy is triggered more than once within 5 seconds, the pop-up window is not displayed due to throttling.<br>**Response skipped: timeout**: The pop-up window was not displayed to the user because the session timed out, for example because the device was rebooted or lost network connectivity.<br>**Response pending**: An incident was created but the response from the user pop-up message has not yet been received, for example because the sensor lost network connectivity and did not receive the new incident notification.<br>**Warning shown**: The warning message defined in the policy was displayed to the user.<br>**Warning received by endpoint**: If the blocking policy for the user action failed, or the user was able to override blocking for this action and perform the next action, a warning message is still displayed to the user and an incident is created.<br>**Blocked**: The policy response pop-up window was displayed to the user and the user action was blocked as per the policy.<br>**Blocked, Response skipped: throttled**: If the policy is triggered more than once within 5 seconds, the user action is blocked but the pop-up window is not displayed due to throttling. |
| Salesforce account domains | Salesforce domain name from the user's email address. |
| Salesforce account name | Name of the Salesforce account. |
| Sensitivity | The sensitivity rating assigned in the dataset definition. The following are the possible values: Critical, High, Moderate, Low, Unrestricted. You can filter this column by selecting different sensitivity ratings. |
| Sensor Type | The type of Cyberhaven sensor that generated the incident, for example, Endpoint Sensor, Cloud Sensor, or Browser Extension. |
| Severity | The severity of the incident as defined in the policy. The following are the possible values: Critical, High, Medium, Low, Informational. You can filter this column by selecting severity types. |
| SHA256 Hash | The SHA256 hash of a file at a location. |
| Source file path | The file path location of the source containing the data. |
| Source location outline | The type of source location where data resides, for example, endpoint, website, etc. |
| Source type | A short outline of the source location that triggered the incident, such as node, hostname for endpoint, email for cloud, device name for removable media. |
| Timestamp | The time in UTC when the incident occurred. You can sort this column by the latest or oldest incidents. |
| Trigger time | The time taken to trigger an incident. |
| URL | The exact URL used to access the data. |
| User | The user who caused the incident. You can sort or filter this column by selecting usernames. |
| User reaction | This column displays the status of the user's reaction to the policy response pop-up window. This column cannot be filtered. The following are the possible values.<br>**N/A**: When the "Response" option in the policy is set to "Monitor", this attribute is shown as N/A in the table.<br>**None**: There was no user reaction because the pop-up window was not displayed, for instance due to throttling.<br>**Viewed the warning**: The user clicked the "I understand" button and did not provide an explanation.<br>**Provided an explanation**: The user entered an explanation in the pop-up window.<br>**Acknowledged**: The user clicked the "Acknowledge" checkbox on the warning message.<br>**Requested review**: The user has requested a policy review.<br>**Self-unblocked**: This status applies when a user action is blocked but the user chooses "Allow" in the pop-up window. |
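
As an added example that is not part of Cyberhaven's documentation or product code, the following Python sketch turns the Response and User reaction values listed above into review queues, so that incidents where a Block policy did not hold, or where sensitive data moved without the user ever seeing the pop-up, surface first. It assumes incidents are available as dicts keyed by the attribute names in this table (for example from an export); that key layout, the queue names and the sample rows are constructed for the example.

```python
"""Triage helper for incident rows (added example, not Cyberhaven code).

Assumption (not from the page): each incident is a dict whose keys are the
attribute names from the incidents table, e.g. "Response", "User reaction",
"Blocked", "Sensitivity", "User".
"""
from collections import Counter

# Response values from the table that mean no pop-up reached the user.
RESPONSE_NOT_SHOWN = {
    "Response skipped: throttled",
    "Response skipped: timeout",
    "Response pending",
    "Blocked, Response skipped: throttled",
}
# Response value that means a Block policy fell back to a warning.
RESPONSE_BLOCK_NOT_ENFORCED = {"Warning received by endpoint"}


def triage(incident: dict) -> str:
    """Return a review queue name (constructed names) for one incident row.

    Queues, highest priority first:
      block-bypassed : a Block policy did not hold (user self-unblocked, or
                       the endpoint showed a warning instead of blocking)
      monitor        : monitor-only policy (Response is N/A)
      blocked        : the action was stopped; review for intent
      unwarned       : Critical/High data under a warn policy, but the
                       pop-up was never shown, so no deterrent applied
      routine        : everything else
    """
    response = incident.get("Response", "N/A")
    reaction = incident.get("User reaction", "N/A")
    blocked = bool(incident.get("Blocked", False))
    sensitivity = incident.get("Sensitivity", "Unrestricted")

    if reaction == "Self-unblocked" or response in RESPONSE_BLOCK_NOT_ENFORCED:
        return "block-bypassed"
    if response == "N/A":
        return "monitor"
    if blocked:
        return "blocked"
    if response in RESPONSE_NOT_SHOWN and sensitivity in {"Critical", "High"}:
        return "unwarned"
    return "routine"


def queue_counts(incidents) -> Counter:
    """Count incidents per queue."""
    return Counter(triage(i) for i in incidents)


def throttled_users(incidents) -> Counter:
    """Users with throttled responses. Repeated triggers within 5 seconds
    suppress the pop-up, so a burst of such rows should be read together
    rather than as isolated incidents."""
    return Counter(i["User"] for i in incidents
                   if "throttled" in i.get("Response", ""))


# Constructed sample rows, not real incident data.
SAMPLE_INCIDENTS = [
    {"Incident ID": "ex-1", "User": "alice", "Sensitivity": "Critical",
     "Blocked": True, "Response": "Blocked", "User reaction": "Self-unblocked"},
    {"Incident ID": "ex-2", "User": "bob", "Sensitivity": "High",
     "Blocked": False, "Response": "Response skipped: timeout", "User reaction": "None"},
    {"Incident ID": "ex-3", "User": "carol", "Sensitivity": "Low",
     "Blocked": False, "Response": "N/A", "User reaction": "N/A"},
    {"Incident ID": "ex-4", "User": "dave", "Sensitivity": "High",
     "Blocked": True, "Response": "Blocked, Response skipped: throttled", "User reaction": "None"},
    {"Incident ID": "ex-5", "User": "dave", "Sensitivity": "High",
     "Blocked": True, "Response": "Blocked, Response skipped: throttled", "User reaction": "None"},
    {"Incident ID": "ex-6", "User": "erin", "Sensitivity": "Moderate",
     "Blocked": False, "Response": "Warning shown", "User reaction": "Viewed the warning"},
    {"Incident ID": "ex-7", "User": "frank", "Sensitivity": "Critical",
     "Blocked": False, "Response": "Warning received by endpoint", "User reaction": "Acknowledged"},
]

if __name__ == "__main__":
    for row in SAMPLE_INCIDENTS:
        print(row["Incident ID"], "->", triage(row))
    print(dict(queue_counts(SAMPLE_INCIDENTS)))
    print(dict(throttled_users(SAMPLE_INCIDENTS)))
```

The ordering of the checks is the design point: "Self-unblocked" and "Warning received by endpoint" are tested before anything else because they describe a control that was configured to block and did not, which matters more than the sensitivity label; monitor-only rows are separated early so that N/A is never mistaken for a missing pop-up.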