Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
EventLog Analyzer

Real-time Log Analysis & Reporting
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Incident Management in Log360 Cloud

Log360 Cloud helps you streamline the process of managing and investigating security incidents. You can track the status of security incidents by navigating to the Alerts tab → Incident.

Viewing and editing incidents

In the Incident page, you can view the list of all incidents in your network along with crucial information such as the assignee, status, and severity. You can click on any incident to view and edit the incident's name, description, assignee, status, and severity. The Evidence and Notes tab displays the list of evidence and notes attached to an incident. The Activity Logs page records and displays the events pertaining to the creation, modification, and deletion of incidents.

The incident page displays details such as the age of the incident, who created it, and when it was created.

The Actors widget contains the list of users, entities, services, and processes responsible for the incident to help the assignee quickly investigate the incident and take remedial action.

Steps to create an incident

You can create an incident in Log360 Cloud by navigating to the Alerts tab → Incident → +Add Incident.

In the Incident page, enter a name and description for your incident in the respective fields.
Select the assignee, severity, and status of your incident from the respective drop-down menus.
Click on Create.

You can view the incident creation event being logged in the Activity Logs pane.

Additionally, you can create incidents in Log360 Cloud by:

Mapping alerts as incidents
Mapping search results as incidents
Mapping reports as incidents

Steps to map alerts as incidents

In Log360 Cloud, you can map a triggered alert as an incident, assign a security technician to respond to the incident, and track its status by following the steps given below:

Navigate to the Alerts tab.
Select the alert for which you want to create an incident.
Click on the +Add to Incident button present at the top of the alerts table and click on the +Add New Incident option to create a new incident.
Enter the name and description of the incident.
Select the assignee, status, and severity of the incident from the respective drop-down menus.
Click on Create.

You can also add an alert as evidence to an incident by selecting the alert, clicking on the +Add to Incident button, and selecting the required incident from the list displayed.

The alert can now be viewed under the Evidence tab of the selected incident.

Steps to map search results as incidents

Log360 Cloud allows you to map search results as incidents to help you backtrack an attack and conduct root cause analysis by following the steps given below:

Navigate to the search tab and execute the required search query.
In the search results pane, click on the Incident button.
Now, select the search result(s) you want to add to an incident.
Click the +Add to Incident button and choose the incident to which you want to add the search result(s).
Alternatively, you can also create a new incident to map the selected search results by clicking the +Add New Incident link.
If you're creating a new incident, enter a name and description for the incident. Select the assignee, status, and severity from the respective drop-down menus.
Click Create.

You can now view the search results added as evidence under the Evidence tab of the incident.

Steps to map reports as incidents

If anomalies are detected in a report, you can further investigate the deviant events specified in the report by mapping those events as incidents and thoroughly examining them by assigning a dedicated IT security professional. You can map reported events as incidents in Log360 Cloud by following the steps given below:

Navigate to the Reports tab and click the report you want to add as an incident.
Click the Incident button and select the events of interest.
Click the +Add to Incident button and select the name of the incident to which you want to add the selected events.
Alternatively, you can also create a new incident by clicking the +Add New Incident link.
If you're creating a new incident, enter a name and description for the incident. Select the assignee, status, and severity from the respective drop-down menus.
Click Create.

You can now view the events of the report listed under the Evidence tab of the selected incidents.

Creating Incident views

You can view the incidents under various categories such as All incidents, Active incidents, and Critical incidents by selecting the required view from the Select View drop-down menu. You can also create custom views by configuring a filter for the type of incidents you want to view.

Apply the filter and click the Save as View link to enter a name for the view and click Save. Custom views are personal to the users who created them and can be viewed only by them. You can edit and delete the custom view by hovering your mouse pointer over the created view in the Select View drop-down menu.

Note: Based on your current subscription, incident management will work only if alerts are not restricted.