Applies To: ThreatSync
Incidents can have one of these statuses:
- New — New incidents not yet reviewed in the Incident Details page.
- Read — Incidents reviewed in the Incident Details page or manually marked as Read.
- Archived — Incidents archived by an automation policy or manually archived because an analyst determined that the threat is no longer a concern.
You can change the status of incidents in the Incidents page or Incidents Details page. For example, after an action completes for a specific incident, you can change its status to Archived to keep your incident list organized. By default, the Incidents page shows only incidents with a status of New and Read.
You can also configure automation policies to automatically archive incidents that meet specific conditions. For more information on automation policies, go to About ThreatSync Automation Policies.
To archive or change the status of an incident, from the Incidents page:
- Select Monitor > Threats > Incidents.
The Incidents page opens. - In the left column, select the check box for one or more incidents.
The Change Status and Actions menus appear.
- From the Change Status drop-down list, select a status for the selected incidents.
The Change Status dialog box opens. - (Optional) Enter a comment for the status change.
Comments appear in the Comments pane of the Incident Details page. For more information, go to Review Incident Details.
- Click Change Status.
The Incident list updates with the new status.
To archive an incident, from the Incident Details page:
- Select Monitor > Threats > Incidents.
The Incidents page opens. - Click an incident in the incident list.
The Incident Details page opens. - To archive the incident, click Archive in the upper-right of the page.
- (Optional) In the Change Status dialog box, enter a comment for the status change.
Comments appear in the Comments pane of the Incident Details page. For more information, go to Review Incident Details.
- Click Change Status.
The Incident list updates with the new status.