Incident Management
Incidents represent confirmed or suspected security events requiring coordinated response. The One Security provides a full incident lifecycle from alert promotion through resolution and post-incident review.
Incident Lifecycle
New → Open → Investigating → Contained → Resolved / Closed
| Status | Description |
|---|---|
| New | Incident created, not yet assigned |
| Open | Acknowledged, actively being worked |
| Investigating | Root cause analysis underway |
| Contained | Threat neutralized; remediation in progress |
| Resolved | Fully remediated and documented |
| Closed | Closed without full remediation (e.g., false positive after investigation) |
Severity Levels
| Severity | Typical Criteria |
|---|---|
| Critical | Active breach, data exfiltration, ransomware in progress |
| High | Confirmed compromise, privileged account abuse |
| Medium | Suspicious activity, policy violation, unconfirmed threat |
| Low | Informational finding, minor policy deviation |
Alert to Incident Promotion
Alerts in the SIEM can be promoted to incidents when investigation reveals confirmed or high-confidence malicious activity. From the Alert detail view, click Create Incident to promote the alert. The alert is linked to the incident and its history is preserved.
Alert Detail View
Navigate to SecOps → Alerts → [alert] to see the full alert context:
- Detection timestamp and source
- Category and severity
- Status history
- Linked incident (if promoted)
Incident Detail View
Navigate to SecOps → Incidents → [incident] to see:
- Title, severity, and current status
- Assigned analyst
- Opened date and SLA timer
- Full incident timeline
- Linked alerts
- Notes and updates
Creating an Incident Manually
From the Security Command Center or the Incidents list, click Create Incident and provide:
- Title
- Severity (Critical / High / Medium / Low)
- Description
PSA Ticket Integration
Critical and High severity incidents can create PSA tickets automatically. This surfaces the incident as a service request in your PSA queue, ensuring it is captured in your standard workflow and SLA tracking.
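The lifecycle table, the alert-to-incident promotion rule and the PSA auto-ticket rule above, modelled as a small state machine. This is an added example, not code from The One Security; the exact set of allowed transitions (Closed reachable from any working state, Resolved only after Contained) and the placeholder ticket id are assumptions.

```python
from dataclasses import dataclass, field

# Lifecycle from the page: New -> Open -> Investigating -> Contained -> Resolved / Closed.
# Assumption: Closed is allowed from any working state (e.g. false positive), Resolved only from Contained.
TRANSITIONS = {
    "New": {"Open", "Closed"},
    "Open": {"Investigating", "Closed"},
    "Investigating": {"Contained", "Closed"},
    "Contained": {"Resolved", "Closed"},
    "Resolved": set(),
    "Closed": set(),
}
SEVERITIES = ("Critical", "High", "Medium", "Low")
PSA_AUTO_TICKET = {"Critical", "High"}  # severities that auto-create a PSA ticket

@dataclass
class Alert:
    alert_id: str
    status_history: list = field(default_factory=list)  # preserved on promotion
    incident_id: str = ""  # set when the alert is linked to an incident

@dataclass
class Incident:
    incident_id: str
    title: str
    severity: str
    status: str = "New"
    linked_alerts: list = field(default_factory=list)
    timeline: list = field(default_factory=list)
    psa_ticket: str = ""

    def __post_init__(self):
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        self.timeline.append(("created", self.status))
        if self.severity in PSA_AUTO_TICKET:
            # Placeholder id (assumption); a real integration would call the PSA API here.
            self.psa_ticket = f"PSA-{self.incident_id}"

    def transition(self, new_status: str) -> None:
        # Reject any status change the lifecycle does not permit and record the rest.
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"illegal transition {self.status} -> {new_status}")
        self.timeline.append((self.status, new_status))
        self.status = new_status

def promote_alert(alert: Alert, incident: Incident) -> Incident:
    # Link the alert to the incident without touching the alert's own history.
    alert.incident_id = incident.incident_id
    incident.linked_alerts.append(alert.alert_id)
    incident.timeline.append(("alert_linked", alert.alert_id))
    return incident
```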
Post-Incident Review
After an incident is resolved, document the root cause, timeline, and lessons learned in the incident notes. This creates an audit trail for compliance and drives detection rule improvements.