Incident Management
Incident Management provides full lifecycle tracking for security incidents — from automatic creation through investigation, escalation, and resolution. Incidents are created automatically from detection rules or manually by analysts.
How Incidents Are Created
Automatic (Detection Engine)
When a critical or high severity detection rule matches events, an incident is automatically created:
Detection Rule (high/critical) → Alert Created → Incident Auto-Created

- Deduplication: 1 incident per rule per 24 hours (no duplicates for different target IPs)
- Title format: [Auto] Rule Name (e.g., [Auto] TCP SYN Scan Detection)
- Includes: Rule name, match count, target, MITRE tactic/technique, query
Manual Escalation
Click Escalate on any alert detail page to create an incident from that alert:
- Title format: Escalated: Alert Title
- Links: Original alert automatically linked to the incident
Manual Creation
Create incidents directly from the Incidents page for ad-hoc security events.
Incident Lifecycle (NIST)
Follows the NIST Computer Security Incident Handling lifecycle:
| Status | Description |
|---|---|
| Open | Newly created, awaiting triage |
| Contained | Threat contained, preventing further spread |
| Eradicated | Root cause removed from environment |
| Recovered | Systems restored to normal operation |
| Closed | Fully resolved and documented |
Views
Table View
Sortable table with columns:
- Incident ID, Severity, Title, Status, Assigned To, Alert Count, SLA, Created
Kanban Board
Visual workflow board with 5 NIST status columns. Drag and drop incidents between columns to update status in real-time.
KPI Dashboard
| Metric | Description |
|---|---|
| Open Incidents | Currently active incidents |
| MTTR | Mean Time to Resolve (calculated from real data) |
| SLA Compliance | % of closed incidents resolved within deadline (real calculation from sla_resolution_deadline vs closed_at) |
| New Today | Incidents opened today |
Incident Detail
Each incident detail page includes:
Summary
- Title, description, severity, status (dropdown to change)
- Assigned analyst, SLA deadline
- Executive summary (auto-generated for detection-created incidents)
Linked Alerts
Alerts correlated to this incident. For auto-created incidents, the triggering detection alert is automatically linked.
Timeline
Chronological activity log: status changes, assignments, comments, linked alerts.
Tasks
Investigation and remediation checklist with completion tracking.
Comments
Analyst notes and investigation findings with user attribution.
AI Analysis (KYRA tab)
AI-powered security analysis with:
- Dual Agent assessment (Global Threat Intel + Internal SOC)
- Quick action buttons for investigation, threat analysis, compliance check
- Chat-based interaction with KYRA AI Security Analyst
Auto-Incident Pipeline
```text
OpenSearch Events        Detection Engine        Alert                   Incident
─────────────────        ────────────────        ─────────               ──────────
events-* (syslog)  ──→   153 rules/60s     ──→   [Detection] rule  ──→   [Auto] rule
network-logs-*     ──→   Adaptive skip     ──→   AI Assessment     ──→   (high/critical only)
                         match_none guard        Dual Agent              1 per rule/24h
```

Example Flow
- Detection rule “TCP SYN Scan Detection” (tcp_flags=2 payload_len=0 source=ndr) matches 18,000+ network flows
- Alert created: [Detection] TCP SYN Scan Detection → 34.149.66.137
- Severity is high → Incident auto-created: [Auto] TCP SYN Scan Detection
- AI agents assess both the alert and the detection rule
- Incident appears in Kanban board under Open column
- Analyst drags to Contained after blocking the scanning IP
SLA Targets
| Severity | Response Time | Resolution Time |
|---|---|---|
| Critical | 15 min | 4 hours |
| High | 30 min | 8 hours |
| Medium | 2 hours | 24 hours |
| Low | 4 hours | 72 hours |
SLA compliance is calculated from real data: closed_at vs sla_resolution_deadline.
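The following is an added illustration, not the product's own code, of the rules stated in the Auto-Incident Pipeline and SLA Targets sections: only high/critical alerts spawn incidents, one incident per rule per 24 hours regardless of target, the [Auto] title format, SLA deadlines derived from the table above, and MTTR / SLA compliance computed from closed_at against sla_resolution_deadline. The class names, the fields other than closed_at and sla_resolution_deadline, and the sample alerts (TEST-NET addresses, a made-up medium-severity rule) are assumptions constructed for the example.

```python
"""Added example (not the product's code): auto-incident creation with
per-rule/24h deduplication, SLA deadline assignment, and the two KPI formulas
the page describes. Class and field names are assumptions except
sla_resolution_deadline and closed_at, which the page names."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# SLA targets copied from the page's table: (response time, resolution time).
SLA_TARGETS = {
    "critical": (timedelta(minutes=15), timedelta(hours=4)),
    "high":     (timedelta(minutes=30), timedelta(hours=8)),
    "medium":   (timedelta(hours=2),    timedelta(hours=24)),
    "low":      (timedelta(hours=4),    timedelta(hours=72)),
}
AUTO_CREATE_SEVERITIES = {"high", "critical"}  # page: "(high/critical only)"
DEDUP_WINDOW = timedelta(hours=24)             # page: "1 per rule/24h"


@dataclass
class Alert:
    rule_name: str
    severity: str
    target: str
    match_count: int
    created_at: datetime


@dataclass
class Incident:
    title: str
    severity: str
    rule_name: str
    created_at: datetime
    sla_response_deadline: datetime
    sla_resolution_deadline: datetime
    status: str = "Open"                  # NIST lifecycle starts at Open
    linked_alerts: list = field(default_factory=list)
    closed_at: Optional[datetime] = None


class IncidentStore:
    def __init__(self) -> None:
        self.incidents: list[Incident] = []

    def _recent_for_rule(self, rule_name: str, now: datetime) -> Optional[Incident]:
        """Any incident for this rule created within the last 24h, whatever its target."""
        for inc in self.incidents:
            if inc.rule_name == rule_name and now - inc.created_at < DEDUP_WINDOW:
                return inc
        return None

    def process_alert(self, alert: Alert) -> Optional[Incident]:
        """Return the incident auto-created for this alert, or None if the
        severity is too low or the rule already has an incident in the window."""
        if alert.severity not in AUTO_CREATE_SEVERITIES:
            return None                       # alert exists, no incident
        if self._recent_for_rule(alert.rule_name, alert.created_at) is not None:
            return None                       # deduplicated: no second incident
        response, resolution = SLA_TARGETS[alert.severity]
        inc = Incident(
            title=f"[Auto] {alert.rule_name}",
            severity=alert.severity,
            rule_name=alert.rule_name,
            created_at=alert.created_at,
            sla_response_deadline=alert.created_at + response,
            sla_resolution_deadline=alert.created_at + resolution,
            linked_alerts=[alert],            # triggering alert auto-linked
        )
        self.incidents.append(inc)
        return inc


def close_incident(inc: Incident, closed_at: datetime) -> None:
    inc.status = "Closed"
    inc.closed_at = closed_at


def mttr_hours(incidents: list[Incident]) -> Optional[float]:
    """Mean Time to Resolve over closed incidents, in hours."""
    closed = [i for i in incidents if i.closed_at is not None]
    if not closed:
        return None
    total = sum((i.closed_at - i.created_at).total_seconds() for i in closed)
    return total / len(closed) / 3600


def sla_compliance_pct(incidents: list[Incident]) -> Optional[float]:
    """% of closed incidents with closed_at on or before sla_resolution_deadline."""
    closed = [i for i in incidents if i.closed_at is not None]
    if not closed:
        return None
    met = sum(1 for i in closed if i.closed_at <= i.sla_resolution_deadline)
    return 100.0 * met / len(closed)


T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed base timestamp
SAMPLE_ALERTS = [  # constructed sample input modelled on the page's SYN-scan flow
    Alert("TCP SYN Scan Detection", "high", "192.0.2.10", 18000, T0),
    Alert("TCP SYN Scan Detection", "high", "192.0.2.11", 2500, T0 + timedelta(hours=3)),   # same rule, other target: deduped
    Alert("TCP SYN Scan Detection", "high", "192.0.2.12", 900, T0 + timedelta(hours=30)),   # window expired: new incident
    Alert("Sample Medium Rule (constructed)", "medium", "192.0.2.20", 40, T0),               # medium: alert only
]


def run_demo() -> IncidentStore:
    """Feed the sample alerts through, then close the first incident inside its
    8h resolution SLA and the second one outside it."""
    store = IncidentStore()
    for alert in SAMPLE_ALERTS:
        store.process_alert(alert)
    close_incident(store.incidents[0], T0 + timedelta(hours=5))
    close_incident(store.incidents[1], T0 + timedelta(hours=40))
    return store
```

Running run_demo() yields two incidents from four alerts: the second SYN-scan alert is absorbed by the 24-hour rule window even though its target differs, the medium alert never becomes an incident, and the KPIs come out at an MTTR of 7.5 hours with 50% SLA compliance because the second incident closed two hours past its 8-hour resolution deadline.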
Access Requirements
Incident Management requires the Respond (MDR) tier or above.