Incidents Classification Workflow

Description

Incidents can go through several phases:

  • Unclassified - The initial state of each new incident. The incident is considered unclassified until it's moved to Under Review or added to either the allowlist or the denylist. Unclassified incidents appear in the Unclassified incidents tab on the dashboard.
  • Under Review - An optional state in which the incident is marked for further inspection, to better assess whether its behavior is acceptable and should be allowed (i.e. moved to the allowlist) or should be prevented (i.e. moved to the denylist). Under Review incidents appear in the Incidents under review tab.
  • Classified - The incident has been added to either the allowlist or the denylist, and is no longer shown on the dashboard.

The Unclassified incidents tab displays only incidents that have not yet been classified.


The Incidents under review tab displays incidents that are currently being reviewed.


Workflow

Move an Incident to Under Review

When a script's behavior should be verified by a specific individual or team, the customer should click the relevant incident and choose Move to Incidents under review.


The Move to Incidents under review dialog window opens.
The customer can tag/label the incident, as well as share it with the relevant person or team via pre-configured integration channels (create a new JIRA issue, send a Slack message or an email).


The customer can choose an existing label or create a new one. Any new label is saved for future use.


The customer can then choose from the existing integrations.


When no integrations are configured, the customer can click Create your first integration to configure a new integration.


When ready, the customer can click the Move to Under review & share button.
The incident will be marked and can now be found in the Incidents under review tab.
The incident's labels and shared channels are displayed in the Under review column of the Incidents Per Host Domain table (or the Incidents Per Application table, if Application View is selected at the top).


Once the inspection is complete and there's a better understanding of the specific script’s behavior, the incident can safely be allowed or denied.

Add an incident to an allowlist

When a script's behavior is known and acceptable, the customer should click the relevant incident and choose Add to allowlist (don't show this incident again).


Upon approval, the actions corresponding to the allowed incident will be added to the allowlist and will appear on the Settings --> Allowlist page.

Add an incident to a denylist

When a script's behavior is not acceptable and should be prevented, the customer can click the relevant incident and choose "Add to denylist (block incident)".


Upon approval, the actions corresponding to the denied incident will be added to the denylist and will appear on the "Settings --> Mitigation" page.