Using the Incident Timeline Screen

Incident Timeline Screen

The Incident Timeline displays a more detailed view of a specific incident. As with the Incidents List and Incidents Screen, there are a variety of actions a user can take. To view this screen, the user must have Incidents View permissions enabled (see User Roles and Permissions).

Incident Timeline Overview

Button Description
Allows the user to rename the incident.
Allows the user to set a category for a specific incident or Manage categories.
Allows the user to change which of the incident's message events are displayed in the timeline. In Filtered mode, plugin responses, errors, and notes are displayed. In Verbose mode, all the incident's message events are displayed.
Allows the user to assign the incident to any user in the system with the Manage Incidents permission.
Assigns the incident to the current user. This button is only visible if the incident is not already assigned to the current user.
Marks the current user as a watcher of the incident if they are not currently watching.
Removes the current user as a watcher of the incident if they are currently watching.
If the incident status is not Waiting, this button allows the user to close the incident.
If the incident status is either Closed by User or Closed by Flow, this reopens the incident.
Expands the JSON message for easier viewing.
The Message column on top allows navigation between aggregated messages (related messages grouped together in a single incident).
Allows a user to reinject a message from the timeline.

Message Panel

The message panel on the right allows a user to view the raw JSON message, the Email message as sanitized HTML, or any files associated with the Incident's current message, when available. Additionally, next to each file name there are options for File Details, Downloading, and Deleting the file. A user may be prevented from viewing certain information on this panel via the Restricted Access Fields section of the Categories, Analyses, Incident & Timeline Configuration screen.

Associated Indicators of Compromise

The Associated Indicators of Compromise panel displays all IoCs associated with the specific incident and their trust level, if any exist. For each IoC, there are options to Copy the specific IoC identifier and Search for any other incidents containing the same IoC record.

Add Note

At the bottom of the page there is an input field for adding notes to the incident. The field supports GitHub Flavored Markdown (GFM) for entering richly formatted information.

Note Entry

Keyboard Shortcuts

There are various keyboard shortcuts for the incident timeline, including one for navigating between incident timelines. To view the keyboard shortcuts, press ?.

©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.