Incident Timeline Screen
The Incident Timeline displays a more detailed view of a specific incident. Like the Incidents List and Incidents Screen, there are a variety of actions a user can take. To view this screen, the user must have Incidents View permissions enabled (See User Roles and Permissions).
Incident Timeline Overview
|Allows the user to rename the incident.
|Allows the user to set a category for a specific incident or
|Allows the user to change which of the incident's message events are displayed in the timeline. In Filtered mode, plugin responses, errors, and notes are displayed. In Verbose mode, all of the incident's message events are displayed.
|Allows the user to assign the incident to any user in the system with the Manage Incidents permission.
|Assigns the incident to the current user. This button is only visible if the incident is not already assigned to the current user.
|Marks the current user as a watcher of the incident if they are not currently watching it.
|Removes the current user as a watcher of the incident if they are currently watching it.
|If the incident status is not Waiting, this button allows the user to close the incident.
|If the incident status is either Closed by User or Closed by Flow, this button reopens the incident.
|Expands the JSON message for easier viewing.
|The Message column at the top allows navigation between aggregated messages (related messages grouped together in a single incident).
|Allows a user to reinject a message from the timeline.
The message panel on the right allows a user to view the raw JSON message, the email message as sanitized HTML, or any files associated with the incident's current message, when available. Additionally, next to each file name there are options for viewing File Details, downloading the file, and deleting the file. A user may be prevented from viewing certain information on this panel via the Restricted Access Fields section of the Categories, Analyses, Incident & Timeline Configuration screen.
Associated Indicators of Compromise
The Associated Indicators of Compromise panel displays all IoCs associated with the specific incident and their trust level, if any exist. For each IoC, there are options to Copy the specific IoC identifier and Search for any other incidents containing the same IoC record.
At the bottom of the page there is an input field for adding notes to the incident. The field supports GitHub Flavored Markdown (GFM) for entering richly formatted information.
There are various keyboard shortcuts for the incident timeline, including one for navigating between incident timelines. To view keyboard shortcuts press