Incidents Classification Workflow

Description

Incidents can go through several phases:

• Unclassified - the initial state of each new incident. The incident is considered unclassified until it's moved to Under Review, or added to either the Allow list or Denylist. Unclassified incidents appear in the "Unclassified incidents" tab on the dashboard.
• Under Review - An optional state in which the incident can be marked for further inspection to better assess whether its behavior is acceptable and should be allowed (i.e. be moved to the Allow list) or should be prevented (i.e. be moved to the Deny list). Under Review incidents appear in the Incidents under review tab.
• Classified - The incident has been added to either the Allow list or Deny list, and is no longer shown on the Dashboard.

The Unclassified incidents tab displays only incidents that have not yet been classified.

The Under review incidents tab, displays incidents that are currently being reviewed.

Workflow

Move an Incident to Under Review

When a script's behavior should be verified by a specific individual or team, the customer should click the relevant incident and choose Move to Incidents under review:

The Move to Incidents under review dialog window opens.
The customer can tag/label the incident, as well as share it to the relevant person or team via pre-configured integration channels (create a new JIRA, send a Slack message or an email).

Choosing a label or creating a new one. Any new label is saved for future use:

Choosing from an existing integration:

When no integrations are configured, the customer can click Create your first integration to configure a new integration.

When ready, the customer can click the Move to Under review & share button.
The incident will be marked and can now be found in the Incidents under review tab.
The specific labels and shared channels of the incident are displayed under the Under review column in the Incidents Per Host Domain table (or Incidents Per Application table, if Application View is selected on the top).

Once the inspection is complete and there's a better understanding of the specific script’s behavior, the incident can safely be allowed or denied.

Add an incident to an allowlist

When a script's behavior is known and acceptable, the customer should click the relevant incident and choose Add to allowlist (don't show this incident again).

Upon approval, the actions corresponding to the allowed incident will be added to the allowlist and will appear on the Settings --> Allowlist page.

Add an incident to a denylist

When a script's behavior is not acceptable and should be prevented, the customer can click the relevant incident and choose "Add to denylist (block incident)".

Upon approval, the actions corresponding to the denied incident will be added to the denylist and will appear on the "Settings --> Mitigation" page.