Version: 5.3

Incident Card Overview

This article describes the structure and capabilities of the incident card.

General Description

Data in the card is divided into several sections (blocks). Below is a card with all possible blocks displayed:

The following provides a detailed breakdown of each block.


Main Block and Metadata

The main block contains:

  • Description
  • Additional Fields - fields from the search query
  • Details - fields from the incident card

If Inventory Module Integration is configured for the incident's additional fields, assets linked to the incident will be displayed in the main block as cards.

For example, the main information block below shows Inventory linkage by the ID field (with two values), where each value has a corresponding asset:

The Metadata block displays:

  • Incident ID
  • Name of the rule that generated the incident
  • Incident creation time
  • Additional information - list of notes mentioning this incident

Example of the Metadata block:


Inventory and Mitre ATT&CK Blocks

If Inventory Module Integration is configured for the incident's additional fields, assets linked to the incident will be displayed not only in the main block but also in the Inventory block - also as cards:

The Mitre ATT&CK block contains data about the linked Mitre object, if one exists:


The related incidents block is a table that is empty by default for incidents. Using the Add button, you can populate this table with data from another incident. Incidents are added by ID.

Table of related incidents

Incident linking works bidirectionally: the linked incident will also show a reference to the incident it's connected to.

If this functionality isn't needed, it can be disabled in the Module Settings section by turning off the Display in the Incident Card setting for the Related Incidents field:


History Block

The history tracks incident changes such as:

  • status changes
  • field modifications during editing
  • comments


Comments support markdown formatting.

To change an incident's status, click the status button and select the desired transition from the dropdown list.

Filters

The top section of the history block contains filters that allow selecting which data will be displayed:

Events — shows which fields or statuses were changed.

History block filtered by Events

Comments — displays added comments.

History block filtered by Comments

Actions — allows viewing the results of executed active actions (scripts).

History block filtered by Active Actions

By default, all filters are turned off, and all actions are displayed in the block. The filters are not mutually exclusive, so multiple filters can be used simultaneously to select the required data.

History block filtered by multiple filters

The number displayed next to each filter's name is the count of records that would be hidden if that filter were applied.

Filters

Add Comment

Comments are added within the history block. To add one, click the Add a comment... input field, located below the filter row.

Add a comment

After clicking, a text editor for adding a comment will open.

Markdown editor for adding a comment

The comment text editor has the following functions:

  • Selecting Headers — a dropdown menu allows choosing the header level
  • Text Formatting — bold, italic, text color, decoration (underline, strikethrough, superscript/subscript)
  • Lists — bulleted, numbered
  • Inserting Links — allows adding a link to the selected text via a dialog window or directly
  • Code Blocks — supports inserting formatted code blocks
  • Tables — creating and editing tables, including inserting and deleting rows and columns

At the bottom of the editor, there is a display mode toggle that allows switching to a text editing mode. In this mode, you can manually edit the Markdown text. This enables adding specific Markdown formatting features not represented by buttons in the visual editor.