Create a rule for an Incident Status


Article ID: 171345


Updated On:


Information Centric Analytics Data Loss Prevention Core Package


Use an Incident Status to impact a Risk Vector and a Risk Score by creating a Rule that is associated to a status.


Why would we add a rule to an Incident Status?

Adding a rule to an Incident Status will provide the machine learning and behavior analytics processes better review and it will learn from actioned incidents.  For example, if you have a rule configured for the Incident Status of Escalate that says if the Reason selected is 'Data is customer's own information' then the incident is marked with a Classification of Acceptable and Mitigation value of Mitigated.  Providing the values for either Classification or the Mitigation will do two things. 

1) It will save the end user time during the incident review process since they will not have to click on the Classify or the Mitigate buttons and select a value.  The DIM Remediation Action button selected where the status of Escalate was selected will do that for them. 

2) It provides more information when evaluating the DIM incidents to either include incidents or exclude incidents as part of the Risk Scoring process and evaluation of the Risk Vectors.


How do we add a rule to an Incident Status?

1) Go to Admin Settings -> Incident Settings

2) Find the Statuses section

3) Either click Create Status for a new status or select the edit icon next to an existing status

4) Select the default value for Classification and Mitigation for when the selected status is used

5) Click New Rule under Attribute Rules

6) Select whether you want to create a rule based on the selected Reason value or Resolution value

7) Select a value that will trigger the rule

8) Select a value for either Classification or Mitigation or both

9) Click Apply

Repeat the steps above for other combinations of Reason/Resolution options, Reason / Resolution values, and Classification and Mitigation values.