Incidents policy

Created:
August 17, 2023
Updated:
October 18, 2024

The incidents policy defines when an incident is triggered. When an event occurs, findings are discovered, and those findings are assigned to a severity category. The incident policy sets out the minimum number of findings within a severity category that is needed to trigger an incident. The following are the severity categories:

  • Information
  • Low
  • Medium
  • High
  • Critical 

Each severity category is independent of the others, meaning that an incident is triggered as soon as the minimum number is reached in any one severity category. The minimum number does not have to be reached in all categories. For instance, if you set an amount of 10 High, then an incident is triggered if at least ten findings with a severity of High are discovered in an event. Or, if you set an amount of 3 Critical, then an incident is triggered if at least three findings with a severity of Critical are discovered in an event, regardless of the amounts set in the other severity categories.

Note: Setting a severity amount to zero disregards that severity when deciding if an incident is triggered. For instance, if you set the number of medium severity findings to zero and an event discovers one or more medium severity findings, an incident will not be triggered (an incident will be triggered from that event if other findings are discovered that match the minimum requirement of a severity category).

Create an incident policy

1. Navigate to Posture Management in the FireTail platform and select the Incidents Policy tab to view the incidents policy.

2. Click Create Incident Policy.

3. Give the policy a Name.

4. In the Frequency field select a value from the dropdown. The frequency indicates how often the policy is checked to see if an incident should be triggered.

5. Select a value from the Period field. This sets how far back in time the policy check looks.

6. Enter the minimum number of findings into the required severity categories.

7. Notification Integration - Select the method in which you will receive your incident notification. Select a previously created integration from the dropdown, or click Create to create a new integration. Learn how to Customize notifications.

8. (Optional) Click Filters to apply filters to the incident policy. The available filters are:

  • API - the incident policy will be applied to the selected API or APIs.
  • App - the incident policy will be applied to the selected App or Apps.
  • Code - select a specific finding or findings.
  • Type - the type of finding:
    • API design based finding.
    • Actions based finding.
    • Log based finding.
    • Cloud configuration based finding.

9. Click Confirm.
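To make the evaluation rules above concrete (independent per-category minimums, zero disabling a category, the Period window, and the API and Type filters from step 8), here is an added illustration of how such a policy could be evaluated over a set of findings. It is example code written for this page, not FireTail's implementation; the `Finding` and `IncidentPolicy` classes, the field names and the sample findings are all constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Severity categories as listed in the policy description.
SEVERITIES = ("Information", "Low", "Medium", "High", "Critical")

@dataclass
class Finding:                  # hypothetical shape of a discovered finding
    severity: str
    api: str
    finding_type: str           # "api_design", "actions", "log" or "cloud_config"
    seen_at: datetime

@dataclass
class IncidentPolicy:           # hypothetical model of one incidents policy
    name: str
    period: timedelta           # how far back the policy check looks
    thresholds: dict            # severity -> minimum count; 0 disables that severity
    apis: set = field(default_factory=set)    # empty = no API filter
    types: set = field(default_factory=set)   # empty = no Type filter

    def evaluate(self, findings, now):
        """Return the severity categories that independently reached their minimum."""
        window_start = now - self.period
        counts = Counter()
        for f in findings:
            if not (window_start <= f.seen_at <= now):
                continue                                    # outside the Period
            if self.apis and f.api not in self.apis:
                continue                                    # API filter
            if self.types and f.finding_type not in self.types:
                continue                                    # Type filter
            counts[f.severity] += 1
        # A category with a minimum of 0 is disregarded; any other category
        # that reaches its minimum triggers on its own.
        return [sev for sev in SEVERITIES
                if self.thresholds.get(sev, 0) > 0 and counts[sev] >= self.thresholds[sev]]

NOW = datetime(2024, 10, 18, 12, 0, tzinfo=timezone.utc)

def sample_findings():
    """Constructed sample data: 3 fresh Critical, 5 fresh Medium, 10 stale High."""
    fresh, stale = NOW - timedelta(hours=1), NOW - timedelta(days=3)
    return ([Finding("Critical", "payments-api", "log", fresh)] * 3
            + [Finding("Medium", "payments-api", "log", fresh)] * 5
            + [Finding("High", "payments-api", "log", stale)] * 10)

# Period of one day, 3 Critical or 10 High triggers, Medium disabled (0), API filter applied.
POLICY = IncidentPolicy(name="prod-thresholds", period=timedelta(days=1),
                        thresholds={"Critical": 3, "High": 10, "Medium": 0}, apis={"payments-api"})
```

With the sample data only Critical triggers: the five Medium findings are ignored because that minimum is zero, and the ten High findings fall outside the one-day Period.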

Related topics