Skip to main content
McAfee Enterprise MVISION Cloud

Policy Incidents Page

The Incidents > Policy Incidents page is a central repository of all incidents that have violated Policies. All Services are consolidated in this page, or you can choose to view the violations occurring in just one Service. You can display Policy Incidents data in a Table view, or create a Chart view. It also provides easy access to filters, Saved Views, and allows you to schedule a report, and display policy details with a single click. 

To learn more about an incident, click to view Policy Incident Cloud Cards.

NOTE: This page replaces the Policy Violations page. 

Data Retention Update

The MVISION Cloud default data retention period has changed from 90 days to 100 days. Beginning with MVISION Cloud 5.0.2, the data retention policy (100 days or 12 months, if you purchased the 12-month data retention plan) is applied for the incidents displayed on the Policy Incidents summary and page. As a result, you may see fewer incidents displayed on the Policy Incidents pages compared to previous versions. Policy Incident retention policy is applied using the incident modified date.

Table View

The Policy Incidents page Table view is the default view. 

policy_incidents_page_5.4.2.png

The Policy Incidents page provides the following information and actions:

  • Search.  Search via the Omnibar. You can search for multiple incident IDs by entering a comma-separated query in the Omnibar.
  • Filters. Select options on the Filters tab to scope down your search. 
  • Views. Select the Views tab to use Saved Views created by you or shared with you by another user to reuse specified search parameters from a previous search on current data. 
  • Date Picker. Use the Date Picker to select a preset or custom date range in order to display data from only this date range.
  • Save View. Click to create a Saved View from your search query. 
  • Actions. Click Actions to:
    • Change Owner
    • Change Status
    • Delete Incidents. Select the checkbox(es) for incidents you want to delete. Then click Delete in the confirmation dialog. This action cannot be undone. Large requests may take a few moments to process.
    • Select Response
    • Create Report
      • Business Report (PDF). Create a PDF report and run it immediately, which then appears in the Report Manager
      • CSV. Create a CSV report and run it immediately, which then appears in the Report Manager
      • XLS.  Create an XLS report and run it immediately, which then appears in the Report Manager
      • Schedule. Schedule a report to run at a later time, which then appears in the Report Manager
    • Settings
      • Edit Table Columns. You can edit table columns and save your changes as a Saved View

NOTE: To create a Vulnerabilities Report, see Report - Vulnerabilities

Default table columns include:

  • Severity
  • Policy Name
  • Item Name
  • User Name
  • Incident Created On
  • Incident Response
  • Incident Status
  • Service Name
  • Instance Name

Other available table columns include:

  • Account ID
  • Account Name
  • Activity
  • CIS Level
  • Comments
  • Device ID
  • Device IP
  • Device Managed
  • Device Type
  • Event ID. When an event triggers multiple policies, and incidents are generated, the Event ID links all these incidents. If no Event ID is available, that means the incident was generated before MVISION Cloud 4.4.0, when this feature was introduced. 
  • External Collaborators. Note that after a policy action is performed, modified external collaborators are not shown in the column, only on the Cloud Card. 
  • External Collaborators Count
  • File Size
  • File Type
  • Incident ID
  • Incident Type
  • Incident Updated On
  • Internal Collaborators
  • Item Created On
  • Item Id
  • Item Modified On
  • Item Type
  • Malware Category Name
  • OS
  • Owner
  • Path
  • Quarantine Status
  • Remediation Response
  • Remediation Status
  • Resolution Action
  • Scan Name
  • Scan Run Date
  • Shared Link
  • Source
  • Total Match Count
  • User Agent
  • Vulnerabilities

Sanctioned Attributes. The Policy Incidents table columns may also reflect up to 10 mapped Sanctioned Attributes from Active Directory uploaded by Enterprise Connector. When mapped, you can also search for these Attributes using the Omnibar. But note, if the mapping changes, that will affect what you can see and do with these Attributes. For help mapping AD attributes, contact MVISION Cloud Support

When Multi-Instance Support is enabled, in the main table, the Service Name column is replaced with the Instance Name column, so that you can identify one instance from another. 

NOTE: In the Response column, Archived policy violations do not appear in table results unless you explicitly filter for them in the Omnibar. 

Policy Violation to Sanctioned DLP

On the Policy Incidents Summary and Policy Incidents page, the Incident Type filter label and Omnibar value Policy Violation is changed to Sanctioned DLP. For reports, the CSV and XLXS reports are not affected, however, PDF reports will reflect the new string name as PDF reports capture the screen as displayed.

Filter for Unassigned Incidents

To find incidents that have not been assigned to a user, under the Owner filter, click Unassigned

Filter for Unassigned Resolution Action

To find incidents that have not been assigned a Resolution Action, under the Resolution Action filter, click Unassigned

Policy Incident Cloud Card

Click any incident in the table to see the Cloud Card for that incident. 

NOTE: Some remediation steps require you to execute Microsoft Windows PowerShell commands. For details, see Execute Microsoft Windows PowerShell Commands

policy_incident_cloud_card_5.4.2.png

The Policy Incidents Cloud Card provides the following information:

  • ID
  • Severity
  • Service Name
  • Instance Name
  • Activity
  • Incident Created On
  • Last Updated
  • Last Response
  • User
  • CIS Level
  • Account ID
  • Account Name
  • What You Can Do
  • Owner. Select to assign an owner. 
  • Incident Response. Select to assign an Incident Response. 
    • User Email Notification. Select to send a User Email Notification to the user who caused the incident, select an Incident Status, and click Submit
      incident_response_user_email.png
    • Send Notification to...Select to send a notification to one or more comma-separated Email Addresses. Select the Email Template to use, then click Send Notification
      incident_response_send_notification_3.7.1.png
  • Incident Status. Select to assign an Incident Status. 
  • Resolution Action. Select to assign a Resolution Action. Custom Resolution Actions can be assigned on the Policy > Policy Settings > Incident Management tab. 
  • Content. Click the box arrows to open the details dialog. 
    • Item Name. The Click to Download option may be enabled. Contact Support for more information.  
    • Item Type
    • Path
    • Size
    • Folder ID. Supported for Box DLP incidents. If the violation is a file, it shows the immediate parent folder's ID. If the violation is a folder, it shows the immediate parent folder ID that contains the folder.
    • Item Created On
    • Content Matches Found. Allows you to find matches on content and content metadata such as author name, subject, and comments. For details see Enable Match Highlighting. Contact Support for more information. 
    • Shared Link
  • Collaborators. Click the box arrows to open the details dialog. External and Internal Collaborators are displayed on separate tabs. The collaborators which are not affected by any policy are listed in the  External and Internal Collaborators. To view the affected collaborators, see Modified Collaborators
    policy_incidents_details_collaborators_3.9.1.png
  • Scan.
    • Scan Name
    • Scan Run Date
    • Scan Run History. This option may be enabled to display details on the last five scans. Contact Support for more information. 
      • NOTE: This option is available for AWS only. 
  • Device Information
    • Device IP
  • User Details
    • User Group
      • NOTE: There is a limit of mapping 10 custom attributes and displaying 10 values per custom attribute. 
  • Notes. Enter a note for the incident and click Add. Each note added is visible separately below the Notes field. For notes that you have added, you can Edit or Delete them. For notes written by other users, you may only view them. The default limitation is 10 notes per incidents, and 300 characters per note. To use the Incident Notes feature, you must use your own Data Storage. You cannot use MVISION Cloud Data Storage. For details on configuration, see Data Storage
  • Incident History. Lists any changes made, (such as changed owner, status, response, or notes), the name of the user who made the change, and the time and date that change occurred. 

As an example, the Config Audit Policy Incident details are described below:
clipboard_e607571af680ab829a553953a2fe621d0.png

The Policy Incidents Cloud Card provides an additional option with the MITRE graph:

  • MITRE. Click Full View to view the detected tactics and techniques associated with this incident on the MITRE Dashboard.

Incident Activity Definitions

In the Policy Incident Cloud Card, the possible Activities are defined in the following table. 

Activity Definition
Created A new file or item was created. 
Email An email was sent. 
Enabled Shared Link A file or item was shared by creating a shared link on the item. 
Invited Collaborator Additional collaborators were added to the file or item. 
Message A message was sent on a collaboration application. 
Modified A file or item was modified in the service. 
Object An object in the structured app (such as Salesforce or ServiceNow) was modified. 
On-Demand Scan An On-Demand Scan was performed. 
Post A post in an application such as Chatter in Salesforce was made. 
Role Change of Collaborators The permissions for the collaborators on the file or item were changed. 
Unlocked A service's lock on the file or item was removed. 
Updated Shared Link The shared link on the file or item was updated. 
Uploaded A file or item was uploaded to the service. 

Modified Collaborators

Modified Collaborators shows the list of collaborators whose permissions are modified along with the response action while applying a policy on that collaboration. For example, Revoked Collaborator.

For more information on different collaborators, refer to DLP Policy Rules and Rule Groups.

policy_incidents_modified_collaborators.png

Chart View

To display your Policy Incidents data in a chart, click the Chart icon, under the Omnibar. 

policy_incident_chart_3_6_2.png

To display Policy Incidents data in a chart:

  1. Select an item from the Show list to determine the X-axis of your chart. 
  2. Select an item from the By list to determine the Y-axis of your chart. 
  3. In the Dimension By dialog, select All Data, select Top 10, or select up to 10 items from the list. Then click Done
    policy_incidents_summary_dimensions_3.7.1.png
  4. From the In a list, select the type of chart available: 
    • Trend. Line or vertical bar chart.
    • Breakdown. Donut or horizontal bar chart. 

Your data is displayed in the chart. 

To edit your chart's Dimension By data, click Edit.

  • Was this article helpful?