Creating a new incident

Follow the steps below to configure new incident profiles:

• Click the Endpoint Security tab. Go to Configuration > Settings > Incident Configuration.
• Click Create Incident in the top-right corner.
• Name the incident profile and include an appropriate description.
• Choose the source and severity level of the incident.

Tip: Choose a Source based on the endpoint you want to monitor.

• In the Criteria section, add filters as desired.

  Example: o report on all instances of sensitive data copied to USB devices in your environment, choose:

  • Users: All
  • Actions: Move
  • File Classification: Restricted and Confidential
• Use the Exclude option to exempt trusted users, groups, or files from that particular report.

Note: Configuration based on exclusion has higher priority than inclusion.

• Select Enable Threshold and specify the desired threshold value (e.g., "10 files moved in one minute").
• Choose the appropriate response strategy from the options available (e.g., "Block USB").
• Click Save.

Tip: You can globally exclude admin groups and other trusted entities from reports, alerts, and incidents by following these steps.