User Guide

Incident Hub

24.1.0

Incident Hub

The Incident Hub provides teams with a single location to view and manage incidents. A main component of the Incident Hub, by default, shows all of the active incidents in your infrastructure. This can be further refined by using filters.

From this page, you can:

  • Filter incidents

  • View incident details

  • Acknowledge an incident

  • Set an Incident Lead

  • Start maintenance

  • View Incident Solutions

  • Switch between Master tenant and Cross-tenant views

  • Perform other actions

These are further detailed in their respective sections below.

To go to the Incident Hub, select Incidents > All Incidents from the navigation menu.

Filter incidents

When you open the page, only the active incidents are displayed. You can scope the results to specific incidents using a variety of filtering options.

These filters are described in the following table.

Filter

Description

Time Range

Filter the results by time range.

Values:

  • All Incidents

  • Last 15 minutes

  • Last hour

  • Last 24 hours

  • Last 30 days

  • Custom

Duration

Filter the results by how long an incident has been occurring.

Values:

  • > 2 minutes

  • > 5 minutes

  • > 15 minutes

  • > 60 minutes

Status

Filter the results by the current status of an incident.

Values:

  • Active

  • Resolved

  • Both

Groups

Filter the results by instance group. Clicking the Groups filter will provide you with a list of all the instance groups in your infrastructure. Select a single group or All servers.

Metrics

Filter the results by metric. Click the Metrics filter to select one or more metrics to include in the results.

Incident Tags

Filter the results by Incident Tags.

Instance Tags

Filter the results by Instance Tags.

Severity

Filter the results by severity.

Values:

  • Critical

  • Warning

CounterMeasures Only

Selecting the CounterMeasures Only filter includes only incidents with active CounterMeasures.

Ack'd

Filter by the acknowledging user or by acknowledgement status.

Values:

  • Is

  • Is not

  • Is Ack'd

  • Is Unack'd

Lead

Filter by the Incident Lead or by lead assignment status.

Values:

  • Is

  • Is not

  • Is Assigned

  • Is Unassigned

To remove a filter, click x on the name of the applied filter. You can also clear all the filters you applied and revert to the default view (only the active incidents) by clicking Clear Filters.
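The filter semantics described above (active-only default, the Duration thresholds, the Ack'd and Lead rules, and acknowledging setting the Incident Lead) as a small constructed Python model. This is an added illustration, not FortiMonitor code or its API; the Incident fields, rule strings and sample incidents are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the Incident Hub filters above; not FortiMonitor code. Names are assumptions.
@dataclass
class Incident:
    incident_id: str
    started: datetime
    resolved: Optional[datetime] = None   # None while the incident is Active
    acked_by: Optional[str] = None
    lead: Optional[str] = None

    def acknowledge(self, user: str) -> None:
        # Acknowledging marks the incident with the user and makes them the Incident Lead.
        self.acked_by = user
        self.lead = user

def _user_rule(rule, value, set_word, unset_word):
    # Ack'd / Lead filter: set_word, unset_word, "Is <user>" or "Is not <user>"; None means no filter.
    if rule is None:
        return True
    if rule in (set_word, unset_word):
        return (value is not None) == (rule == set_word)
    if rule.startswith("Is not "):
        return value != rule[len("Is not "):]
    if rule.startswith("Is "):
        return value == rule[len("Is "):]
    raise ValueError(f"unknown rule: {rule!r}")

def filter_incidents(incidents, now, status="Active", min_minutes=None, ack=None, lead=None):
    # Filters combine with AND; the defaults reproduce "Clear Filters" (active incidents only).
    def matches(inc):
        current = "Resolved" if inc.resolved else "Active"
        open_for = (inc.resolved or now) - inc.started        # basis for the Duration filter
        return ((status == "Both" or current == status)
                and (min_minutes is None or open_for > timedelta(minutes=min_minutes))
                and _user_rule(ack, inc.acked_by, "Is Ack'd", "Is Unack'd")
                and _user_rule(lead, inc.lead, "Is Assigned", "Is Unassigned"))
    return [inc.incident_id for inc in incidents if matches(inc)]

# Constructed sample data: two active incidents and one resolved one.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Incident("inc-1", NOW - timedelta(minutes=20)),
    Incident("inc-2", NOW - timedelta(minutes=3)),
    Incident("inc-3", NOW - timedelta(hours=2), resolved=NOW - timedelta(hours=1)),
]
SAMPLE[0].acknowledge("alice")   # alice becomes Incident Lead on inc-1
```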

View incident details

Clicking an incident ID opens the incident's details page, which shows information that can help you find the root cause of the incident and track its status. See View incident details for more information.

Acknowledge an incident

Acknowledging an incident marks the incident with your username and also sets you as the Incident Lead. The following additional options are available:

  • Change the Incident Lead

  • Add a message to the incident log

  • Send a message to all configured users and integrations in the Alert Timeline

  • Delay further alerts for a set amount of time

  • Cancel all alerts

For more information, see Respond to an incident and delay further alerts.

To acknowledge one or more incidents, select the checkbox of the incident or incidents, then click Acknowledge.

You can also acknowledge a single incident by clicking the Acknowledge icon of an incident as shown below.

Set an Incident Lead

The Incident Hub makes it easier for you to see which incidents a team member is working on and which incidents are currently unassigned. Assigning an incident to a team member designates that team member as the Incident Lead. Also, note that the user who acknowledges an incident is automatically assigned as the Incident Lead.

To set an Incident Lead, perform the following steps:

  1. Select the Incident Lead icon of the incident that you want to assign.

  2. Select a FortiMonitor user to designate as the Incident Lead.

Start maintenance

To start maintenance on one or more affected instances, perform the following steps:

  1. Select the checkbox of the incident or incidents, then click Schedule Maintenance.

  2. From the options, select Immediate or Custom.

You can also start maintenance on a single incident by clicking the Schedule Maintenance icon of an incident as shown below.

View Incident Solutions

Incident Solutions provide a mechanism to document and disseminate the steps taken to respond to an incident, including details captured during triage and diagnosis phases and the steps to ultimately resolve the incident. For more information, see Incident Solutions.

Switch between Master tenant and Cross-tenant views

This option is for Multi-tenant accounts only.

If you are on a Master tenant account, you have the option to view and act on all of the incidents across your sub-tenants by selecting Cross-Tenant View.

Perform other actions

Additional actions can be performed on one or more incidents by clicking the 3-dot menu. These actions are detailed in the following table.

Action

Description

Escalate CMs

Immediately execute the next CounterMeasure action, bypassing the configured delay.

Delay CMs

Delay the next CounterMeasure action for a specified amount of time.

Escalate alerts

Immediately send an alert based on the next event, overriding the configured amount of time in the Alert Timeline.

Delay alerts

Postpone the next event on the Alert Timeline for a specified length of time.

Cancel alerts

Cancel subsequent alerts. No further alerts will be sent.

Exclude from Availability

Exclude one or more incidents from the availability calculation.
