What is an Incident?

Data Security identifies and sets the state and category for each incident discovered during the scanning of your assets. Incidents are triggered by explicit policies. An incident isn't the same as a data violation.
Data Security identifies incidents when it finds noncompliance with asset rules (whether default rules or custom rules) and security controls. The service detects these incidents by scanning all assets in your managed SaaS applications and matching the file and folder metadata, associated collaborators, and the content of the files against your active policy rules or the configuration.
An asset can trigger both an incident and a data violation.
For each incident, you can determine whether it indicates a regulatory noncompliance, or if it compromises the security of your proprietary data or intellectual property.
Examples of incidents include:
  • AWS keys that have not been rotated in 3 months.
  • Files that WildFire classified as malware.
  • Passwords that don't meet the minimum complexity requirements.
  • A document or folder containing sensitive data (such as credit card or social security numbers, secret code names, or source code) that is shared with an external user or contains a public link.
  • Assets users have shared with external domains or collaborators or are directly accessible through a public link or vanity URL.
  • Forwarding a corporate email containing sensitive data to a personal email domain.
Data Security enables you to assess and resolve such incidents, which include the following default Open and Closed categories:
You can't delete or rename default or custom categories.
Incident State: Open
Incident Category:
  • Data Security automatically assigns all incidents as New, meaning they need assessment. You can't manually assign an incident from another state to New.
  • The incident has been Assigned to another administrator. To assign incidents to another administrator, select an admin from Assigned To.
  • The incident investigation is In Progress, but not closed. The assigned administrator is actively working to assess and resolve the incident.
  • Pending action to take place before you can assess, investigate, or remediate the incident. The action can be information from an asset owner or a dependency on another stakeholder in your organization.

Incident State: Closed
Incident Category:
  • No Reason found for the reported incident.
  • Business Justified because an asset owner’s job responsibilities necessitate the specific user behaviors identified in the policy or because the incident was triggered as part of the testing you performed in the process of fine-tuning your policies.
  • Misidentified as a data pattern match or policy violation.
  • When an asset changes such that a policy violation no longer exists, Data Security closes the incident and assigns In The Cloud. You can't manually assign an incident from another state to In The Cloud.
  • When an asset is quarantined during automatic remediation, Data Security resolves this incident and assigns Aperture. You can't manually assign an incident from another state to Aperture.

Data Security was originally named Aperture. However, the SaaS Security web interface maintains this status to support any incidents with this status.
