What are Incidents?
Incidents are a new way to see connections between your alerts. When Qevlar finds that multiple alerts are related to the same underlying threat, it automatically groups them into an Incident, giving you a single view of the bigger picture.
For example, if an attacker is targeting several employees with the same phishing infrastructure, or suspicious file activity is recurring across the same host, Qevlar will group those alerts together so you can understand the full scope of the threat without having to piece it together manually.
Each alert in an Incident still receives its own individual investigation. Incidents add a layer on top, showing you which alerts belong together and why.
Where to Find Incidents
Navigate to the Investigations page and select the Incidents (Beta) tab. Here you will see a list of detected Incidents, each showing:
- A descriptive title summarising the grouped activity
- The severity levels and number of alerts in the Incident
- The time range across which the alerts occurred
- The client affected
Click Review on any Incident to open the detail view, which includes a summary of the detected activity and the full list of alerts that belong to the Incident.
Features
Incident Severity Score
Each incident is assigned a severity score that represents the threat's priority. The score is calculated using the following inputs:
- Qevlar Alert Severities for all alerts forming the Incident
- Threat prevention/mitigation status; the score is downgraded if all alerts have been mitigated (blocked, quarantined, etc.)
- Reach; the score is upgraded if a high number of users or devices are impacted
- Engagement; the score is upgraded if a user or device interacts with the threat, e.g. a user clicks on a URL
- Time between alerts:
  - Velocity: if multiple malicious alerts cluster in a short period (for example, more than 5 alerts in 1 hour), this is treated as increased urgency and likely ongoing or automated activity.
  - Span: if related malicious alerts extend across a prolonged period of time, the threat is treated as persistent and potentially a low-and-slow attack, which increases the score.
  - Recency: used to infer whether an incident is still active; scores are not downgraded simply because there is older associated activity.
Severity Levels
Incident severity scores should be interpreted as follows:
- INFORMATIONAL: noise, benign findings, or no meaningful security impact.
- LOW: limited scope, low risk, or early-stage threat activity with no confirmed harm.
- MEDIUM: meaningful malicious activity or exposure, contained scope or mitigated impact.
- HIGH: significant malicious activity, sensitive assets at risk, or active compromise indicators.
- CRITICAL: organization-wide or business-critical impact, confirmed major breach, ransomware, or imminent large-scale harm.
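To make the scoring inputs and the severity levels above concrete, here is an illustrative scoring model. It is an added example, not Qevlar's own algorithm: it turns the listed inputs (alert severities, mitigation status, reach, engagement, velocity, span, recency) into a 0-100 score and one of the five levels. Every weight and threshold in it is an assumption chosen for the example (the 20-point mitigation discount, the 10-entity reach threshold, the 7-day span, the 30-day staleness window, the level cut-offs); only the "more than 5 alerts in 1 hour" velocity rule comes from the page. The sample alerts are constructed.

```python
"""Illustrative incident severity scoring (added example, not Qevlar's algorithm).
All weights and thresholds are assumptions, except the velocity rule
"more than 5 alerts in 1 hour", which the documentation states."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set

# Assumed point value of the most severe alert; it sets the base score.
SEVERITY_POINTS = {"INFORMATIONAL": 0, "LOW": 20, "MEDIUM": 40, "HIGH": 60, "CRITICAL": 80}
# Assumed cut-offs mapping a 0-100 score onto the documented severity levels.
LEVEL_CUTOFFS = [(70, "CRITICAL"), (50, "HIGH"), (30, "MEDIUM"), (10, "LOW")]


@dataclass
class Alert:
    ts: datetime
    severity: str
    mitigated: bool = False                   # blocked / quarantined by a control
    engaged: bool = False                     # e.g. the user clicked the URL
    users: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)


@dataclass
class IncidentScore:
    score: int
    level: str
    active: bool          # recency verdict; it never lowers the score
    factors: List[str]    # human-readable reason for each adjustment


def has_burst(alerts: List[Alert], window=timedelta(hours=1), more_than=5) -> bool:
    """Velocity: True if any sliding window of `window` holds more than `more_than` alerts."""
    ts = sorted(a.ts for a in alerts)
    left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        if right - left + 1 > more_than:
            return True
    return False


def level_for(score: int) -> str:
    for cutoff, level in LEVEL_CUTOFFS:
        if score >= cutoff:
            return level
    return "INFORMATIONAL"


def score_incident(alerts: List[Alert], now: datetime, reach_threshold: int = 10,
                   span_threshold: timedelta = timedelta(days=7),
                   stale_after: timedelta = timedelta(days=30)) -> IncidentScore:
    if not alerts:
        raise ValueError("an incident needs at least one alert")
    factors = []
    score = max(SEVERITY_POINTS[a.severity] for a in alerts)
    # Mitigation: downgrade only when every alert was blocked or quarantined.
    if all(a.mitigated for a in alerts):
        score -= 20
        factors.append("all alerts mitigated (-20)")
    # Reach: distinct users and devices touched across the whole incident.
    impacted = set().union(*(a.users | a.devices for a in alerts))
    if len(impacted) >= reach_threshold:
        score += 10
        factors.append(f"reach {len(impacted)} entities (+10)")
    # Engagement: someone interacted with the threat.
    if any(a.engaged for a in alerts):
        score += 15
        factors.append("user engaged with threat (+15)")
    # Velocity and span are derived from alert timestamps alone.
    if has_burst(alerts):
        score += 10
        factors.append("burst: more than 5 alerts within 1 hour (+10)")
    first, last = min(a.ts for a in alerts), max(a.ts for a in alerts)
    if last - first > span_threshold:
        score += 10
        factors.append(f"span {(last - first).days} days, low-and-slow (+10)")
    # Recency only says whether the incident is still active; old activity is not penalised.
    active = (now - last) <= stale_after
    score = max(0, min(100, score))
    return IncidentScore(score, level_for(score), active, factors)


# Constructed sample data (not real alerts).
T0 = datetime(2024, 5, 1, 9, 0)
NOW_SOON = T0 + timedelta(days=2)
NOW_LATE = T0 + timedelta(days=60)


def sample_phishing_wave(mitigated=False, engaged=True) -> List[Alert]:
    """Six MEDIUM phishing alerts against six users within 40 minutes."""
    return [Alert(T0 + timedelta(minutes=m), "MEDIUM", mitigated=mitigated,
                  engaged=(engaged and m == 20), users={f"user{m}"})
            for m in (0, 5, 10, 20, 30, 40)]


def sample_low_and_slow() -> List[Alert]:
    """Three LOW alerts on the same host spread over 20 days."""
    return [Alert(T0 + timedelta(days=d), "LOW", devices={"srv-07"}) for d in (0, 10, 20)]


if __name__ == "__main__":
    for name, alerts, now in [("phishing wave", sample_phishing_wave(), NOW_SOON),
                              ("blocked wave", sample_phishing_wave(True, False), NOW_SOON),
                              ("low and slow", sample_low_and_slow(), NOW_LATE)]:
        r = score_incident(alerts, now)
        print(f"{name}: {r.score} {r.level} active={r.active} {r.factors}")
```

Running it shows the three behaviours the list describes: the unmitigated phishing wave with a click scores HIGH (base MEDIUM plus engagement plus velocity); the same wave fully blocked and without a click drops to MEDIUM, matching the "mitigated impact" wording of that level; and the three LOW alerts spread over 20 days are lifted to MEDIUM by span, while their age only flips `active` to False without touching the score.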
Early Access: What to Expect
Incidents is currently in Beta. This means:
- The feature is live and available for you to explore in the UI only
- It is still in the early stages of development and therefore may have a few issues and bugs
- Incident groupings may not always be perfect. You may see alerts grouped together that shouldn't be, or notice that related alerts are missing from an Incident.
- We are actively improving the grouping logic based on real world usage and your feedback.
- API availability will be added later
How to Provide Feedback
Your feedback is essential to improving Incident groupings. On every Incident detail page, you will find a Feedback option that lets you tell us whether the grouping is correct.
When you submit feedback, select all the reasons that apply:
- Real Incident — The Incident is valid and these alerts are correctly grouped together.
- Not a real Incident — These alerts are unrelated and should not be grouped together.
- Missing alerts — There are additional related alerts that should be part of this Incident but are not included.
- Contains unrelated alerts — Some alerts in this Incident do not belong here.
You can also add additional context in the free text field, for example specific Alerts that should be included or removed, or an explanation of why certain alerts do or do not belong together.
In addition to providing Incident level feedback via the "Review" button, you can also tell us which individual alerts belong to an Incident by selecting the ✅❌ options within the Incident Alerts table.
We review every piece of feedback to improve how Incidents are grouped. The more detail you can provide, the faster we can refine the experience.