Incident Overview

Incident Overview

The TSFA Incident Overview provides a centralized view of all TSFA Security incidents detected across your fleet. It enables administrators to monitor and export events efficiently from a single, organized workspace. To access this feature , got to Device Insights > TSFA Security.

About Incidents

Incidents provide visibility into events detected on devices. They are derived from device-generated events and are used for monitoring, analysis, and historical tracking.

In ThinkShield Firmware Assurance (TSFA), each incident, issue, or event is assigned a severity level that indicates its importance and helps prioritize actions for the affected device. The severity level is based on the event’s type and status. Events classified as normal are considered current and do not appear on the Incident page.

Relationship to events
TSFA devices continuously generate events. These events are:
  1. Processed to determine device security posture
  2. Surfaced as security incidents for visibility and reporting
Info
Security incidents do not affect how security posture is calculated. Posture is determined directly from event evaluation.


All Incidents Tab

The All incidents table displays current incidents with detailed information. 

Severity scale: 

  1. Normal: Expected event; not an incident; no action required.
  2. Low: Unexpected incident with minimal impact.
  3. Moderate: Unexpected incident with higher impact; also, the default for new or unknown events/statuses.
  4. High: Unexpected, serious issues; by default, includes intrusions and security violations.
The Summary column shows, for each incident, one of the event detail attributes. For more information, see Security Event Log Reference.

Incident Tray

Selecting an incident from the list displays the Incident tray on the right side of the screen. The tray shows key information about the incident, along with a detailed log.

Use the three-dot menu  to access the Inspect Device feature. Selecting this option takes you to LDO > Device Insights, where a detailed view of the selected device is displayed. For more information, see About Inspect Device.

Prevalence Incidents Tab

TSFA uses a prevalence model to identify rare device events across your fleet, such as unusual firmware updates, BIOS password changes, or long-inactive devices, highlighting potential risks that may require manual verification.

The model runs nightly, analyzing the previous day’s activity. It calculates event frequency across the fleet and classifies incidents as low frequency based on your organization’s thresholds. Only low-frequency events—those affecting a small percentage of devices—are flagged and displayed.
Only events identified as low frequency—those occurring on a small percentage of devices—are flagged and displayed.

Within Prevalence Incidents, you will find three sub-tabs:
  1. Last 24 Hours
  2. Last 7 Days
  3. Last 30 Days
Each sub-tab displays incidents that were flagged as low frequency within the selected timeframe. For more information, see Setting Up Prevalence Incident Thresholds in TSFA Settings.

Incident Prevalence Widget on Dashboard

This widget provides a quick summary of prevalent incidents. Fo rmore information, see Using the Dashboard in TSFA. 

Using Filters

Filtering the List by Severity Level

To filter by severity, click the arrow next to Severity and select the checkbox for the severity level.
Enter the name of a device or group.

Using the Filter  

  1. Select a filter criteria from the left pane, then refine your selection in the right pane.
  2. Click Show results.

Filtering by Incident Type

To filter by type of incident, click the small down arrow next to Incident type and select a check box.

Exporting a List of Incidents

To export a list of incidents in .CSV format:
  1. Click the Export icon
  2. Click Yes to confirm. 
  3. Save the file to your computer.




    • Related Articles

    • TSFA Settings

      Managing Incident Severity and Notifications Settings are available for Org Admins and IT Admins under Configurations & Settings > Organization Settings > TSFA Settings. It allows to customize alert preferences by incident severity: Low and higher, ...

    • Using the Dashboard in LDO

      The Dashboard is the home page of Lenovo Device Orchestration, providing an at-a-glance overview of the devices in your organization and related information. It consists of multiple widgets, each representing a different category of device ...

    • Device Status and Security Posture

      Device Status Device status indicates whether a device can be onboarded and used by TSFA. It reflects the device’s provisioning state and compatibility, not its security condition. Depending on its status, a device may be fully operational, require ...

    • Security Event Log Reference

      This document provides a structured overview of key security-related incidents logged by ThinkShield Firmware Assurance. Events are categorized based on their nature, severity, and potential impact. Each event includes a brief description, its ...

    • Overview of the Home Page

      Home Page When you log into the application, the Lenovo device Orchestration Home page displays a Dashboard which offers a quick overview of your organization’s devices and relevant details. In the top left corner of the page, next to the software’s ...