000033491 - Incident Status field and Aggregation in SecOps solution 1.x

Document created by RSA Customer Support Employee on Jul 6, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000033491
Applies To:
RSA Product Set: Security Management
RSA Product/Service Type: SecOps
RSA Version/Condition: 1.X
Platform: Windows
Issue: Aggregation of Security Alerts to Security Incidents stops functioning. Each Security Incident created only has 1 Security Alert and 1 Security Event.
Cause: The Incident Status field Values List in the Security Incident application was customized. A calculation was added to make the default value something other than "New."
The SecOps solution is designed to continue to aggregate Alerts to Incidents as long as the Incident is in a "New" status. If the Incident is no longer in a "New" status, this triggers a new Security Incident to be created.
Resolution: Ensure that the default value of the Incident Status field is always "New".