Security Analytics Incident Management consumes Alert data from various sources via the Message Bus and displays these alerts on the Security Analytics User Interface. The Incident Management service allows you to group the alerts logically and start an Incident response workflow to investigate and remediate the security issues raised.
The Incident Management service consumes alerts from the message bus and normalizes the data to a common format (while retaining the original data) to enable simpler rule processing. It periodically runs rules to aggregate multiple alerts into an incident and set some attributes of the Incident (for example, severity, category, and so on). The incidents are persisted into MongoDb by the Incident Management service. Incidents are also posted onto the message bus for consumption by other systems (for example, Archer integration).
Note: Alert records are persisted in MongoDb by the Incident Management service. In 10.4 and above, the instance of MongoDb is installed on one of the ESA hosts. ESA is a required component for Incident Management.
The following figure illustrates a high level data flow diagram:
You have to configure various sources from which the alerts are collected and aggregated by the Incident Management service.