Incident Management: Process

Document created by RSA Information Design and Development on Jul 27, 2016Last modified by RSA Information Design and Development on Jul 27, 2016
Version 2Show Document
  • View in full screen mode

Security Analytics Incidents module collects alerts from multiple sources and provides the ability to group them logically and start an Incident response workflow to investigate and remediate the security issues raised. Security Analytics Incidents module allows you to configure rules to automate the aggregation of Alerts into Incidents.  Alerts will be normalized by the system to a common format to provide users with a consistent view for the rule criteria regardless of the data source. You can build query criteria based on the alert data with the ability to query on fields that are common as well as specific to data sources.

The rule engine allows you to group similar alerts together into an Incident so that the investigation and remediation workflow can be shared across a set of similar alerts. You can create rules that can group alerts into incidents depending on a common value they share for one or two attributes (for example, source hostname) or if they are reported within a limited time window (for example, alerts that are within 4 hours of each other). 

If an alert matches a rule, an incident is created using the criteria. As new alerts are ingested, if an existing Incident was already created that matched those criteria, and that incident isn't "in progress" yet, the new alerts will continue to be added to the same incident.  If there is no existing incident for the grouped value (for example, the specific hostname) or the time window, a new incident will be created and the alert will be added to it. 

You can have multiple aggregation rules. The rules can either group alerts into Incidents or suppress alerts from being matched by any rule, hence the rules are ranked top-to-bottom and only the first rule to match an incoming alert is be used to include that alert in an incident. The Incidents provide a context for the alerts, provide tools to record the investigation status, and track the remediation progress.

Various stages in the Incident Management process are:

  • Review Alerts
  • Manage Incidents
  • Automate Incident Management process
  • Track the incident response through
    • Security Analytics UI
    • a third party helpdesk system
    • RSA Archer Breach management 

Incident Management Workflow Diagram

The figure depicts the incident management workflow process.


The Incident Management View

In Security Analytics menu, select Dashboard > Incidents. The various sections of the Incidents module are displayed.

The following figure depicts the Incidents module displayed in the Security Analytics user interface.


  1. Queue -  In the Incident Queue you can see a list of all incidents assigned and unassigned. You can filter incidents, view incident details, investigate incidents and track them to closure.
  2. Alerts - In the Alerts view you can see a list of alerts collected from various sources. You can browse through various alerts, filter them, and group them to create incidents.
  3. Remediation - In the Remediation view, you can see a list of all remediation tasks created for various incidents. You can manage and track the remediation tasks, and push them to helpdesk if required and track the incident to closure.
  4. Configure - In the Configuration view you can configure notification settings, third party system integration for incident management, set up aggregation rules to automate the incident management work flow for automatically creating incidents.
You are here: Incident Management Process