This procedure is useful when an analyst wants to browse alerts, select the ones that belong together, and create an incident that contains the selected alerts.
Note: Incidents can be created manually or automatically. An alert can be associated with only one incident. To create incidents automatically, you must create aggregation rules; these analyze the collected alerts and group them into incidents according to the rules they match. For details, see Create an Aggregation Rule.
To create an incident manually:

1. In the Security Analytics menu, select Incidents > Alerts.
   The All Alerts view is displayed.
2. Select one or more alerts in the alert details view in the bottom right half of the page.
   Note: The Create an Incident option is enabled only when every selected alert has no Incident ID; it is disabled if a selected alert is already part of an incident. To show only alerts that are not part of any incident, set Part of an Incident to No in the options panel.
3. Click Create an Incident.
   The Create Incident dialog is displayed.
4. Provide the following information:
   - Name - Type a name to identify the incident.
   - Summary - (Optional) Type a description for the incident.
   - Assignee - (Optional) Select an assignee to whom the incident is assigned.
   - Categories - (Optional) Select one or more categories to which the incident belongs.
   - Priority - Select a priority for the incident from the drop-down list: Critical, High, Medium, or Low.

The incident is saved and displayed in the Incidents > Queue > All Incidents view.
Note: If you assign the incident to yourself, the incident is also displayed in the Incidents > Queue > My Incidents view.
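The grouping rules above (an alert belongs to at most one incident, Create an Incident is enabled only for alerts with no Incident ID, Priority is restricted to four values, and assigned incidents also appear in My Incidents) as a small constructed model. This is an added illustration, not the Security Analytics API; the `Alert`, `Incident` and view names are assumptions chosen to mirror the text.

```python
"""Constructed model of the manual alert-to-incident grouping rules."""
from dataclasses import dataclass, field
from typing import Optional

PRIORITIES = ("Critical", "High", "Medium", "Low")  # the drop-down options


@dataclass
class Alert:
    alert_id: str
    incident_id: Optional[str] = None  # None == "Part of an Incident: No"


@dataclass
class Incident:
    incident_id: str
    name: str
    priority: str
    assignee: Optional[str] = None
    summary: str = ""
    categories: list = field(default_factory=list)
    alert_ids: list = field(default_factory=list)


def unassigned(alerts):
    """The 'Part of an Incident = No' filter from the options panel."""
    return [a for a in alerts if a.incident_id is None]


def create_incident_enabled(selected):
    """Option is enabled only if something is selected and nothing is already in an incident."""
    return bool(selected) and all(a.incident_id is None for a in selected)


def create_incident(selected, name, priority, incident_id, assignee=None, summary="", categories=None):
    """Create Incident dialog: Name and Priority are required, the rest optional."""
    if not create_incident_enabled(selected):
        raise ValueError("selection includes alerts already part of an incident")
    if not name:
        raise ValueError("Name is required")
    if priority not in PRIORITIES:
        raise ValueError(f"priority must be one of {PRIORITIES}")
    inc = Incident(incident_id, name, priority, assignee, summary, list(categories or []))
    for a in selected:
        a.incident_id = incident_id  # an alert is associated with exactly one incident
        inc.alert_ids.append(a.alert_id)
    return inc


def queue_views(incident, current_user):
    """Which Incidents > Queue views list this incident for the given analyst."""
    views = ["All Incidents"]
    if incident.assignee == current_user:
        views.append("My Incidents")
    return views
```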