
Investigate: Add Events to an Incident Dialog

Document created by RSA Information Design and Development Employee on Sep 18, 2017. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 26

In the Add Events to an Incident dialog, analysts can add alerts to an existing incident so that incident responders look at the associated events as part of an incident response. To access this dialog while investigating a service in the Events view and the Legacy Events view, see Add Events to an Incident in the Events View and Add Events to an Incident in the Legacy Events View.

Workflow

[Figure: high-level workflow for Create Incident dialog]

What do you want to do?

                                                               
| User Role | I want to ... | Show me how |
|---|---|---|
| Incident Responder or Threat Hunter | review detections and signals seen in my environment | NetWitness Platform Getting Started Guide |
| Incident Responder | review critical incidents or alerts | NetWitness Respond User Guide |
| Threat Hunter | query a service, metadata, and time range | Begin an Investigation in the Events View; Begin an Investigation in the Navigate or Legacy Events View |
| Threat Hunter | view metadata | Filter Results in the Navigate View; Drill into Metadata in the Events View (BETA) |
| Threat Hunter | view sequential events | Filter Results in the Events View; Filter Results in the Legacy Events View |
| Threat Hunter | reconstruct and analyze an event | Examine Event Details in the Events View; Reconstruct an Event in the Legacy Events View |
| Threat Hunter | examine files and associated hosts | Download Data in the Events View; Export or Print a Drill Point in the Navigate View; Export Events in the Legacy Events View |
| Threat Hunter | perform lookups | Look Up Additional Context for Results; Launch a Lookup of a Meta Key |
| Threat Hunter | create an incident or add to an incident* | Add Events to an Incident in the Legacy Events View; Add Events to an Incident in the Events View |
| Threat Hunter | add a meta value to a Context Hub list | Look Up Additional Context for Results |

*You can perform this task in the current view.

Quick Look

The following figure is an example of the Add Events to an Incident dialog in the Legacy Events view. The table describes the information and options in the Add Events to an Incident dialog.

[Figure: the Add Events to an Incident dialog]

                                           
| Feature | Description |
|---|---|
| Alert Summary | The Alert Summary field is filled by the query that produced the alerts you selected to create this incident. The Severity field reflects the severity of the selected alert, an integer between 1 and 100. |
| Search | Allows you to search for an existing event. |
| ID | The ID of the incident. You can sort IDs in ascending or descending order. |
| Name | The incident name. You can sort the Name in ascending or descending order. |
| Date Created | Displays the date and time the incident was created. You can sort the dates in ascending or descending order. |
| Priority | Displays the priority of the incident: either low or critical. |
| Cancel | Closes the dialog without saving changes. |
| Add to Incident | Adds the alerts to the incident. A dialog confirms that alerts are successfully added. |

 

The following figure is an example of the Add to Incident dialog in the Events view. The table describes the information and options in the Add to Incident dialog.

                                               
| Feature | Description |
|---|---|
| Alert Summary | The Alert Summary field is filled by the query that produced the alerts you selected to create this incident. |
| Severity | The Severity field reflects the severity of the selected alert, an integer between 1 and 100. |
| Search Open Incidents | Allows you to search for existing incidents. |
| ID | The ID of the incident. |
| Name | The incident name. |
| Created | Displays the date and time the incident was created. |
| Assignee | Displays the team member currently assigned to the incident. |
| Cancel | Closes the dialog without saving changes. |
| OK | Adds the alerts to the incident. A confirmation message is displayed after the incident is successfully added. |
