Investigate: Add Events to an Incident Dialog

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Apr 3, 2018.
Version 13
In the Add Events to an Incident dialog, analysts can add alerts to an existing incident so that incident responders look at the associated events as part of an incident response. To access this dialog while investigating a service in the Events view, select Incidents > Add to Existing Incident from the toolbar.

Workflow

Figure: High-level Investigate workflow with Create an Incident in Respond highlighted

What do you want to do?

| User Role | I want to ... | 11.1 Documentation |
|---|---|---|
| Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View |
| Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View |
| Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View |
| Threat Hunter | investigate endpoints (Version 11.1) | Investigate Hosts |
| Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files |
| Threat Hunter | scan files and events for malware | Conducting Malware Analysis |
| Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide |
| Threat Hunter or Incident Responder | add one or more events to an existing incident or to a new incident* | Add Events to an Incident for Response |

*You can perform this task in the current view.

Quick Look

The following figure is an example of the Add Events to an Incident dialog. The table describes the information and options in the Add Alerts to an Incident dialog.
This is the Add Events to an Incident dialog

| Feature | Description |
|---|---|
| Alert Summary | The Alert Summary field is filled in by the query that produced the alerts you selected to create this incident. The Severity field reflects the severity of the selected alert, an integer between 1 and 100. |
| Search | Allows you to search for an existing incident by ID or name. |
| ID | The ID of the incident. You can sort IDs in ascending or descending order. |
| Name | The incident name. You can sort names in ascending or descending order. |
| Date Created | Displays the date and time the incident was created. You can sort the dates in ascending or descending order. |
| Priority | Displays the priority of the incident: either low or critical. |
| Cancel | Closes the dialog without saving changes. |
| Add to Incident | Adds the alerts to the selected incident. A dialog confirms that the alerts were successfully added. |