
Investigate: Add Events to an Incident from the Events View

Document created by RSA Information Design and Development Employee on Sep 18, 2017. Last modified by RSA Information Design and Development Employee on Jan 30, 2020.
Version 19

When conducting an investigation in the Legacy Events view, you can select one or more events and create an incident that is available to incident responders in Respond. If access restrictions are in effect when you create an incident, you can view only the incidents to which you have access. For example, when creating incidents from the Investigate view, analysts must assign the incidents to themselves to view them in the Respond view. You can also add events to an existing incident in Respond to which you have access.

Note: An administrator must configure the required roles and permissions as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.

  1. Go to Investigate > Legacy Events.
  2. In the Legacy Events view, select one or more events, and then select Incidents > Create New Incident.
  3. Complete the information in the Create an Incident dialog.
    1. Select the severity, an integer between 1 and 100, with 100 being the most severe.
    2. Type a name for the incident and describe the incident in the Summary field.
    3. Select an assignee for the incident from the drop-down list. This list includes the built-in roles that have access to Respond as well as any custom roles that have been added to your system. For example, this list might include roles for admin, analyst, dpo, operator and roles for incident responders.
    4. From the Categories drop-down list, select one or more categories of alerts that apply to this incident.
    5. From the Priorities drop-down list, select a priority for the incident. For example, an incident may be critical, high, medium, or low priority.
    6. Click Save.
      The new incident is created and is available immediately in the incident queues for the selected role in Respond.
  4. To add one or more events to an existing incident, select the events, and then select Incidents > Add to Existing Incident.
  5. In the Add Events to an Incident dialog, select the severity, and select one or more incidents to which the events will be added. You can search for an existing incident by Incident-ID or Incident Name. When ready, click Add to Incident.
    The events are added to the selected incidents and updated in Respond.
