Investigate: Add Events to an Incident for Response

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Apr 25, 2019.
Version 17

When conducting an investigation in the Events view, you can select one or more events and create an incident that is available for incident responders in Respond. You can also add events to an existing incident in Respond to which you have access.

Note: An administrator must configure the required roles and permissions as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.

  1. Go to INVESTIGATE > Events.
  2. In the Events view, select one or more events, and then select Incidents > Create New Incident.
  3. Complete the information in the Create an Incident dialog.
    1. Select the severity, an integer between 1 and 100, with 100 being the most severe.
    2. Type a name for the incident and describe the incident in the Summary field.
    3. Select an assignee for the incident from the drop-down list. This list includes the built-in roles that have access to Respond as well as any custom roles that have been added to your system. For example, this list might include roles for admin, analyst, dpo, operator and roles for incident responders.
    4. From the Categories drop-down list, select one or more categories of alerts that apply to this incident.
    5. From the Priorities drop-down list, select a priority for the incident. For example, an incident may be critical, high, medium, or low priority.
    6. Click Save.
      The new incident is created and is available immediately in the incident queues for the selected role in Respond.
  4. To add one or more events to an existing incident, select the events, and then select Incidents > Add to Existing Incident.
  5. In the Add Events to an Incident dialog, select the severity, and select one or more incidents to which the events will be added. You can search for an existing incident by Incident-ID or Incident Name. When ready, click Add to Incident.
    The events are added to the selected incidents and updated in Respond.
