When conducting an investigation in the Events view, you can select one or more events and create an incident that is available for incident responders in Respond. You can also add events to an existing incident in Respond to which you have access.
- Navigate to the Events view using one of the methods described in Examining Events.
- In the Events view, select one or more events, and then select Incidents > Create New Incident.
- Complete the information in the Create an Incident dialog.
  - Select the severity, an integer between 1 and 100, with 100 being the most severe.
  - Type a name for the incident and describe the incident in the Summary field.
  - Select an assignee for the incident from the drop-down list. This list includes the built-in roles that have access to Respond as well as any custom roles that have been added to your system. For example, this list might include roles for admin, analyst, dpo, operator and roles for incident responders.
  - From the Categories drop-down list, select one or more categories of alerts that apply to this incident.
  - From the Priorities drop-down list, select a priority for the incident. For example, an incident may be critical, high, medium, or low priority.
- Click Save.
The new incident is created and is available immediately in the incident queues for the selected role in Respond.
- To add one or more events in the Events view to an incident, select the events, and then select Incidents > Add to Existing Incident.
- In the Add Events to an Incident dialog, select the severity, and select one or more incidents to which the events will be added. You can search for an existing incident by Incident-ID or Incident Name. When ready, click Add to Incident.
The events are added to the selected incidents and updated in Respond.