When conducting an investigation in the Legacy Events, you can select one or more events and create an incident that is available for incident responders in Respond. When you create an incident, if access restrictions are in effect, you can view only incidents to which you have access. For example, when creating incidents from the Investigate view, analysts must assign the incidents to themselves to view them in the Respond view. You can also add events to an existing incident in Respond to which you have access.
- Go to Investigate > Legacy Events.
- In the Legacy Events view, select one or more events, and then Incidents > Create New Incident.
- Complete the information in the Create an Incident dialog.
- Select the severity, an integer between 1 and 100, with 100 being the most severe.
- Type a name for the incident and describe the incident in the Summary field.
- Select an assignee for the incident from the drop-down list. This list includes the built-in roles that have access to Respond as well as any custom roles that have been added to your system. For example, this list might include roles for admin, analyst, dpo, operator and roles for incident responsers.
- From the Categories drop-down list, select one of more categories of alerts that apply to this incident.
- From the Priorities drop-down list, select a category for the incident. For example, an incident may be critical, high, medium, or low priority.
- Click Save.
The new incident is created and is available immediately in the incident queues for the selected role in Respond.
- To add one or more events to an incident, select one or more events, and then Incidents > Add to Existing Incident.
- In the Add Events to an Incident dialog, select the severity, and select one or more incidents to which the events will be added. You can Search for an existing incident by Incident-ID or Incident Name. When ready, click Add to Incident.
The events are added to the selected incidents and updated in Respond.