Investigate: Create an Incident Dialog

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Apr 3, 2018. Version 13.

In the Create an Incident dialog, analysts can create an incident from selected events in the Events view. The incident is then available to incident responders working in Respond.

To access this dialog, while investigating a service in the Investigation > Events view, select Incidents > Create New Incident from the toolbar.

Workflow

Figure: High-level Investigate workflow, with Create an Incident in Respond highlighted.

What do you want to do?

User Role | I want to ... | 11.1 Documentation
Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View
Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View
Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View
Threat Hunter | investigate endpoints (Version 11.1) | Investigate Hosts
Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files
Threat Hunter | scan files and events for malware | Conducting Malware Analysis
Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide
Threat Hunter or Incident Responder | add one or more events to an existing incident or to a new incident* | Add Events to an Incident for Response

Related Topics

Quick Look

The following figure is an example of the Create an Incident dialog; its features are described in the table that follows.

Figure: The Create an Incident dialog.

Feature | Description
Create Summary from These Events | The Alert Summary field is filled in from the query that produced the selected alerts from which you are creating this incident. The Severity field reflects the severity of the selected alert, an integer between 1 and 100.
Name | (Required) Specifies a name that identifies the incident. In the example, the name is Sample Incident. Provide a name that clearly identifies the nature of the events that will be added to this incident.
Summary | (Optional) Specifies a description for the incident. A good summary clearly identifies the incident for other analysts and responders.
Assignee | (Optional) Assigns the incident to a user in the SOC. Clicking Assignee opens a drop-down list of the user names of SOC personnel who respond to incidents.
Categories | (Optional) Identifies the categories to which the incident belongs. Clicking Categories opens a drop-down list of incident categories and subcategories, from which you can select one or more. Categories fall into these major groups: Environmental, Error, Hacking, Malware, Misuse, and Social.
Priority | Identifies the priority of the incident. Clicking Priority opens a drop-down list of priorities: Critical, High, Medium, or Low.
Cancel | Closes the dialog without saving changes.
Save | Saves the incident and closes the dialog. A message confirms that the incident was created successfully.