Respond Config: Incident Rules List View

Document created by RSA Information Design and Development on Mar 2, 2018
Last modified by RSA Information Design and Development on Mar 27, 2018
Version 3
 

The Incident Rules List View enables you to create and manage incident rules for automating the incident creation process. NetWitness Suite provides preconfigured rules. You can add to and adjust these rules for your own environment.

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

What do you want to do?

                       
RoleI want to ...Show me how
Analyst, Content Expert, SOC ManagerCreate or edit an incident rule.Step 3. Enable and Create Incident Rules for Alerts
Incident Responders, Analysts, Content Experts, SOC ManagerView the results of my incident rule (View Detected Threats).See "Responding to Incidents" in the NetWitness Respond User Guide.

Incident Rules List View

To access the Incident Rules List view, go to CONFIGURE > Incident Rules.

The Incident Rules List view consists of a list and a series of buttons.

Incident Rules List

The following table describes the columns in the Incident Rules list.

                                               
ColumnDescription

Move Up and Down icon

Enables you to change the priority order of the rules. Use the drag pad (Drag pad icon) in front of a rule to move it up and down in the list.

Select

Enables you to select a rule in order to take an action, such as Clone or Delete.

OrderShows the order in which the rule is placed. The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If two rules match an alert, only the rule with the highest priority is evaluated.
EnabledShows whether the rule is enabled or not.
The specifies that the rule is enabled. The Not Enabled icon specifies that the rule is not enabled.
NameDisplays the name of the rule with a hyperlink. If you click the link, it opens the Rule Details view, where you can edit the rule.
DescriptionDisplays the description of the rule.
Last MatchedDisplays the time when an alert was successfully matched with the rule. This value is reset once a week.
Matched AlertsDisplays the number of matched alerts. This value is reset once a week.
To change the setting, see Set Counter for Matched Alerts and Incidents.
IncidentsDisplays the number of incidents created by the rule. This value is reset once a week. To change the setting, see the Set Counter for Matched Alerts and Incidents.
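
The rule-order behavior described for the Order column can be modeled as first-match-wins evaluation, which means a broad rule placed above a narrower one keeps the narrower rule's Matched Alerts count at zero. The following Python code is an added example, not NetWitness code; it reports enabled rules that are shadowed in this way. The Rule class, the alert fields (source, severity), the rule names, and the assumption that rules that are not enabled are skipped are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    name: str                        # constructed name, not a shipped rule
    enabled: bool
    matches: Callable[[dict], bool]  # stand-in for the rule's match criteria
    matched_alerts: int = 0          # plays the role of the Matched Alerts column

def evaluate(rules: list, alert: dict) -> Optional[Rule]:
    """Walk the list top-down; the first enabled matching rule takes effect."""
    for rule in rules:
        # Assumption: a rule that is not enabled is skipped.
        if rule.enabled and rule.matches(alert):
            rule.matched_alerts += 1
            return rule
    return None

def shadowed(rules: list, alerts: list) -> list:
    """Names of enabled rules whose criteria matched an alert but never took effect."""
    for rule in rules:
        rule.matched_alerts = 0
    could_match = set()
    for alert in alerts:
        could_match.update(r.name for r in rules if r.enabled and r.matches(alert))
        evaluate(rules, alert)
    return [r.name for r in rules if r.name in could_match and r.matched_alerts == 0]

def sample_rules() -> list:
    broad = Rule("Any high-severity alert", True, lambda a: a["severity"] >= 50)
    specific = Rule("Critical alert from sensor-a", True,
                    lambda a: a["source"] == "sensor-a" and a["severity"] >= 90)
    return [broad, specific]  # broad rule sits above the specific one

# Constructed alerts; field names and values are illustrative only.
ALERTS = [
    {"source": "sensor-a", "severity": 95},
    {"source": "sensor-a", "severity": 60},
    {"source": "sensor-b", "severity": 70},
]

if __name__ == "__main__":
    rules = sample_rules()
    print("shadowed as ordered:", shadowed(rules, ALERTS))
    rules.reverse()  # same effect as dragging the specific rule to the top
    print("shadowed after reorder:", shadowed(rules, ALERTS))
```

A rule that stays at zero Matched Alerts while a rule above it keeps counting is a candidate for being moved up the list with the drag pad.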

Incident Rules Actions

The following table shows the operations that can be performed on the Incident Rules list.

                           
Action

Description

Create Rule buttonAllows you to add a new rule.
Delete buttonAllows you to delete a rule.
Clone buttonAllows you to duplicate a rule.
Name hyperlinkAllows you to edit a rule.
