Respond Config: Incident Rules List View

Document created by RSA Information Design and Development on Mar 2, 2018Last modified by RSA Information Design and Development on Sep 11, 2018
Version 4Show Document
  • View in full screen mode

The Incident Rules List View enables you to create and manage incident rules for automating the incident creation process. NetWitness Platform provides preconfigured rules. You can add to and adjust these rules for your own environment.

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

What do you want to do?

RoleI want to ...Show me how
Analyst, Content Expert, SOC ManagerCreate or edit an incident rule.Step 3. Enable and Create Incident Rules for Alerts
Incident Responders, Analysts, Content Experts, SOC ManagerView the results of my incident rule (View Detected Threats).See "Responding to Incidents" in the NetWitness Respond User Guide.

Related Topics

Quick Look

To access the Incident Rules List view, go to CONFIGURE > Incident Rules.

Incident Rules List

The Incident Rules List view consists of a list and series of buttons.

Incident Rules List

The following table describes the columns in the Incident Rules list.


Move Up and Down icon

Enables you to change the priority order of the rules. Use the drag pad (Drag pad icon) in front of a rule to move it up and down in the list.


Enables you to select a rule in order to take an action, such as Clone or Delete.

OrderShows the order in which the rule is placed. The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If two rules match an alert, only the rule with the highest priority is evaluated.
EnabledShows whether the rule is enabled or not.
The specifies that the rule is enabled. The Not Enabled icon specifies that the rule is not enabled.
NameDisplays the name of the rule with a hyperlink. If you click the link, it opens the Rule Details view, where you can edit the rule.
DescriptionDisplays the description of the rule.
Last MatchedDisplays the time when an alert was successfully matched with the rule. This value is reset once a week.
Matched AlertsDisplays the number of matched alerts. This value is reset once a week.
To change the setting, see Set Counter for Matched Alerts and Incidents.
IncidentsDisplays the number of incidents created by the rule. This value is reset once a week. To change the setting, see the Set Counter for Matched Alerts and Incidents.

Incident Rules Actions

The following table shows the operations that can be performed on the Incident Rules list.



Create Rule buttonAllows you to add a new rule.
Delete buttonAllows you to delete a rule.
Clone buttonAllows you to duplicate a rule.
Name hyperlinkAllows you to edit a rule.


Previous Topic:Configure View
You are here
Table of Contents > NetWitness Respond Configuration Reference > Incident Rules List View