Add Events to an Incident in the Events View
When conducting an investigation in the Events view, you can select one or more events and create an incident from them that is then available to incident responders in Respond. If access restrictions are in effect, you can view only incidents to which you have access. For example, when creating incidents from the Investigate view, analysts must assign the incidents to themselves to view them in the Respond view. You can also add events to an existing incident in Respond to which you have access.
An administrator must configure the respond-server.incident.manage and investigate-server.incident.manage roles and permissions. For more information, see "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.
- Go to Investigate > Events.
- In the Events view, select one or more events.
- Click Create Incident.
The Create Incident dialog is displayed. Complete the information in the Create Incident dialog.
- Select the severity. The alert summary field is a pre-defined value which is auto-populated but can be edited if required.
- Select the tactics from the MITRE ATT&CK Tactics drop-down list. After selecting the tactics, you will be presented with the option to choose the appropriate techniques.
- Select the techniques from the MITRE ATT&CK Techniques drop-down list.
- Type a name for the incident in the Incident Name field.
- From the Priority drop-down list, select a priority for the incident. For example, an incident may be critical, high, medium, or low priority.
- Select an assignee for the incident from the drop-down list. This list includes the built-in users that have access to Investigate as well as any custom users that have been added to your system. For example, this list might include users for admin, analyst, dpo, operator, and users for incident responders.
- From the Categories drop-down list, select one or more categories of events that apply to this incident.
- Click OK.
An incident is created with the selected event in .
- To add one or more events to an existing incident, select one or more events, and then click Add to Incident.
- In the Add to Incident dialog, select the alert summary and severity, and select one or more open, existing incidents to which the events will be added. You can search for an existing incident by Incident ID or Incident Name. When ready, click OK. The events are added to the selected incidents and updated in Respond.