Create an Incident Dialog
In the Create an Incident dialog, analysts can create an incident from selected events in the Events view. The incident is then available to incident responders working in Respond.
To access this dialog, while investigating a service in the Investigate > Events view, select Incidents > Create New Incident from the toolbar.
Workflow
What do you want to do?
User Role | I want to ... | Show me how |
---|---|---|
Incident Responder or Threat Hunter | review detections and signals seen in my environment | NetWitness Platform Getting Started Guide |
Incident Responder | review critical incidents or alerts | NetWitness Respond User Guide |
Threat Hunter | query a service, metadata, and time range | Begin an Investigation in the Events View; Begin an Investigation in the Navigate or Legacy Events View |
Threat Hunter | view metadata | |
Threat Hunter | view sequential events | |
Threat Hunter | reconstruct and analyze an event | |
Threat Hunter | examine files and associated hosts | Download Data in the Events View |
Threat Hunter | perform lookups | |
Threat Hunter | create an incident or add to an incident* | |
Threat Hunter | add a meta value to a Context Hub list | |

*You can perform this task in the current view.
Related Topics
Quick Look
The following figure is an example of the Create an Incident Dialog, and the features are described in the table.
Feature | Description |
---|---|
Create Summary from These Events | The Alert Summary field is filled in from the query that produced the alerts you selected to create this incident. The Severity field reflects the Severity of the selected alert, an integer between 1 and 100. |
Name | (Required) Specifies a name to identify the incident. In the example, the name is Sample Incident. Provide a name that clearly identifies the nature of the events that will be added to this incident. |
Summary | (Optional) Specifies a description for the incident. A good summary clearly identifies the incident for other analysts and responders. |
Assignee | (Optional) Assigns the incident to a user in the SOC. Clicking Assignee opens a drop-down list showing the user names of SOC personnel who respond to incidents. |
Categories | (Optional) Identifies the categories of the incident. Clicking Categories opens a drop-down list of incident categories and subcategories. You can select one or more categories to which the incident belongs. Categories fall into these major groups: Environmental, Error, Hacking, Malware, Misuse, and Social. |
Priority | Identifies the priority of the incident. Clicking Priority opens a drop-down list of priorities: Critical, High, Medium, or Low. |
Cancel | Closes the dialog without saving changes. |
Save | Saves the incident and closes the dialog. A message confirms that the incident was created successfully. |
The following figure is an example of the Create an Incident Dialog in the Events view. The table describes the information and options in the Add to Incident dialog.
Feature | Description |
---|---|
Alert Name | (Required) Specifies a name to identify the alert. In the example, the name is Manual alert for All Data. Provide a name that clearly identifies the nature of the events that will be added to this incident. |
Severity | The Severity field reflects the Severity of the selected alert, an integer between 1 and 100. |
MITRE ATT&CK Tactics | Displays the tactics associated with the alert, for example Credential Access. The Credential Access tactic covers attempts to steal account names and passwords. |
MITRE ATT&CK Techniques | Displays the type of techniques and sub-techniques associated with the tactics. |
Incident Name | (Required) Specifies a name to identify the incident. Provide a name that clearly identifies the nature of the events that will be added to this incident. |
Priority | Identifies the priority of the incident. Clicking Priority opens a drop-down list of priorities: Critical, High, Medium, or Low. |
Assignee | (Optional) Assigns the incident to a user in the SOC. Clicking Assignee opens a drop-down list showing the user names of SOC personnel who respond to incidents. |
Categories | (Optional) Identifies the categories of the incident. Clicking Categories opens a drop-down list of incident categories and subcategories. You can select one or more categories to which the incident belongs. Categories fall into these major groups: Environmental, Error, Hacking, Malware, Misuse, and Social. |
Cancel | Closes the dialog without saving changes. |
Ok | Saves the incident and closes the dialog. A message confirms that the incident was created successfully. |