Create an Incident Dialog

In the Create an Incident dialog, analysts can create an incident from selected events in the Events view. The incident is then available to incident responders working in Respond.

To access this dialog, while investigating a service in the Investigate > Events view, select Incidents > Create New Incident from the toolbar.



What do you want to do?

| User Role | I want to ... | Show me how |
|---|---|---|
| Incident Responder or Threat Hunter | review detections and signals seen in my environment | NetWitness Platform Getting Started Guide |
| Incident Responder | review critical incidents or alerts | NetWitness Respond User Guide |
| Threat Hunter | query a service, metadata, and time range | Begin an Investigation in the Events View; Begin an Investigation in the Navigate or Legacy Events View |
| Threat Hunter | view metadata | Filter Results in the Navigate View; Drill into Metadata in the Events View |
| Threat Hunter | view sequential events | Filter Results in the Events View; Filter Results in the Legacy Events View |
| Threat Hunter | reconstruct and analyze an event | Examine Event Details in the Events View; Reconstruct an Event in the Legacy Events View |
| Threat Hunter | examine files and associated hosts | Download Data in the Events View; Export or Print a Drill Point in the Navigate View; Export Events in the Legacy Events View |
| Threat Hunter | perform lookups | Look Up Additional Context for Results; Launch a Lookup of a Meta Key |
| Threat Hunter | create an incident or add to an incident* | Add Events to an Incident in the Legacy Events View; Add Events to an Incident in the Events View |
| Threat Hunter | add a meta value to a Context Hub list | Look Up Additional Context for Results |

*You can perform this task in the current view.

Related Topics

Quick Look

The following figure is an example of the Create an Incident Dialog, and the features are described in the table.

(Figure: the Create an Incident dialog, shown with the example incident described in the table below.)

| Feature | Description |
|---|---|
| Create Summary from These Events | The Alert Summary field is filled by the query that produced the alerts you selected to create this incident. The Severity field reflects the Severity of the selected alert, an integer between 1 and 100. |
| Name (Required) | Specifies a name to identify the incident. In the example, the name is Sample Incident. Provide a name that clearly identifies the nature of the events that will be added to this incident. |
| Summary (Optional) | Specifies a description for the incident. A good summary clearly identifies the incident for other analysts and responders. |
| Assignee (Optional) | Assigns the incident to a user in the SOC. Clicking Assignee opens a drop-down list showing the user names of SOC personnel who respond to incidents. |
| Categories (Optional) | Identifies the categories of the incident. Clicking Categories opens a drop-down list of incident categories and subcategories. You can select one or more categories to which the incident belongs. Categories fall into these major groups: Environmental, Error, Hacking, Malware, Misuse, and Social. |
| Priority | Identifies the priority of the incident. Clicking Priority opens a drop-down list of priorities: Critical, High, Medium, or Low. |
| Cancel | Closes the dialog without saving changes. |
| Save | Saves the incident and closes the dialog. A message confirms that the incident was created successfully. |