6.3 Escalating Alerts to an Incident

After adequately investigating an alert, you may determine that there is a serious problem and that the alert needs further investigation by a security analyst. You can escalate such alerts by creating an incident, without losing the work you have already done as part of the alert investigation.

You must have one of the following permissions to escalate alerts to an incident:

  • Create incidents, add events, and escalate alerts to incidents

  • Create, modify, and execute actions on assigned incidents

  • Manage all aspects of incidents: create, modify, and delete

In multi-tenancy environments, only users in the default tenant can escalate alerts to incidents.

You can escalate alerts either to an existing incident or to a new incident. When you select the option to escalate alerts to an existing incident, Sentinel lists the existing incidents.

By default, Sentinel displays 500 incidents in the list. To configure the number of incidents you want to view by default, see Configuring the Number of Incidents to be Listed in the Incidents List in the Sentinel Administration Guide.

Sentinel sorts the list of incidents by their relevance to the selected alerts. The relevance score helps you identify the appropriate incident quickly instead of scrolling through the entire list of incidents. The relevance score ranges from 0 to 100; the higher the score, the more relevant the incident is to the selected alerts. Incidents with the following properties have a higher relevance score:

  • The incident name matches the name of any of the selected alerts.

  • The incident already contains alerts whose names match the names of any of the selected alerts.

  • The incident name matches the name of any of the selected alerts, and the incident also contains alerts whose names match the names of any of the selected alerts.

Sentinel considers only the first 50 selected alerts to calculate the relevance score.
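The ordering described above can be illustrated with a small ranking model. This is an added example, not Sentinel's own code or scoring formula: the tiers (name match, contained-alert match, both) and the cap of 50 scored alerts follow the text, while the 50-point weight per criterion, the case-insensitive comparison and the sample incidents are assumptions.

```python
from dataclasses import dataclass, field

MAX_SCORED_ALERTS = 50  # only the first 50 selected alerts are considered


@dataclass
class Incident:
    id: int
    name: str
    alert_names: list = field(default_factory=list)  # alerts already in the incident


def relevance_score(incident: Incident, selected_alert_names: list) -> int:
    """Return a 0..100 score; the 50 points per criterion are an assumption."""
    considered = {n.casefold() for n in selected_alert_names[:MAX_SCORED_ALERTS]}
    name_match = incident.name.casefold() in considered
    contains_match = any(a.casefold() in considered for a in incident.alert_names)
    # both criteria -> 100, one criterion -> 50, neither -> 0
    return 50 * name_match + 50 * contains_match


def rank_incidents(incidents: list, selected_alert_names: list) -> list:
    """Highest relevance first; ties are broken by incident id for a stable list."""
    return sorted(incidents,
                  key=lambda inc: (-relevance_score(inc, selected_alert_names), inc.id))


# Constructed sample data, not taken from a real Sentinel deployment.
# 51 selected alerts: "Late Alert" is the 51st and therefore never scored.
SELECTED_ALERTS = ["Brute Force Login"] + [f"Noise {i}" for i in range(49)] + ["Late Alert"]
INCIDENTS = [
    Incident(1, "Unrelated Outage"),
    Incident(2, "Brute Force Login", ["Port Scan"]),          # name match only
    Incident(3, "Credential Attack", ["Brute Force Login"]),  # contained-alert match only
    Incident(4, "Brute Force Login", ["Brute Force Login"]),  # both criteria
    Incident(5, "Late Alert", ["Late Alert"]),                # matches only the 51st alert
]

if __name__ == "__main__":
    for inc in rank_incidents(INCIDENTS, SELECTED_ALERTS):
        print(f"{relevance_score(inc, SELECTED_ALERTS):3d}  #{inc.id} {inc.name}")
```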

When you escalate alerts to an incident, Sentinel attaches the events that triggered the alert, asset details, and alert comments to the incident. By default, Sentinel attaches 25 trigger events per alert to the incident. To configure the number of trigger events to be attached to the incident, see Configuring the Number of Alert Trigger Events to be Attached with the Incident in the Sentinel Administration Guide.

After you escalate an alert, Sentinel changes the alert state to Closed. If you want to escalate the same alerts to a different incident, you can re-open the alerts and escalate them to that incident. However, you cannot re-escalate the same alerts to the same incident. If there are additional trigger events for alerts that were already escalated and you want to add those events to the same incident, open the alert trigger events in the search pane and add the additional trigger events to the existing incident. For more information, see Adding Events to an Incident.

To escalate an alert to an incident:

  1. (Conditional) If you are using the Threat Response dashboard, click a number or graph to display a table of alerts.

  2. (Conditional) If you are using the Sentinel Main interface, complete the following:

    1. Click Real-time Views > Alert Views.

    2. Select the desired alert view and click the Open the alert view icon.

  3. Select the alerts you want to escalate, and click Escalate.

    NOTE: You cannot escalate alerts that are in the Closed state.

  4. Specify the reason for escalation.

  5. (Conditional) To verify whether there’s an existing incident for the selected alerts, click Select an existing incident, select the relevant incident, and click Escalate.

  6. (Conditional) If there is no matching incident for the selected alerts, or you want to create a new incident, click Create a new incident.

    Sentinel populates the default values for the incident based on the selected alert. If you selected more than one alert, Sentinel populates the incident values based on the first alert you selected.

    Specify the required information, and click Escalate. For more information about the incident parameters, see Creating Incidents.

    NOTE: If you try to escalate the same alerts to the same incident again, an error is displayed and the Escalate button is disabled. Click Cancel to cancel the escalation and escalate the alerts to a different incident.

    For more information about viewing and managing incidents in the Sentinel Control Center, see Managing Incidents.