In Sentinel, a set of related events (for example, a possible attack) can be grouped together to form an Incident. An Incident in the “open” state alerts you to investigate, resolve, and close the incident. For example, the resolution to an attack might be to close a port, block a source IP, or rebuild a machine.
Incidents can be created:
Manually, by a security analyst monitoring incoming data or querying past data.
Automatically, as a result of a correlation rule being triggered. For more information, see the “Correlation Tab” section.
In the Incidents Tab, you can:
Manage Incident Views
Manage Incidents
Switch between existing Incident Views
NOTE: You need to have appropriate permissions to access this tab. Only an Administrator has controls to enable/disable access to the features of Incidents for a user.