15.2 Creating Incidents

Creating an incident groups a set of events into a single unit that represents something of interest: either a group of similar events, or a set of different events that together indicate a pattern of interest, such as an attack.

If events do not appear immediately in a newly created incident, the likely cause is a lag between an event being displayed in the Real Time Events window and its insertion into the database. In that case, the original events can take a few minutes to be inserted into the database and to appear in the incident.

NOTE: It is possible to create an incident that does not contain any events. Events can always be added to an incident later.

  1. In a Real Time Event Table of the Visual Navigator or a Snapshot Real Time Event Table, right-click an event or a group of events and select Create Incident.

    The Incident window contains the following tabs:

    • Events: Shows the events that make up the incident.

    • Assets: Shows the affected assets.

    • Vulnerability: Shows vulnerabilities related to the affected assets.

    • Advisor: Shows attack and alert information for the affected assets.

    • iTRAC: Use this tab to assign an iTRAC process to the incident.

    • History: Shows the history of the incident.

    • Attachments: Use this tab to attach any document or text file containing information pertinent to the incident.

    • Notes: Use this tab to record general notes about the incident.

  2. In the Create Incident dialog box, provide the following information:

    • Title

    • State

    • Severity

    • Priority

    • Category

    • Responsible

    • Description

    • Resolution

  3. Click Create. The incident is added to the Incidents page of the Sentinel Control Center.

To perform this procedure, you must have the user permission to create incidents.