To perform this function you must have user permission to create incidents.
This is useful for grouping a set of events together as a whole that represents something of interest (a group of similar events, or a set of different events that indicate a pattern of interest, such as an attack).
If events are not initially displayed in a newly created incident, it is probably because of a lag between their display in the Real Time Events window and their insertion into the database. If this occurs, it takes a few minutes for the original events to be inserted into the database and displayed in the incident.
To create an incident:
In a Real Time Event Table of the Navigator or a Snapshot Real Time Event Table, select an event or a group of events, then right-click and select
.In the New Incident window, fill in the necessary information in the following tabs:
Events: Shows which events make up the incident
Assets: Shows affected assets
Vulnerability: Shows related asset vulnerabilities
Advisor: Asset attack and alert information
iTRAC: Under this tab, you can assign a WorkFlow (iTRAC)
History: Incident history
Attachments: You can attach any document or text file with pertinent information to this incident
Notes: You can specify any general notes regarding this incident.
In the Create Incident dialog box, specify:
Title
State
Severity
Priority
Category
Responsible
Description
Resolution
Click
. The incident is added under the tab of the Sentinel Control Center.