12.3 Managing Incidents

12.3.1 Viewing an Incident

  1. Click Incidents in the Sentinel Control Center.

    For more information, see Section 12.1, Accessing Incidents.

  2. From the menu, click Incidents > Display Incident View Manager.

    or

    Click the Display Incident View Manager button in the toolbar.

  3. Select the desired Incident in the Incidents View window.

When you view an Incident, you see the tabs listed below, where you can perform Incident-related activities. As you investigate and remediate an Incident, you can add information to these tabs.

Events: Lists events attached to this Incident. For more information, see Section 2.5.4, Creating an Incident.

Assets: Lists assets affected by the events of this Incident.

Vulnerability: Lists asset vulnerabilities.

Advisor: Displays Asset attack and alert information.

iTRAC: Allows you to add a workflow to the Incident.

History: Lists the activities performed on the current Incident.

Attachments: Allows you to add an attachment to the Incident created in the system.

Notes: Allows you to add notes to the Incident.

12.3.2 Attaching Workflows to Incidents

  1. In the Incidents View window, select the desired Incident.

  2. Click the iTRAC tab.

  3. Select a workflow from the iTRAC process drop-down list.

    For more information about workflows, see Section 13.0, Configuring iTRAC Workflows.

  4. Click Save.

    You can attach only one workflow to an Incident.

12.3.3 Adding Attachments to Incidents

  1. In the Incidents View window, select the desired Incident.

  2. Click the Attachments tab, then click Add.

  3. Click Browse, then navigate to the attachment and select it.

  4. Specify the required information, or accept the default entries.

  5. Click OK, then click Save.

You can right-click the attachment to view it or save it to your local hard drive.

12.3.4 Adding Notes to Incidents

  1. In the Incidents View window, select the desired Incident.

  2. Click the Notes tab, then click Add.

  3. Specify your notes, then click OK.

  4. Click Save to update the Incident.

    To edit or delete a note, right-click it in the Notes tab of the Incident window, then select edit or delete.

12.3.5 Executing Incident Actions

Any configured JavaScript action or iTRAC activity can be executed on an Incident.

  1. In the Incidents View window, select the desired Incident.

  2. In the menu, click Action > Execute Incident Action.

    or

    Click the Execute Incident Action button.

  3. Select an Action or click the Add Action button to create a new one.

  4. Click Execute.

    If the action is a JavaScript Action, a window opens to show the progress of the action.

  5. To add the command output to the Incident, click the Attach to Incident button.

    The action output is saved and can be viewed from the Attachments tab of the Incident.

12.3.6 E-mailing an Incident

To e-mail an Incident using the preinstalled E-mail Incident action, you must have an SMTP Integrator configured with valid connection information and with the property SentinelDefaultEMailServer set to “true”. For more information, see the SMTP Integrator documentation available at the Sentinel Plug-in Web site.

  1. In the Incidents View window, select the desired Incident.

  2. Click the Email Incident icon.

  3. Specify the required information.

  4. Select which HTML attachments should be included in the mail message: the events included in the incident, assets, vulnerabilities, Advisor attacks, incident history, attachments, and notes.

  5. Click OK.