Creating an incident is useful for grouping a set of events together as a whole that represents something of interest (a group of similar events, or a set of different events that indicate a pattern of interest, such as an attack).
If events are not initially displayed in a newly created incident, the likely cause is a lag between their display in the Real Time Events window and their insertion into the database. In that case, it might take a few minutes for the original events to be inserted into the database and displayed in the incident.
NOTE: It is possible to create an incident that does not contain any events. Events can always be added to incidents.
In a Real Time Event Table of the Visual Navigator or a Snapshot Real Time Event Table, right-click an event or a group of events and select .
The Incident Window has the following tabs:
Events: Shows which events make up the incident.
Assets: Shows affected assets.
Vulnerability: Shows related asset vulnerabilities.
Advisor: Shows asset attack and alert information.
iTRAC: Use this tab to assign an iTRAC process.
History: Shows the incident history.
Attachments: Use this tab to attach any document or text file with pertinent information to this incident.
Notes: Specify any general notes regarding this incident.
In the Create Incident dialog box, provide the following information:
Title
State
Severity
Priority
Category
Responsible
Description
Resolution
Click Create. The incident is added to the Incidents page of the Sentinel Control Center.
To create an incident, you must have user permission to create incidents.