Creating Incidents

Creating incidents is the process of registering and documenting important events and the results of correlation rules. Incidents can be created automatically using the "Create Incident" feature or manually by users, depending on the specific situation and necessity.

Creating Using "Create Incident"

To create an incident using the "Create Incident" feature:

  1. Add this action in the Active Actions section in the task editor.

  2. In the "Create Incident" action parameters, fill in the fields:

  • Incident Name - a brief name that identifies the incident in the general list
  • Criticality - the importance level of the incident
  • Workflow - the workflow process
  • Incident Description - a detailed description of the incident; the editor supports Github Flavored Markdown
  • Detail Type - the format of additional information
    • Search - a search query with an event or additional information about the incident
    • Link - a link to additional information, such as documentation
  • Detail - a search query or URL providing additional information
  • Launch Settings - settings for launching the active action
    • Do not launch for each result - creates one incident even if the search returns multiple results
  • Additional Fields - customizable fields defined in the module settings
  • Fields from Search Results - key-value pairs from the search task results
  • Local Parameters - key-value pairs of local and global tokens for dynamic data substitution
  3. Save the search task.
  4. When the search task results are received, the incident will be displayed in the Incident Manager.
Useful Information

To learn more about how search tasks and active actions work, go to the Job Scheduler section.
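To show how the action parameters above combine with search results, here is an illustrative model of the "Create Incident" action added for this page. It is not the product's own code: the `{{token}}` substitution syntax, the `per_result` switch and the sample search rows are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Illustrative model of the "Create Incident" action, written for this page (not the
# product's code); the {{token}} syntax for local parameters is an assumption.
TOKEN = re.compile(r"\{\{(\w+)\}\}")
@dataclass
class Incident:
    name: str
    criticality: str
    workflow: str
    description: str
    detail_type: str   # "search" or "link"
    detail: str
    fields: dict = field(default_factory=dict)

def substitute(template: str, values: dict) -> str:
    # Replace each {{token}}; unknown tokens stay untouched so nothing is silently dropped
    return TOKEN.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)

def create_incidents(params: dict, results: list, local_params: dict,
                     per_result: bool = True) -> list:
    # per_result=False models "Do not launch for each result": a single incident
    rows = results if per_result else results[:1]
    incidents = []
    for row in rows:
        values = {**local_params, **row}   # search-result fields override local tokens
        fields = {k: row[k] for k in params["result_fields"] if k in row}
        if not per_result:
            fields["result_count"] = len(results)
        incidents.append(Incident(
            name=substitute(params["name"], values),
            criticality=params["criticality"],
            workflow=params["workflow"],
            description=substitute(params["description"], values),
            detail_type=params["detail_type"],
            detail=substitute(params["detail"], values),
            fields=fields))
    return incidents

# Constructed sample input: two rows returned by a search task, plus local tokens.
SEARCH_RESULTS = [{"src_ip": "10.0.0.5", "user": "alice", "hits": 12},
                  {"src_ip": "10.0.0.9", "user": "bob", "hits": 3}]
LOCAL_PARAMS = {"rule": "brute-force-login", "analyst": "soc-l1"}
PARAMS = {"name": "{{rule}}: {{user}} from {{src_ip}}", "criticality": "High",
          "workflow": "default", "detail_type": "search",
          "detail": "src_ip={{src_ip}} AND user={{user}}",
          "description": "{{hits}} failed logins; assigned to {{analyst}}",
          "result_fields": ["src_ip", "user"]}
```

With the default launch setting the two sample rows yield two incidents; with `per_result=False` they yield one, carrying the total result count as an additional field.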

Creating Manually

To create an incident manually:

  1. Go to the Incident Manager.
  2. Click the Create Incident button. A modal window with incident parameters will appear.

In this window, you need to fill in the following fields:

  • Main fields:
    • Incident Name - the name of the incident displayed in the general list of incidents
    • Incident Description - a description that is displayed in the general list when the incident details are expanded
  • Mandatory fields:
    • Severity - the importance level of the incident
    • Reviewer - the employee or group of employees responsible for resolving the incident and its consequences
  • Additional Information - additional information about the incident
  3. Click the Save button. After clicking the button, the created incident will be displayed in the general list.