Version: 6.0

Creating Incidents

Incident creation refers to the process of logging and documenting significant events and correlation rule outputs. Depending on operational needs, incidents may be created either automatically (via the "Create Incident" function) or manually by authorized users.

Creating an Incident Using the "Create Incident" Active Action in the Job Scheduler

To create an incident using the Create Incident active action in the Job Scheduler, follow these steps:

  1. Navigate to the Job List (Main Menu - Job Scheduler - Job List)

  2. Click the Create button to create a new task

  3. Fill in the main task fields, including Name, Search, and Duration of the lock. An example of the task settings is shown in the image below:

(Image: example task settings)

  4. Add the Create Incident active action to the task and fill it out. Information on filling out the main fields of the active action is available in the section Creating an Incident. An example configuration of the Create Incident active action is shown in the image below:

(Image: example Create Incident active action configuration)

  5. Save the search task by clicking the Save button at the top or bottom of the interface

The incident created as a result of the task execution will be displayed in the Incident Manager.

Useful Information

To learn more about how search tasks and active actions work, go to the Job Scheduler section.


Creating Manually

To create an incident manually:

  1. Go to the Incident Manager

  2. Click the Create Incident button. A modal window with the incident parameters will appear:

(Image: Create Incident modal window)

The set of fields shown is defined by the incident card. By default, each incident contains the following fields:

  • Workflow - the process according to which work on the incident will be carried out

Basic fields:

  • Incident Type - the type of the incident, which determines the set of fields shown in the Additional Information section

  • Incident name - the name of the incident displayed in the general list of incidents

  • Incident description - a description shown in the general list when the incident details are expanded

  • Index Suffix - an optional suffix for the index in which the incident will be stored

Required fields:

  • Severity - the importance level of the incident

  • Comment - an explanatory comment for the incident

  • Reviewer - the employee or group of employees responsible for resolving the incident and its consequences

  3. Click the Create Incident button. The created incident will then appear in the general list.