Incident management

EventLog Analyzer helps you streamline the process of managing and investigating security incidents. You can track the status of security incidents by navigating to the Alerts tab → Incident.

Viewing and editing incidents

In the Incident page, you can view the list of all incidents in your network along with crucial information such as the assignee, status, and severity. You can click on any incident to view and edit the incident's name, description, assignee, status, and severity. The Evidence and Notes tabs display the list of evidence and notes attached to an incident. The Activity Logs page records and displays the events pertaining to the creation, modification, and deletion of incidents, so that changes to an incident can be audited.

The incident page displays details such as the age of the incident, who created it, and when it was created. The Actors widget contains the list of users, entities, services, and processes responsible for the incident to help the assignee quickly investigate the incident and take remedial action.


Steps to create an incident

You can create an incident in EventLog Analyzer by navigating to the Alerts tab → Incident → +Add Incident.

You can view the incident creation event being logged in the Activity Logs pane.


Additionally, you can create incidents in EventLog Analyzer by mapping triggered alerts as incidents or by configuring incident rules, as described below.

Steps to map alerts as incidents

In EventLog Analyzer, you can map a triggered alert as an incident, assign a security technician to respond to the incident, and track its status by following the steps given below:

You can also add an alert as evidence to an incident by selecting the alert, clicking on the +Add to Incident button, and selecting the required incident from the list displayed. The alert can now be viewed under the Evidence tab of the selected incident.


Configuring incident rules

You can configure incident rules for devices, device groups, and alert profiles so that an incident is created automatically when a specified number of alerts is triggered within a specified time span. Choose the threshold and time span to match the alert profile's normal rate: too low a threshold floods the incident list with noise, too high a threshold lets a slow burst of alerts go unescalated.
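To make the "N alerts within T seconds" semantics concrete, the following is an added example written for this page; it is not EventLog Analyzer's own code and does not use its API. It models an incident rule as a sliding window per device and alert profile, attaches the contributing alerts as evidence, and resets the window after an incident opens so that one burst of alerts produces one incident instead of one per extra alert. The Alert, IncidentRule and Incident types, the sample alert records, and the assumption that alerts arrive in timestamp order are all constructed for the illustration.

```python
"""Sliding-window incident rule evaluator (illustrative, not product code).

Rule semantics modelled: open an incident when `threshold` alerts for the
same device and alert profile fire within `window` seconds. Alerts are
assumed to be fed in timestamp order (a constructed assumption).
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Alert:
    ts: float          # seconds since epoch (constructed sample timestamps)
    device: str
    profile: str       # alert profile name that triggered the alert
    alert_id: int


@dataclass
class IncidentRule:
    profile: str                          # alert profile the rule applies to
    threshold: int                        # number of alerts needed
    window: float                         # time span in seconds
    devices: Optional[frozenset] = None   # None = any device, else a device group


@dataclass
class Incident:
    device: str
    profile: str
    opened_at: float
    evidence: list = field(default_factory=list)   # alert_ids that met the rule


class IncidentRuleEngine:
    """Keeps one window of recent matching alerts per device."""

    def __init__(self, rule: IncidentRule) -> None:
        self.rule = rule
        self._windows: dict = defaultdict(deque)
        self.incidents: list = []

    def _applies(self, alert: Alert) -> bool:
        if alert.profile != self.rule.profile:
            return False
        if self.rule.devices is not None and alert.device not in self.rule.devices:
            return False
        return True

    def ingest(self, alert: Alert) -> Optional[Incident]:
        """Feed one alert; return the Incident it opened, or None."""
        if not self._applies(alert):
            return None
        window = self._windows[alert.device]
        window.append(alert)
        # Evict alerts that fell out of the sliding window.
        cutoff = alert.ts - self.rule.window
        while window and window[0].ts < cutoff:
            window.popleft()
        if len(window) >= self.rule.threshold:
            incident = Incident(alert.device, alert.profile, alert.ts,
                                [a.alert_id for a in window])
            self.incidents.append(incident)
            # Reset after firing: without this, every further alert in the
            # burst would re-satisfy the threshold and open another incident.
            window.clear()
            return incident
        return None


# Constructed sample alerts: two bursts of failed logons on web01, one lone
# failed logon on db01, and an unrelated alert profile that must be ignored.
SAMPLE_ALERTS = [
    Alert(0,    "web01", "Failed logon",    1),
    Alert(30,   "web01", "Failed logon",    2),
    Alert(60,   "db01",  "Failed logon",    3),
    Alert(90,   "web01", "Failed logon",    4),   # 3rd in 300s -> incident
    Alert(100,  "web01", "Service stopped", 9),   # different profile, ignored
    Alert(400,  "web01", "Failed logon",    5),   # alone, ages out later
    Alert(720,  "web01", "Failed logon",    6),
    Alert(750,  "web01", "Failed logon",    7),
    Alert(1000, "web01", "Failed logon",    8),   # 3 within 300s -> incident
]


def run_sample() -> list:
    """Apply a '3 failed logons within 300 s' rule to the sample alerts."""
    engine = IncidentRuleEngine(IncidentRule("Failed logon", threshold=3, window=300))
    for alert in sorted(SAMPLE_ALERTS, key=lambda a: a.ts):
        engine.ingest(alert)
    return engine.incidents


if __name__ == "__main__":
    for inc in run_sample():
        print(f"{inc.device}: {inc.profile} at t={inc.opened_at}, evidence={inc.evidence}")
```

Note the evidence list for the second incident does not include alert 5: it fired more than 300 seconds before alert 6 and was evicted from the window. Restricting the rule to a device group is a matter of passing `devices=frozenset({...})`; alerts from other devices are then ignored rather than counted.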

Steps to create an incident rule


You can view and edit the existing incident rules by navigating to the Alerts tab → Incident → Incident Rule and clicking on the required incident rule.
