EventLog Analyzer helps you streamline the process of managing and investigating security incidents.. You can track the status of security incidents by navigating to the Alerts tab → Incident.
Viewing and editing incidents
In the Incident page, you can view the list of all incidents in your network along with crucial information such as the assignee, status, and severity. You can click on any incident to view and edit the incident's name, description, assignee, status, and severity. The Evidence and Notes tab display the list of evidence and notes attached to an incident. The Activity Logs page records and displays the events pertaining to the creation, modification, and deletion of incidents.
The incident page displays details such as the age of the incident, who created it, and when it was created. The Actors widget contains the list of users, entities, services, and processes responsible for the incident to help the assignee quickly investigate the incident and take remedial action.
Steps to create an incident
You can create an incident in EventLog Analyzer by navigating to the Alerts tab → Incident → +Add Incident.
- In the Incident page, enter a name and description for your incident in the respective fields.
- Select the assignee, severity, and status of your incident from the respective drop-down menus.
- Click on Create.
You can view the incident creation event being logged in the Activity Logs pane.
Additionally, you can create incidents in EventLog Analyzer by:
Steps to map alerts as incidents
In EventLog Analyzer, you can map a triggered alert as an incident, assign a security technician to respond to the incident, and track its status by following the steps given below:
- Navigate to the Alerts tab.
- Select the alert for which you want to create an incident.
- Click on the +Add to Incident button present at the top of the alerts table and click on the +Add New Incident option to create a new incident.
- Enter the name and description of the incident.
- Select the assignee, status, and severity of the incident from the respective drop-down menus.
- Click on Create.
You can also add an alert as evidence to an incident by selecting the alert, clicking on the +Add to Incident button, and selecting the required incident from the list displayed. The alert can now be viewed under the Evidence tab of the selected incident.
Configuring incident rules
You can configure pre-defined incident rules for devices, device groups, and alert profiles to automatically create incidents when a specific number of alerts get triggered within a specified time span.
Steps to create an incident rule
- Navigate to the Alerts tab → Incident → Incident Rule → +Add Incident Rule.
- Enter a name and description for your incident rule.
- Assign the incidents created by this rule to a technician by selecting a name from the Assign To drop-down menu.
- Select the severity: Attention, Critical, or Trouble from the Severity field.
- Enter the threshold value to create the incident. An incident will be created when the specified number of alerts get triggered within the time frame.
- In the Criteria field, specify the Device, Device Group, or Alert Profile for which you want to create an incident. You can also create a criteria with multiple fields by clicking on the + icon to add another field and combine them using AND and OR logical operators.
- Click on Save.
You can view and edit the existing incident rules by navigating to the Alerts tab → Incident → Incident Rule and clicking on the required incident rule.