Version: 4.3

Creating Incidents

Incident creation refers to the process of logging and documenting significant events and correlation rule outputs. Depending on operational needs, incidents may be created either automatically (via the Create Incident function) or manually by authorized users.

Creation using "Create Incident"

To create an incident using the Create Incident action:

  1. Add the Create Incident action in the Active Actions section of the job editor.

  2. Fill in the fields in the Create Incident action parameters:

  • Incident Name - a brief name identifying the incident in the general list
  • Severity - the importance level of the incident
  • Workflow - the workflow assigned to the incident
  • Incident Description - a detailed description of the incident; the editor supports Github Flavored Markdown
  • Detail Type - the format for additional information
    • Search - a search query that returns events or additional information about the incident
    • Link - a link to additional information, for example, to documentation
  • Details - a search query or URL providing additional information
  • Index Suffix - allows creating incidents in a specific index; see Index Suffixes
  • Execution Settings - active action execution settings
    • Do not run for each result - creates a single incident even if the search returns multiple results
  • Additional Fields - custom fields defined in the module settings
  • Fields from Search Results - key-value pairs from the search job results
  • Local Parameters - key-value pairs of local and global tokens for dynamic data substitution

Using Tokens

For the Severity field and all fields in the Additional Fields block, you can use search job tokens; see Using Tokens.
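As an added illustration (not the product's code or configuration format), the following Python model shows how the Create Incident parameters above combine with search results: one incident per result row, or a single incident when "Do not run for each result" is set, with tokens substituted into Severity, the description and Additional Fields. The `$name$` token syntax, the behaviour in single-incident mode and the sample results are assumptions of this model.

```python
import re
from dataclasses import dataclass
# Token syntax assumed for this model: $name$ (the product's real syntax is on its "Using Tokens" page).
TOKEN_RE = re.compile(r"\$(\w+)\$")

def substitute(template, tokens):
    """Replace $name$ tokens with values from `tokens`; unknown tokens are left as-is."""
    return TOKEN_RE.sub(lambda m: str(tokens.get(m.group(1), m.group(0))), template)

@dataclass
class IncidentAction:
    name: str                # Incident Name, may contain tokens
    severity: str            # Severity, may contain a token such as "$sev$"
    description: str         # Incident Description (GFM text), may contain tokens
    additional_fields: dict  # Additional Fields, values may contain tokens
    result_fields: tuple     # Fields from Search Results to copy from each row
    local_parameters: dict   # Local Parameters: global/local token values
    single_incident: bool = False  # "Do not run for each result"

    def _build(self, tokens):
        return {"name": substitute(self.name, tokens),
                "severity": substitute(self.severity, tokens),
                "description": substitute(self.description, tokens),
                "additional_fields": {k: substitute(v, tokens)
                                      for k, v in self.additional_fields.items()}}

    def run(self, results):
        """Return the incidents this action would create for a list of result rows."""
        if not results:
            return []  # nothing matched: no incident
        if self.single_incident:
            # Assumed: one incident for the whole set, only Local Parameters as tokens, rows attached as details
            inc = self._build(dict(self.local_parameters))
            inc["details"] = list(results)
            return [inc]
        incidents = []
        for row in results:  # one incident per result row, row fields usable as tokens
            inc = self._build({**self.local_parameters, **row})
            inc["fields_from_search"] = {k: row[k] for k in self.result_fields if k in row}
            incidents.append(inc)
        return incidents

# Constructed sample search results and action parameters (not real data or product config).
SAMPLE_RESULTS = [{"host": "srv-01", "user": "alice", "sev": "High", "count": 12},
                  {"host": "srv-02", "user": "bob", "sev": "Medium", "count": 3}]
ACTION = IncidentAction(name="Brute force on $host$", severity="$sev$",
                        description="**User:** $user$, failed logins: $count$ (rule $rule$)",
                        additional_fields={"source_host": "$host$"},
                        result_fields=("host", "user"),
                        local_parameters={"rule": "auth-bruteforce"})
```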


Creating Manually

To create an incident manually:

  1. Go to the Incident Manager
  2. Click the Create Incident button. A modal window with the incident parameters appears.
  • Mandatory fields:
    • Incident name - the name of the incident displayed in the general list of incidents
    • Incident description - a description that is displayed in the general list when the incident details are expanded
  • Required fields:
    • Severity - the importance level of the incident
    • Reviewer - the employee or group of employees responsible for resolving the incident and its consequences
  • Additional Information - additional information about the incident
  3. Click the Create Incident button. The created incident then appears in the general list.