Manually create an incident from an alert

When an alert or alert group requires additional work, you can open an incident for it. If Security Incident Response is activated, a security incident can be created.

Before you begin

Role required: evt_mgmt_admin, evt_mgmt_operator, or evt_mgmt_user

About this task

You can manually create incidents and security incidents from the Alert form. To prevent duplicate tasks, the system checks the conditions of all task templates before creating an incident.

You can customize the created incident using the EvtMgmtCustomIncidentPopulator.populateFieldsFromAlert script include. The customization includes mapping fields from the alert to the incident or aborting the incident creation according to customized conditions.

You can populate incident fields using custom alert field values that were populated from additional information fields. Use the EvtMgmtCustomIncidentPopulator script include to copy the values to the incident after copying the data to the alert. For more information, see Custom alert fields.
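
A sketch of the logic such a customization could hold, as an added example that is not ServiceNow's code or part of the original page. It is plain JavaScript with a constructed stand-in for the alert and incident records so it runs outside an instance; the (alert, task) arguments, the true/false return to continue or abort, and all field names (including the custom field u_business_unit) are assumptions.

```javascript
// FakeRecord is a constructed stand-in for the alert and incident records;
// it only mimics getValue/setValue so the mapping logic can run anywhere.
function FakeRecord(fields) { this.fields = Object.assign({}, fields); }
FakeRecord.prototype.getValue = function (name) {
  var v = this.fields[name];
  return v === undefined || v === null || v === '' ? null : String(v);
};
FakeRecord.prototype.setValue = function (name, value) { this.fields[name] = value; };

// Assumed mapping: alert severity -> [impact, urgency]; unlisted severities abort.
var SEVERITY_MAP = { '1': ['1', '1'], '2': ['2', '2'], '3': ['3', '3'] };

// Alert text originates in external event payloads: collapse control
// characters and cap the length before it lands on the incident.
function clean(value, maxLen) {
  return String(value).replace(/[\u0000-\u001f\u007f]+/g, ' ').trim().slice(0, maxLen);
}

// Returns true to let incident creation continue, false to abort it (assumed
// convention). All abort checks run before any field on the task is written.
function populateFieldsFromAlert(alert, task) {
  var mapped = SEVERITY_MAP[alert.getValue('severity')];
  if (!mapped) return false;                                   // severity not mapped
  if (alert.getValue('maintenance') === 'true') return false;  // CI in maintenance
  task.setValue('impact', mapped[0]);
  task.setValue('urgency', mapped[1]);
  var text = alert.getValue('description') || 'Alert ' + alert.getValue('number');
  task.setValue('short_description', clean(text, 160));
  var ci = alert.getValue('cmdb_ci');
  if (ci) task.setValue('cmdb_ci', ci);
  var unit = alert.getValue('u_business_unit');  // hypothetical custom alert field
  if (unit) task.setValue('u_business_unit', clean(unit, 40));
  return true;
}

// Constructed sample alerts: one that is mapped, one that is aborted.
function demo() {
  var critical = new FakeRecord({ number: 'Alert0010001', severity: '1',
    description: 'Disk full\r\non db01', cmdb_ci: 'abc123', u_business_unit: 'Payments' });
  var warning = new FakeRecord({ number: 'Alert0010002', severity: '4' });
  var inc1 = new FakeRecord({}), inc2 = new FakeRecord({});
  return { created: populateFieldsFromAlert(critical, inc1), incident: inc1.fields,
           skipped: !populateFieldsFromAlert(warning, inc2), untouched: inc2.fields };
}
console.log(demo());
```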

Note: If Security Incident Response is activated, the base system includes an alert rule called Create security incidents for critical alerts. This alert rule creates security incidents when critical security events are reported.


  1. Navigate to Event Management > All Alerts.
  2. Click the alert Number.
  3. Choose the type of incident to create:
    • To create an incident, click Create Incident.
    • To create a security incident, click Create Security incident.
  4. Click Update.


The created incident appears in the Task field of the Alert form.