Create an incident or security incident from an alert

When an alert or alert group requires additional work, you can open an incident for it. If the Security Incident Response application is activated, you can create a security incident instead.

Before you begin

Role required: evt_mgmt_admin, evt_mgmt_operator, or evt_mgmt_user

About this task

You can manually create incidents and security incidents from the Alert form. To prevent duplicate tasks, the system checks the conditions of all task templates before creating an incident.

You can customize the created incident using the EvtMgmtCustomIncidentPopulator.populateFieldsFromAlert script include. The customization can map fields from the alert to the incident, or abort the incident creation when conditions that you define are met. For more information, see Populate alert fields from a task template and custom script.

You can also populate incident fields from custom alert fields whose values were populated from the alert's additional information fields. Use the EvtMgmtCustomIncidentPopulator script include to copy those values to the incident after the data has been copied to the alert. For more information, see Populate custom alert fields.
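The following is an added example of a customized populator, written in the ES5 server-side JavaScript style used by ServiceNow script includes; it is not the base-system script include and not code from this page. It assumes that populateFieldsFromAlert receives the alert and the new incident as GlideRecord-style objects (alertGR, incidentGR) and that returning false aborts incident creation; it also assumes the alert fields severity, source, node, number, maintenance and the custom field u_source_ip (both on the alert and on the incident). Verify those names against the script include and the tables in your instance. Because GlideRecord does not exist outside ServiceNow, a minimal in-memory stand-in with the same getValue and setValue calls is included so the logic can be exercised offline, and the Class.create() wrapper of a real script include is omitted for the same reason.

```javascript
// Added example (not the base-system script include). ES5 style, as in a
// ServiceNow server-side script include.

// Minimal stand-in for GlideRecord, constructed for offline testing only:
// only getValue/setValue are modelled, and values are strings as in GlideRecord.
function FakeGlideRecord(fields) {
  this.fields = {};
  for (var k in fields) {
    if (Object.prototype.hasOwnProperty.call(fields, k)) {
      this.fields[k] = fields[k];
    }
  }
}
FakeGlideRecord.prototype.getValue = function (name) {
  return Object.prototype.hasOwnProperty.call(this.fields, name) ? this.fields[name] : '';
};
FakeGlideRecord.prototype.setValue = function (name, value) {
  this.fields[name] = value;
};

// Alert severity (assumed em_alert.severity: 1 Critical .. 5 Info) mapped to
// incident impact/urgency (1 High .. 3 Low). The mapping is an assumption.
var SEVERITY_TO_IMPACT_URGENCY = {
  '1': { impact: '1', urgency: '1' },
  '2': { impact: '2', urgency: '1' },
  '3': { impact: '2', urgency: '2' },
  '4': { impact: '3', urgency: '2' },
  '5': { impact: '3', urgency: '3' }
};

var EvtMgmtCustomIncidentPopulator = {
  // Assumed signature: (alertGR, incidentGR) -> boolean; false aborts creation.
  populateFieldsFromAlert: function (alertGR, incidentGR) {
    // Abort: the alert already references a task (Task field set); a second
    // incident would duplicate work.
    if (alertGR.getValue('task')) {
      return false;
    }
    // Abort: alert flagged as maintenance (assumed field name), nothing to act on.
    if (alertGR.getValue('maintenance') === 'true') {
      return false;
    }

    // Map severity to impact/urgency; unknown severities get the lowest values.
    var prio = SEVERITY_TO_IMPACT_URGENCY[alertGR.getValue('severity')] ||
               SEVERITY_TO_IMPACT_URGENCY['5'];
    incidentGR.setValue('impact', prio.impact);
    incidentGR.setValue('urgency', prio.urgency);

    // Carry the alert's context into the incident text.
    incidentGR.setValue('short_description',
      '[' + alertGR.getValue('source') + '] ' + alertGR.getValue('short_description'));
    incidentGR.setValue('description', [
      'Created from alert ' + alertGR.getValue('number'),
      'Node: ' + alertGR.getValue('node'),
      '',
      alertGR.getValue('description')
    ].join('\n'));

    // Copy a custom alert field (assumed u_source_ip, previously populated from
    // the alert's additional information) to a matching custom incident field.
    var sourceIp = alertGR.getValue('u_source_ip');
    if (sourceIp) {
      incidentGR.setValue('u_source_ip', sourceIp);
    }
    return true;
  },
  type: 'EvtMgmtCustomIncidentPopulator'
};

// Runs the populator against a constructed sample alert (merged with overrides)
// and returns whether the incident would be created plus its populated fields.
function runPopulator(overrides) {
  var base = {
    number: 'Alert0012345',
    severity: '1',
    source: 'IDS',
    node: 'web-01',
    short_description: 'Multiple failed logins',
    description: '37 failed SSH logins in 60s',
    u_source_ip: '203.0.113.7',
    maintenance: 'false',
    task: ''
  };
  for (var k in overrides) {
    if (Object.prototype.hasOwnProperty.call(overrides, k)) {
      base[k] = overrides[k];
    }
  }
  var incidentGR = new FakeGlideRecord({});
  var created = EvtMgmtCustomIncidentPopulator.populateFieldsFromAlert(
    new FakeGlideRecord(base), incidentGR);
  return { created: created, incident: incidentGR.fields };
}
```

In an instance, only the populateFieldsFromAlert body belongs in the customized script include; the FakeGlideRecord stand-in and runPopulator exist solely to run the mapping logic outside ServiceNow. Keep abort conditions narrow: an abort silently produces no incident, so the conditions should be ones a reviewer can explain from the alert record itself, such as an existing Task reference.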

Note: If Security Incident Response is activated, the base system includes an alert rule called Create security incidents for critical alerts. This alert rule creates security incidents when critical security events are reported.

Procedure

  1. Navigate to Event Management > All Alerts.
  2. Click the alert Number to open the Alert form.
  3. Choose the type of task to create:
    • To create an incident, click Create Incident.
    • To create a security incident (available only when Security Incident Response is activated), click Create Security incident.
  4. Click Update.

Result

The created incident or security incident appears in the Task field of the Alert form. If a customized EvtMgmtCustomIncidentPopulator aborts the creation, no task is created and the Task field stays empty.