Cisco Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 19 Handling Incidents
Creating an Incident
• Damage
• Unknown
You can also create your own incident types, as explained in
.
Creating an Incident
License: Protection
This section explains how you create an incident.
To create an incident:
Access: Admin/Intrusion Admin
Step 1 Select Analysis > Intrusions > Incidents.
The Incidents page appears.
Step 2 Click Create Incident.
The Create Incident page appears.
If you previously copied intrusion events to the clipboard, they are displayed at the bottom of the page.
See for information about using the clipboard.
Step 3 From the Type drop-down menu, select the option that best describes the incident.
Step 4 In the Time Spent field, enter the amount of time you spent on the incident in the #d #h #m #s format, where # represents the number of days, hours, minutes, or seconds.
Step 5 In the Summary text box, type a short description (up to 255 alphanumeric characters, spaces, and symbols) of the incident.
Step 6 In the Add Comment text box, type a more complete description (up to 8191 alphanumeric characters, spaces, and symbols) for the incident.
Step 7 Do you want to add events to the incident?
• If yes, select the events on the clipboard and click Add to Incident. You can also add all the events from the clipboard by clicking Add All to Incident.
• If no, click Save.
In either case, the incident is saved with the information you entered.
Note If you want to add individual events from more than one page on the clipboard, you must add the events from one page, then add the events from the other pages separately.
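A pre-check for the Time Spent, Summary and Add Comment values from Steps 4 to 6, for incident notes that are drafted outside the web interface and pasted in later. This is an added example, not part of the user guide or the product; the function names are hypothetical. It assumes each d/h/m/s component is optional but must appear in that order, and that the length limits count characters.

```python
import re

# Limits come from Steps 5 and 6; the unit letters come from Step 4.
SUMMARY_MAX = 255
COMMENT_MAX = 8191
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_time_spent(text):
    """Return total seconds for a '#d #h #m #s' string, or raise ValueError."""
    # Assumption: components are whitespace-separated, optional, and ordered d, h, m, s.
    tokens = text.split()
    if not tokens:
        raise ValueError("Time Spent is empty")
    total, last_rank = 0, -1
    for tok in tokens:
        match = re.fullmatch(r"(\d+)([dhms])", tok)
        if not match:
            raise ValueError(f"bad Time Spent component: {tok!r}")
        rank = "dhms".index(match.group(2))
        if rank <= last_rank:
            raise ValueError(f"component repeated or out of order: {tok!r}")
        last_rank = rank
        total += int(match.group(1)) * UNIT_SECONDS[match.group(2)]
    return total

def format_time_spent(seconds):
    """Render a number of seconds as a full '#d #h #m #s' string."""
    parts = []
    for unit in "dhms":
        count, seconds = divmod(seconds, UNIT_SECONDS[unit])
        parts.append(f"{count}{unit}")
    return " ".join(parts)

def total_time_spent(entries):
    """Combine several analysts' time entries into one Time Spent value."""
    return format_time_spent(sum(parse_time_spent(e) for e in entries))

def validate_incident(time_spent, summary, comment):
    """Return a list of problems; an empty list means the draft fits the form."""
    problems = []
    try:
        parse_time_spent(time_spent)
    except ValueError as exc:
        problems.append(str(exc))
    for label, value, limit in (("Summary", summary, SUMMARY_MAX), ("Comment", comment, COMMENT_MAX)):
        if len(value) > limit:
            problems.append(f"{label} is {len(value)} characters; limit is {limit}")
    return problems
```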
Editing an Incident
License: Protection
You can update an incident as you collect more information. You can also add or delete events from the incident as your investigation progresses.