Cisco Cisco Firepower Management Center 2000

19-5

FireSIGHT System User Guide

Chapter 19 Handling Incidents

Creating an Incident

•

Damage

•

Unknown

You can also create your own incident types, as explained in

Creating Custom Incident Types, page 19-7

Creating an Incident

License:

Protection

This section explains how you create an incident.

To create an incident:

Access:

Admin/Intrusion Admin

Step 1

Select

Analysis > Intrusions > Incidents

The Incidents page appears.

Step 2

Click

Create Incident

The Create Incident page appears.

If you previously copied intrusion events to the clipboard, they are displayed at the bottom of the page.
See

Using the Clipboard, page 18-41

for information about using the clipboard.

Step 3

From the

Type

drop-down menu, select the option that best describes the incident.

Step 4

In the

Time Spent

field, enter the amount of time you spent on the incident in the #d #h #m #s format,

where # represents the number of days, hours, minutes, or seconds.

Step 5

In the

Summary

text box, type a short description (up to 255 alphanumeric characters spaces, and

symbols) of the incident.

Step 6

In the

Add Comment

text box, type a more complete description (up to 8191 alphanumeric characters,

spaces and symbols) for the incident.

Step 7

Do you want to add events to the incident?

•

If yes, select the events on the clipboard and click

Add to Incident

You can also add all the events from the clipboard by clicking

Add All to Incident

•

If no, click

Save

In either case, the incident is saved with the information you entered.

Note

If you want to add individual events from more than one page on the clipboard, you must add
the events from one page, then add the events from the other pages separately.

Editing an Incident

License:

Protection

You can update an incident as you collect more information. You can also add or delete events from the
incident as your investigation progresses.