Skip to content
  • There are no suggestions because the search field is empty.

Add Events to an Incident Dialog

Add Events to an Incident Dialog

In the Add Events to an Incident dialog, analysts can add alerts to an existing incident so that incident responders look at the associated events as part of an incident response. To access this dialog while investigating a service in the Events view and the Legacy Events view, see Add Events to an Incident in the Events View and Add Events to an Incident in the Legacy Events View.

Workflow Workflow

netwitness_wkflow-createincdg.png

What do you want to do?

  • User Role:

    Incident Responder or Threat Hunter

  • I want to ...:

    review detections and signals seen in my environment

  • Show me how:

    NetWitness Platform Getting Started Guide


  • User Role: Incident Responder
  • I want to ...:

    review critical incidents or alerts

  • Show me how:

    NetWitness Respond User Guide










*You can perform this task in the current view.

Related Topics

Quick Look

The following figure is an example of the Add Events to an Incident dialog in the Legacy Events. The table describes the information and options in the Add Events to an Incident dialog .
netwitness_addev2incddg.png

  • Feature: Alert Summary
  • Description: The Alert Summary field is filled by the query that produced the select alerts, which you selected to create this incident. The Severity field reflects the Severity of the selected alert, an integer between 1 and 100.

  • Feature: Search
  • Description: Allows you to search for an existing event.

  • Feature: ID
  • Description: The ID of the incident. You can sort IDs in ascending or descending order.

  • Feature: Name
  • Description: The incident name. You can sort the Name in ascending or descending order.

  • Feature: Date Created
  • Description: Displays the date and time the incident was created. You can sort the dates in ascending or descending order.

  • Feature: Priority
  • Description: Displays the priority of the incident: either low or critical.

  • Feature: Cancel
  • Description: Closes the dialog without saving changes.

  • Feature: Add to Incident
  • Description: Adds the alerts to the incident. A dialog confirms that alerts are successfully added

The following figure is an example of the Add to Incident dialog in the Events view. The table describes the information and options in the Add to Incident dialog.

12.4_Add_events_mitre_0124.png

  • Feature: Alert Summary
  • Description: The Alert Summary field is filled by the query that produced the select alerts, which you selected to create this incident.

  • Feature: Severity
  • Description: The Severity field reflects the Severity of the selected alert, an integer between 1 and 100.

  • Feature: MITRE ATT&CK Tactics
  • Description:

    Displays the type of tactics associated with the incident.

    For example: Credential Access.

    The tactic Credential Access tries to steal account names and passwords


  • Feature: MITRE ATT&CK Techniques
  • Description:

    Displays the type of techniques and sub-techniques associated with the tactics.


  • Feature: Search Open Incidents
  • Description: Allows you to search for an existing incidents.

  • Feature: ID
  • Description: The ID of the incident.

  • Feature: Name
  • Description: The incident name.

  • Feature: Created
  • Description: Displays the date and time the incident was created.

  • Feature: Assignee
  • Description: Displays the team member currently assigned to the incident

  • Feature: Cancel
  • Description: Closes the dialog without saving changes.

  • Feature: OK
  • Description: Adds the alerts to the incident. A confirmation message is displayed after the incident is successfully added

  • Column 1:
  • Column 2: