17.0 Configuring Incidents

In Sentinel, a set of related events (for example, the events that make up a possible attack) can be grouped together to form an incident. An incident in the open state signals that someone needs to investigate it, resolve it, and then close it. For example, the resolution to an attack might be to close a port, block a source IP, or rebuild a machine.

Incidents are created automatically as a result of a correlation rule being triggered, or they are created manually by a security analyst monitoring incoming data or querying past data.
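The following Python script is an added illustration of the two creation paths just described, not code from the Sentinel product or its API: a constructed threshold correlation rule groups related failed-login events from one source into an incident, a second function opens an incident manually from events an analyst has selected, and the incident then moves through the open, resolved and closed states. All class, function and field names, the threshold, the window and the sample events are assumptions made for this example.

```python
"""Constructed example: correlation-driven and manual incident creation,
plus the open -> resolved -> closed life cycle. Not Sentinel code; all
names and values are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    src_ip: str
    name: str


@dataclass
class Incident:
    title: str
    events: list = field(default_factory=list)
    state: str = "open"          # open -> resolved -> closed
    resolution: str = ""

    def resolve(self, action: str) -> None:
        """Record the action taken (e.g. block a source IP) and mark resolved."""
        if self.state != "open":
            raise ValueError("only an open incident can be resolved")
        self.resolution = action
        self.state = "resolved"

    def close(self) -> None:
        """Close only after a resolution has been recorded."""
        if self.state != "resolved":
            raise ValueError("resolve the incident before closing it")
        self.state = "closed"


def correlate_failed_logins(events, threshold=5, window=timedelta(minutes=2)):
    """Constructed correlation rule: when `threshold` or more login_failed
    events from the same source fall inside `window`, open one incident that
    groups those related events. Returns the list of incidents created."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name == "login_failed":
            by_src[ev.src_ip].append(ev)

    incidents = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                incidents.append(
                    Incident(f"Possible brute force from {src}", evs[start:end + 1])
                )
                break  # one incident per source in this simplified rule
    return incidents


def create_manual_incident(title: str, events) -> Incident:
    """Manual path: an analyst groups events they selected into an incident."""
    return Incident(title, list(events))


# Constructed sample data: six rapid failures from one source, two slow
# failures from another, and one success.
_T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    [Event(_T0 + timedelta(seconds=10 * i), "10.0.0.5", "login_failed") for i in range(6)]
    + [Event(_T0, "10.0.0.9", "login_failed"),
       Event(_T0 + timedelta(minutes=30), "10.0.0.9", "login_failed"),
       Event(_T0 + timedelta(seconds=5), "10.0.0.7", "login_ok")]
)


def demo():
    """Run the rule over the sample data and walk one incident to closure."""
    incidents = correlate_failed_logins(SAMPLE_EVENTS)
    inc = incidents[0]
    inc.resolve("block source IP 10.0.0.5 at the perimeter firewall")
    inc.close()
    return incidents


if __name__ == "__main__":
    for inc in demo():
        print(inc.title, inc.state, len(inc.events), "events;", inc.resolution)
```

The rule deliberately fires once per source and stops; a production correlation engine would instead keep attaching later matching events to the already open incident, which is exactly the grouping behaviour the section describes.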