Click Incidents in the Sentinel Control Center.
For more information, see Accessing Incidents.
From the menu, click Incidents > Display Incident View Manager.
or
Click the Display Incident View Manager button in the toolbar.
Select the desired Incident in the Incidents View window.
When you view an incident, you see the tabs listed below, where you can perform Incident-related activities. As you investigate and remediate an Incident, additional information can be added to these tabs.
Events: Lists events that triggered the incident, correlation rule, or alerts.
Assets: Lists assets affected by the events of this Incident.
Vulnerability: Lists asset vulnerabilities.
iTRAC: Allows you to add a workflow to the Incident.
History: Lists the activities performed on the current Incident.
Attachments: Allows you to add an attachment to the Incident created in the system.
Notes: Allows you to add notes to the Incident. If the incident was created as a result of alerts escalation, by default, this tab displays the comments associated with alerts and the reason for escalation.
In the Incidents View window, select the desired Incident.
Click the iTRAC tab.
Select a workflow from the iTRAC process drop-down list.
For more information about workflows, see Section 18.0, Configuring iTRAC Workflows.
Click Save.
You can attach only one workflow to an Incident.
In the Incidents View window, select the desired Incident.
Click the Attachments tab, then click Add.
Click Browse, then navigate to the attachment and select it.
Specify the required information, or accept the default entries.
Click OK, then click Save.
You can right-click the attachment to view it or save it to your local hard drive.
In the Incidents View window, select the desired Incident.
Click the Notes tab, then click Add.
Specify your notes, then click OK.
Click Save to update the Incident.
To edit or delete the note, select a note in the Notes tab of the Incident window, right-click the note, then select edit or delete.
Any configured JavaScript action or iTRAC activity can be executed on an Incident.
In the Incidents View window, select the desired Incident.
In the menu, click Action > Execute Incident Action.
or
Click the Execute Incident Action button.
Select an Action or click the Add Action button to create a new one.
Click Execute.
If the action is a JavaScript Action, a window opens to show the progress of the action.
To add the command output to the Incident, click the Attach to Incident button.
The action output is saved and can be viewed from the Attachments tab of the Incident.
To e-mail an Incident using the preinstalled E-mail Incident action, you must have an SMTP Integrator configured with valid connection information and with the property SentinelDefaultEMailServer set to “true”. For more information, see the SMTP Integrator documentation available at the Sentinel Plug-in Web site.
In the Incidents View window, select the desired Incident.
Click the Email Incident icon.
Specify the required information.
Select which HTML attachments should be included in the mail message: the events included in the incident, assets, vulnerabilities, Advisor attacks, incident history, attachments, and notes.
Click OK.