06-01-2022 03:11 AM
Hi,
How does Event Management work with the SIR module in SecOps?
End-to-end guidance is helpful.

06-01-2022 06:21 AM
Hi,
On the event form, there's a field called Classification. For known security events, set that value to Security instead of IT. From there, simply either allow the system to correlate as it would normally or create Event Rules as needed and then create appropriate Alert Rules to automate response. More detailed implementation advice would need to be based on use cases and your specific environment.
Hope this helps!
06-01-2022 04:18 AM
Hello,
Please refer to the explanation below:
Security Incident Response is integrated with Event Management in that events can be classified as "Security" and can, based on easily configurable rules, create security incidents.
This is useful from a triage standpoint - you may get many alerts and not all of them are worthy of a security incident (in and of themselves) but certain alerts or a combination of alerts and operational circumstances may warrant the creation of a full security incident.
Consider this example: an IDS or SIEM may throw thousands of alerts in a day, but if you see an attack against a production server in combination with poor performance data from that endpoint - it may be time for a critical priority security incident! Event Management helps users manage rules for this type of dynamic auto-generation.
With regard to your query about the location of the data: it is possible to send data directly to security applications (such as Security Incident) or to the shared event table itself. Data sent to the event table should be classified as "Security" events (set classification to "1") so that they can be easily distinguished and protected from non-security personnel with access controls based on this classification.
Hope this helps!
Also please review the attachment.
Thanks
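An added example of the triage logic this answer describes, written as plain JavaScript over in-memory events rather than the platform's event table; it is not ServiceNow's code and not the poster's. The event field names, the "2" used for a non-security classification, the production node list and the correlation window are all assumptions; only the Security classification value "1" comes from the answer above.

```javascript
// Added example (not ServiceNow code): a minimal model of the event rule
// and alert rule described in the answer. An event rule keeps only events
// classified as Security (classification "1"); an alert rule escalates to a
// critical security incident when such an event on a production node
// coincides with a poor-performance event from the same node.
const CLASSIFICATION_SECURITY = "1";

// Constructed sample events; field names approximate an event record and
// are an assumption, not the exact schema. Classification "2" is used here
// as an arbitrary non-security (IT) value.
const sampleEvents = [
  { node: "prod-web-01", classification: "1", type: "ids_attack", time: 100 },
  { node: "prod-web-01", classification: "2", type: "cpu_high",   time: 140 },
  { node: "dev-db-02",   classification: "1", type: "ids_attack", time: 150 },
  { node: "prod-app-03", classification: "2", type: "cpu_high",   time: 160 },
];

// Assumed list of production hosts (in practice this would come from the CMDB).
const PRODUCTION_NODES = new Set(["prod-web-01", "prod-app-03"]);

// Event rule: only Security-classified events are eligible for SIR triage.
function securityEvents(events) {
  return events.filter(e => e.classification === CLASSIFICATION_SECURITY);
}

// Alert rule: decide whether a security event warrants an incident, and at
// what priority, by correlating it with operational events on the same node
// within windowSeconds. Security events on non-production hosts stay as
// alerts for analyst review and produce no incident here.
function triage(events, windowSeconds) {
  const incidents = [];
  for (const sec of securityEvents(events)) {
    if (!PRODUCTION_NODES.has(sec.node)) continue;
    const degraded = events.some(e =>
      e.node === sec.node &&
      e.classification !== CLASSIFICATION_SECURITY &&
      e.type === "cpu_high" &&
      Math.abs(e.time - sec.time) <= windowSeconds);
    incidents.push({
      node: sec.node,
      priority: degraded ? "critical" : "high",
      reason: degraded ? "attack plus degraded production host"
                       : "attack on production host",
    });
  }
  return incidents;
}
```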
