Create incident or security incident from an alert

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 2 minutes

    When an alert must be escalated and assigned to someone who can resolve the underlying issue, you can open an incident.

    Before you begin

    Role required: evt_mgmt_admin, evt_mgmt_operator, or evt_mgmt_user

    About this task

    If Security Incident Response is activated, a security incident can be created.

    You can manually create incidents and security incidents from the Alert form. To prevent duplicate tasks, the system checks the conditions of all task templates before creating an incident.

    You can customize the created incident using the EvtMgmtCustomIncidentPopulator.populateFieldsFromAlert script include. The customization includes mapping fields from the alert to the incident or aborting the incident creation according to customized conditions. For more information, see Custom alert fields.

    You can populate incident fields using custom alert field values that were populated from additional information fields. Use the EvtMgmtCustomIncidentPopulator script include to copy the values to the incident after the data has been copied to the alert. For more information, see Custom alert fields.
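    The following is an added illustration of the kind of mapping and abort logic a customized populateFieldsFromAlert can apply; it is not ServiceNow's shipped script include. It assumes the hook receives the alert and the incident as GlideRecord-like objects exposing getValue/setValue, that returning false aborts incident creation, and it uses constructed stand-in records (and a hypothetical custom alert field u_source_team) so the logic runs outside the platform.

```javascript
// Constructed stand-in for a GlideRecord: only getValue/setValue are modelled (assumption).
function makeRecord(fields) {
  var data = Object.assign({}, fields);
  return {
    getValue: function (name) { return data[name] === undefined ? '' : String(data[name]); },
    setValue: function (name, value) { data[name] = value; }
  };
}

// Alert severity (1=Critical, 2=Major, 3=Minor, 4=Warning, 5=Info, 0=Clear)
// mapped to incident [impact, urgency] (1=High, 2=Medium, 3=Low). Assumed mapping.
var SEVERITY_TO_IMPACT_URGENCY = {
  '1': ['1', '1'], '2': ['2', '1'], '3': ['2', '2'], '4': ['3', '2'], '5': ['3', '3']
};

// Body of a customized populateFieldsFromAlert(alertGr, incidentGr).
// Returns false to abort incident creation, true to let it proceed (assumed contract).
function populateFieldsFromAlert(alertGr, incidentGr) {
  // Abort: a cleared alert, or one flagged for maintenance, should not open a new incident.
  if (alertGr.getValue('severity') === '0' || alertGr.getValue('maintenance') === 'true') {
    return false;
  }

  // Map severity to impact/urgency; unknown severities fall back to Low/Low.
  var pair = SEVERITY_TO_IMPACT_URGENCY[alertGr.getValue('severity')] || ['3', '3'];
  incidentGr.setValue('impact', pair[0]);
  incidentGr.setValue('urgency', pair[1]);

  // Carry the alert number and CI across so the incident can be traced back to its alert.
  incidentGr.setValue('short_description',
    '[' + alertGr.getValue('number') + '] ' + alertGr.getValue('description'));
  incidentGr.setValue('cmdb_ci', alertGr.getValue('cmdb_ci'));

  // Copy a custom alert field (hypothetical u_source_team) into the assignment group, if set.
  var team = alertGr.getValue('u_source_team');
  if (team !== '') {
    incidentGr.setValue('assignment_group', team);
  }
  return true;
}
```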

    Note:
    If Security Incident Response is activated, the base system includes an alert action rule called Create security incidents for critical alerts. This alert action rule creates security incidents when critical security events are reported.

    Procedure

    1. Navigate to All > Event Management > All Alerts.
    2. Click the alert Number.
    3. To create an incident or a security incident:
      • To create an incident, click Quick Incident.
      • To create a security incident, click Create Security Incident. You must install the Security (secops) plugin to enable this option.
    4. Click Update.

    Result

    The created incident appears in the Task field of the Alert form.