Updated on 2024-07-18 GMT+08:00

Converting an Alert to an Incident or Associating an Alert with an Incident

Scenario

SecMaster analyzes the alerts it aggregates from other services. During the analysis, if SecMaster detects attacks or serious threats, it converts those alerts into incidents or associates them with certain incidents.

This section describes how to convert an alert to an incident and how to associate an alert with an incident.

Converting an Alert to an Incident

  1. Log in to the management console.
  2. Click in the upper part of the page and choose Security > SecMaster.
  3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
  4. In the navigation pane on the left, choose Threat Operations > Alerts.
  5. In the alert list, locate the row that contains the target alert and click Convert to Incident in the Operation column. The Convert to Incident page is displayed on the right.

    Alternatively, you can click Alert-to-Incident in the upper right corner of the alert details page.

  6. On the Convert to Incident page, specify Incident Name and Incident Type.

    The incident name is automatically set to the name of the current alert and can be modified.

  7. Click OK.

Associating an Alert with an Incident

  1. Log in to the management console.
  2. Click in the upper part of the page and choose Security > SecMaster.
  3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
  4. In the navigation pane on the left, choose Threat Operations > Alerts.
  5. In the alert list, select the alerts you want to associate and click Associated Event above the list. The Bind Incident dialog box is displayed.
  6. In the dialog box displayed, select the target incidents and click OK.

    After the association is complete, click the type of the target alert in the alert list. On the alert details page displayed, choose Relationship > Associated Incidents and check the association details.