You'll want to review the events detected on your assets and group related changes into incidents. Review your incidents to determine if they're valid, mark them approved or unapproved and classify them by the type of change. This is especially useful for auditing purposes. You also have an option to create incidents based on certain criteria defined in a correlation rule. See Configure correlation rules to auto create incidents.
Go to Events > Event Review to see the events that are waiting to be reviewed.
Enter your search query or use filters on the left side to find events that are part of the same incident. For example, find events based on tags, user, process and profile.
Then click Create Incident. All events matching your query will be included in the incident.
Note: The Create Incident option is enabled only after you enter a valid QQL query in the search bar.
Note: An incident can contain at most 10,000 events. When you create an incident, choose your filters or search query so that it returns 10,000 events or fewer. Events beyond this limit are excluded from the incident and from any report generated for it, so the incident and report will not cover them.
Give the incident a name, and click Create.
Your new incident will be saved on the Incidents list where you can view and add details.
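Because events beyond the 10,000-event cap are dropped from the incident and its report, a query that matches more than that silently leaves part of a change set unreviewed. The following is an added example (not part of this page or of the product) that plans the incident time windows for a large batch of events: given the timestamps of the events your query matches, it returns consecutive, non-overlapping time ranges each holding at most 10,000 events, so you can create one incident per range by narrowing the timeframe. Events with identical timestamps are kept together, since a time range cannot separate them; a single timestamp holding more events than the cap is flagged as oversized, meaning you must add another filter (user, process, profile) rather than a tighter time range. The sample timestamps are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

MAX_EVENTS_PER_INCIDENT = 10_000  # per-incident cap stated on this page


def plan_incident_windows(timestamps, limit=MAX_EVENTS_PER_INCIDENT):
    """Split event timestamps into consecutive, non-overlapping time windows,
    each holding at most `limit` events.

    Events sharing one timestamp are never split across windows, because a
    query with a time range cannot separate them. If more than `limit` events
    share a timestamp, that timestamp becomes a window of its own flagged
    `oversized=True`: a time range alone cannot bring it under the cap, so
    narrow it with another filter before creating the incident.

    Returns a list of dicts: {"start", "end", "count", "oversized"}.
    """
    if not timestamps:
        return []
    # Ascending list of (timestamp, number of events at that timestamp).
    per_timestamp = sorted(Counter(timestamps).items())

    windows = []
    start = end = per_timestamp[0][0]
    count = 0
    for ts, n in per_timestamp:
        if count and count + n > limit:
            # Close the current window; the next one starts at this timestamp.
            windows.append({"start": start, "end": end, "count": count,
                            "oversized": count > limit})
            start, count = ts, 0
        end = ts
        count += n
    windows.append({"start": start, "end": end, "count": count,
                    "oversized": count > limit})
    return windows


def sample_timestamps():
    """Constructed sample: a burst of 12,000 events in a single second (for
    example a package upgrade rewriting a directory tree), followed by 15,000
    events one second apart over the next ~4 hours."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    burst = [base] * 12_000
    spread = [base + timedelta(seconds=1 + i) for i in range(15_000)]
    return burst + spread


if __name__ == "__main__":
    for w in plan_incident_windows(sample_timestamps()):
        flag = "  <- cannot be split by time; add another filter" if w["oversized"] else ""
        print(f"{w['start'].isoformat()} .. {w['end'].isoformat()}: "
              f"{w['count']} events{flag}")
```

For the constructed sample this yields three windows: the burst second alone (12,000 events, oversized), then a window of exactly 10,000 events, then the remaining 5,000. Each non-oversized window can be turned into its own incident by setting that window as the incident timeframe; the oversized one needs an additional filter such as user or process before it fits.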
Choose View Details from the Quick Actions menu to see the list of events included in an incident and get a breakdown of the events by severity, action and user.
Choose Edit from the Quick Actions menu for any Open incident to rename it or change the events associated with it by modifying the query or timeframe. If an event no longer matches the query it will be removed from the incident and appear back on the Events list so it can be reviewed again.
Note: After you create an incident manually, its events are marked as belonging to the incident after 24 hours.
Go to the Incidents list. Choose Start Review from the Quick Actions menu for any incident that is Open.
You'll see the list of events associated with the incident, and you can drill into the details for any event.
Want to change the query that resulted in this list of events? Go back and Edit the incident.
Click Next below the list to complete your review.
Provide a comment, mark the incident Approved or Unapproved, pick the appropriate disposition category for reporting and classification, and choose whether the incident resulted from a manual or automated change. Click Finish. The incident status will be updated to Closed.
To download the list, click the Download icon above it and choose a download format.
Select an incident and click Generate Report from the Quick Actions menu. Select PDF/HTML format and click Download.
The report is created for the incident and placed in the Reports tab. Go to the Reports tab and download the report.
When you submit a request to generate a report, FIM assigns it one of the following statuses, shown in the Reports tab as processing proceeds:
- Accepted: The request for generating the report is accepted.
- In Progress: The report generation is in progress.
- Completed: The report is generated and is available for download.
- Failed: Report generation failed.
Note: If a report is in the "Failed" state, or if it stays in any state other than Completed for a long time, you can run the report again using the "Run Again" option from the Quick Actions menu.
You can reopen a closed incident to modify its review information. When you reopen an incident, all of its review information (disposition, change type, approval and the rest) is cleared. You can then review the reopened incident, provide review comments and mark it Closed again.
To reopen an incident, click Reopen from the Quick Actions menu.
Enter the comments and click Yes.