Creating incidents

You can create incidents manually or enable the rules for automatic creation of incidents. This topic describes how to create incidents manually.

To be able to create incidents, you must have the access right to read and modify alerts and incidents.

If the incident is created manually, playbooks will not launch automatically. You can launch a playbook for such an incident manually.

You can create incidents by using the incident table or the alert table.

Creating incidents by using the incident table

To create an incident:

In the main menu, go to Monitoring & reporting → Incidents. Click the Create incident button.
On the General settings step, specify the following settings:
- Incident name
- Tenant
  A tenant that the incident is associated with. Alerts can only be attached to an incident that belongs to the same tenant. You cannot change the incident's tenant later.
- Assignee
  This is an incident owner, the analyst who is responsible for the incident investigation and process. You can change an incident assignee at any time if the Status parameter is not set to Closed.
- Priority
  Possible values: Low, Medium, High, or Critical.
  
  Incident priority defines the order in which the incidents must be investigated by analysts. Incidents with the Critical priority are the most urgent ones and must be investigated first. You can change the incident priority manually.
- Description
  In this field, you can leave a description of the incident. For example, you can describe the issue or provide investigation results of the linked alerts. The description is added to the Description section of the incident details.
  
  This field is optional.
Click OK.
The incident is created.

Creating incidents by using the alert table

You create an incident by selecting the alerts to link to the new incident. Refer to linking alerts to incidents.