Linking alerts to incidents

You can link one or multiple alerts to an incident for the following reasons:

Multiple alerts may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, the alerts in the incident can be investigated as a single issue. You can link up to 200 alerts to an incident.
A single alert may be linked to an incident if the alert is defined as true positive.

You can link an alert to an incident if the alert has any status other than Closed. When linked to an incident, an alert loses its current status and gains the special status In incident. If you link alerts that are currently linked to other incidents, the alerts are unlinked from the current incidents, because an alert can be linked to only one incident.

Alerts can only be linked to an incident that belongs to the same tenant.

Alerts can be linked to an incident manually or automatically.

Linking alerts manually

To link alerts to an existing or new incident:

In the main menu, go to Monitoring & reporting → Alerts.
Select the check boxes next to the alerts that you want to link to an incident.
If you want to link alerts to an existing incident:
1. Click the Link to incident button.
2. Select an incident to link the alerts to.
Alternatively, click an alert to display its details and click the Link to incident button in the toolbar at the top.
If you want to link alerts to a new incident:
1. Click the Create incident button.
2. Fill in the properties of the new incident: name, assignee, priority, and description.
Alternatively, click an alert to display its details and click the Create incident button in the toolbar at the top.
Click the Save button.

The selected alerts are linked to an existing or new incident.

Linking alerts automatically

If you want alerts to automatically link to an incident, you have to configure segmentation rules.