What is the difference between an Alerting Incident and a Security Incident?


An Alerting Incident is any rule-based incident that is NOT security related. For example, if the appliance receives a "Disk Space is Low" event and the rule is set up to generate an incident, then as long as the "Alerting Incident" check box is checked for that rule, it will generate an Alerting Incident. This means the incident is filed under the Alerting Incident filters rather than the Security Incident filters. You can see this from the Incidents Tile > Filter (click the pull-down arrow box), where you have the option to view incidents by Security Incident filters or by Alerting Incident filters.

If you do not check the "Alerting Incident" box, the incident becomes a "Security Incident" by default. An example of a security incident would be a host intrusion event that generated a security incident. You may also change a minor Security Incident into an Alerting Incident by checking the box in the associated rule:

Rules Tile > Correlation Rules > User Rules > (Name of Custom Rule) > Actions Tab

(NOTE: Do not confuse the "Alerting Incident" check box functionality with the "Notification" pane functionality.  They are two different things.  To learn more about the Notification pane, see this KB article: