Symantec Security Information Manager facilitates efficient and appropriate management of security incidents and alerting (nonsecurity) incidents. An incident is derived from one or more events that are logged in the event database.
For example, when a firewall-down event occurs, an alerting incident could be generated. A security incident might be created when an internal port sweep event occurs. The term "incidents" includes both security incidents and alerting incidents.
Automated incident creation
The Correlation Manager creates incidents from events, and then the events are assigned according to automatic assignment rules.
Manual incident creation
The analyst determines which events are related and manually correlates the events by grouping them as a single incident.
When you create a custom rule on the Rules page, you can specify the type of incident that the rule will generate. If you check the Alerting Incident box on the Actions tab of the rule form, the Correlation Manager generates an alerting incident. If this box is unchecked, the Correlation Manager generates a security incident. You can also set the incident type manually.
Information Manager provides the analyst with recommended actions to be completed, including remediation options that are associated with the incident type. A history log tracks any changes to the incident and lets the analyst note important facts.
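The automated path described above, as an added illustration and not Symantec's own code: a toy correlation manager in which a rule's "Alerting Incident" flag decides the incident type, repeated matching events from one source are grouped into a single incident, and every change is written to the incident's history log. The event kinds, rule names and assignees are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Event:
    event_id: int
    kind: str    # constructed event kinds such as "firewall_down" or "port_sweep"
    source: str  # reporting device or host

@dataclass
class Rule:
    name: str
    kind: str                # event kind the rule fires on
    alerting_incident: bool  # the "Alerting Incident" checkbox; unchecked means a security incident
    assign_to: str           # stands in for the automatic assignment rule

@dataclass
class Incident:
    incident_type: str       # "alerting" or "security"
    assignee: str
    event_ids: List[int]     # events correlated into this incident
    history: List[str]       # the incident history log

class CorrelationManager:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.open: Dict[Tuple[str, str], Incident] = {}  # (rule name, source) -> incident

    def process(self, event: Event) -> Optional[Incident]:
        rule = next((r for r in self.rules if r.kind == event.kind), None)
        if rule is None:
            return None  # no rule matched: the event stays in the event database only
        key = (rule.name, event.source)
        if key in self.open:  # further events from the same source join the existing incident
            inc = self.open[key]
            inc.event_ids.append(event.event_id)
            inc.history.append(f"event {event.event_id} correlated")
            return inc
        inc = Incident("alerting" if rule.alerting_incident else "security", rule.assign_to,
                       [event.event_id], [f"created from event {event.event_id}, assigned to {rule.assign_to}"])
        self.open[key] = inc
        return inc

def run_demo() -> List[Incident]:
    # Constructed rules and events: firewall-down yields an alerting incident, port sweeps a security incident.
    cm = CorrelationManager([Rule("Firewall down", "firewall_down", True, "network-ops"),
                             Rule("Internal port sweep", "port_sweep", False, "soc-tier1")])
    for ev in [Event(1, "firewall_down", "fw01"), Event(2, "port_sweep", "10.0.0.5"),
               Event(3, "port_sweep", "10.0.0.5"), Event(4, "login_ok", "srv1")]:
        cm.process(ev)
    return list(cm.open.values())
```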