About incident management

Symantec Security Information Manager facilitates efficient and appropriate management of security incidents and alerting (nonsecurity) incidents. An incident is derived from one or more events that are logged in the event database.

For example, when a firewall-down event occurs, an alerting incident could be generated. A security incident might be created when an internal port sweep event occurs. The term "incidents" includes both security incidents and alerting incidents.

Incident management begins when an incident is created. Information Manager provides two methods of incident creation:

When you create a custom rule on the Rules page, you can specify the type of incident that the rule will generate. If you check the Alerting Incident box on the Actions tab of the rule form, the Correlation Manager generates an alerting incident. If this box is unchecked, the Correlation Manager generates a security incident. You can also set the incident type manually.

See the Symantec Security Information Manager Administrator's Guide for information about creating custom rules.

After an event or group of events is selected and identified as an incident, the incident is assigned to an analyst for investigation and resolution.

Information Manager provides the analyst with recommended actions to be completed, including remediation options that are associated with the incident type. A history log tracks any changes to the incident and lets the analyst note important facts.