Symantec 10268947 User Guide - Page 99

Incidents and Events 99 Monitoring events 6 In Node List, do one of the following: ■ In Show Incidents from Node #, click 1 from the pull-down list to show only incidents from the selected software or appliance node, or All (except standby) to view incidents from all the software or appliance nodes within the topology excluding standby nodes. ■ Click Include Backup Nodes to preserve incidents during a failover scenario. 7 In Incident Hours, do one of the following: ■ In Maximum Incident Hours to Display, enter a value to limit the total number of hours. ■ In Maximum Incidents Within Incident Hours, enter a value to limit the total number of incidents within the hour limit. 8 Click Apply to save and exit. See the following for related information: ■ See "Marking incidents as viewed" on page 95. Monitoring events An incident is a possible attack composed of multiple related events. When the sensor detects a suspicious event, it correlates the event to an incident containing related events. Event types are group names for one or more base events. Incidents consist of one or more event types, and event types consist of one or more base events. The Network Security console displays event data in the lower pane below the Incident table. With any account, you can annotate events and mark incidents to improve incident tracking, management, assignment, and response to enterprise threats. Viewing event data The Incidents tab contains an upper and lower pane: Incidents, and Events at Selected Incident. In the upper pane, information about each incident is displayed. View the event data that is specific to a particular incident by clicking the respective incident row. The related event information is then displayed in the lower pane. To view event data 1 In the Incidents tab, click an incident row. 2 Related events are displayed in the lower Events at Selected Incident pane.