Create Actions for Incidents
To perform an incident response task, you can create and associate an action with an incident. You can also associate an action with a specific incident response phase. For example, during the Containment phase, if you want to block an IP address, you can create an action and assign a security analyst to block the IP address.
To view the actions that are already associated with an incident, go to Actions on the left. You can view the associated actions under the following sections:
All: Displays all the actions associated with the incident.
Incident Phases: Displays the actions that are mapped to the respective incident phases.
Note
The phases that appear on Actions depend on the incident workflow that the incident uses.
To create and associate an action with an incident, do the following:
Open an incident and select Actions on the left.
Do one of the following:
To create and associate the action with a specific phase, select the phase tab.
To create a generic action, select All.
In the top-right corner, click Add Action.
Enter the action details. For more information, see Create Action.
Click Submit.
Change Associated Phase of an Action
You can move an action that is associated with a phase to another phase. For example, if an action is associated with the Containment phase, but must be performed during the Eradication phase, then move the action to the Eradication phase.
Note
Mapped actions that are created by the system using action templates cannot be moved from one phase to another.
To change the phase of an action, do the following:
Open an incident and select Actions on the left.
Go to a phase and select an action.
In the top-right corner, click Change Phase.
Select the phase to which you want to move the action.
In the confirmation message, click Yes, Proceed.