An incident is created when one or more interesting events are sent from the Canary to its console.
The incident is therefore a collection of similar events, correlated together if:
- the source IP address is the same
- the Canary service is the same
- the events occur within a small timeframe of each other
If ALL of the above criteria apply to multiple events, these events are correlated into a single incident.
Each incident will generate a single alert, dependent on the alerting mechanism set up in the console.
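The correlation rule above, written out as an added example rather than Canary's own code: events that share a source IP and a Canary service are grouped into one incident while each stays within a time window of the group's latest event, and every resulting incident would raise one alert. The five-minute window, the "gap since the latest event" reading of "small timeframe", and the sample events are all constructed, since the page gives no figure.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: the page only says "a small timeframe"; five minutes is constructed.
WINDOW = timedelta(minutes=5)

@dataclass
class Event:
    timestamp: datetime
    src_ip: str
    service: str

@dataclass
class Incident:
    src_ip: str
    service: str
    events: list = field(default_factory=list)

def correlate(events, window=WINDOW):
    """Group events into incidents by (source IP, Canary service), opening a
    new incident when the gap since that group's latest event exceeds window."""
    incidents, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.src_ip, ev.service)
        inc = open_by_key.get(key)
        if inc is None or ev.timestamp - inc.events[-1].timestamp > window:
            inc = Incident(ev.src_ip, ev.service)  # not all three criteria met
            incidents.append(inc)
            open_by_key[key] = inc
        inc.events.append(ev)
    return incidents

def sample_incidents():
    """Constructed events: three SSH probes from one host within a minute, one
    HTTP hit from it, one SSH probe from another host, one late SSH probe."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    events = [
        Event(t0, "10.0.0.5", "ssh"),
        Event(t0 + timedelta(seconds=30), "10.0.0.5", "ssh"),
        Event(t0 + timedelta(seconds=45), "10.0.0.5", "http"),
        Event(t0 + timedelta(seconds=50), "10.0.0.9", "ssh"),
        Event(t0 + timedelta(seconds=70), "10.0.0.5", "ssh"),
        Event(t0 + timedelta(minutes=30), "10.0.0.5", "ssh"),
    ]
    return correlate(events)

if __name__ == "__main__":
    for inc in sample_incidents():  # one alert is raised per incident
        print(f"{inc.src_ip} {inc.service}: {len(inc.events)} event(s)")
```

Six events collapse into four incidents here: the SSH probes from 10.0.0.5 within the window merge, while a different service, a different source, or a gap longer than the window each start a new incident.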
To acknowledge an incident, click on the button labelled "Acknowledge".
You can also acknowledge an alert by clicking the eye icon next to it, as shown in the image below.
The incident has now been acknowledged, but will still be stored within the console's database.
To access the alert again, do the following:
- Under the Alerts tab in the top right corner, click on Filter Incidents.
- Click on Acknowledged Alerts.
You will then be able to see all of the alerts you have previously acknowledged.
Should you wish to remove the incident from the console entirely, you can select the alert you wish to delete and click on the "Delete Incident" button.
Clicking the eye icon marks the incident as "Unacknowledged".
Note: An incident must be marked as acknowledged before it can be deleted.