An incident is created when one or more interesting events are sent from the Canary to its console.
The incident is therefore a collection of similar events, correlated together if:
- the source IP address is the same
- the Canary service is the same
- the events occur within a small timeframe of each other
If ALL of the above criteria apply to multiple events, these events are correlated into a single incident.
Each incident will generate a single alert, dependent on the alerting mechanism set up in the console.
In order to acknowledge an incident, click on the button labelled "Mark as seen".
The incident has now been acknowledged, but will still be stored within the console's database.
Clicking on the Canary will show incidents which have already been marked as "seen".
Should you wish to remove the incident from the console entirely, you can either do so when initially marking the incident as seen:
... or by clicking on a Canary with seen incidents, and clicking on the trash can (ALL) icon OR by clicking on the trash can icon next to a specific event:
Clicking on the eye icon would mark the incident as "unseen". An incident must be marked as seen before it can be deleted (the trash can icon will not show next to unseen incidents).
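The correlation rules and the seen/delete lifecycle described above, written out as an added Python example (this is not Thinkst Canary's own code and does not use its API). It groups constructed sample events into incidents only when all three criteria hold, raises exactly one alert per incident, and refuses deletion of an incident that has not yet been marked as seen. The 60-second correlation window is an assumption; the page only says "a small timeframe".

```python
"""Illustrative model of Canary incident correlation and lifecycle.

Added example, not Thinkst Canary code. It implements the three stated
correlation criteria (same source IP, same Canary service, events close
together in time). The 60-second window below is an assumption, since
the page gives no figure.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed correlation window; the page only says "a small timeframe".
CORRELATION_WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    source_ip: str
    service: str      # e.g. "ssh", "smb", "http"
    detail: str


@dataclass
class Incident:
    source_ip: str
    service: str
    events: list = field(default_factory=list)
    seen: bool = False

    @property
    def last_event_at(self) -> datetime:
        return self.events[-1].timestamp

    def mark_seen(self) -> None:
        self.seen = True

    def mark_unseen(self) -> None:
        self.seen = False


class Console:
    """Holds incidents; each new incident raises exactly one alert."""

    def __init__(self, window: timedelta = CORRELATION_WINDOW):
        self.window = window
        self.incidents: list[Incident] = []
        self.alerts: list[str] = []

    def ingest(self, event: Event) -> Incident:
        # Correlate only when ALL three criteria hold: same source IP,
        # same service, and the new event lies within the window of the
        # incident's most recent event. Otherwise open a new incident.
        for inc in self.incidents:
            gap = abs(event.timestamp - inc.last_event_at)
            if (inc.source_ip == event.source_ip
                    and inc.service == event.service
                    and gap <= self.window):
                inc.events.append(event)
                return inc
        inc = Incident(event.source_ip, event.service, [event])
        self.incidents.append(inc)
        # One alert per incident, however many events it later absorbs.
        self.alerts.append(f"{inc.service} from {inc.source_ip}")
        return inc

    def delete(self, inc: Incident) -> bool:
        # Deletion is only offered for incidents already marked as seen
        # (the trash can icon is not shown next to unseen incidents).
        if not inc.seen:
            return False
        self.incidents.remove(inc)
        return True


def demo() -> Console:
    """Constructed sample events: an SSH probe burst, an SMB touch from a
    second host, and a later SSH retry that falls outside the window."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    sample = [
        Event(t0, "10.0.0.5", "ssh", "login attempt root"),
        Event(t0 + timedelta(seconds=10), "10.0.0.5", "ssh", "login attempt admin"),
        Event(t0 + timedelta(seconds=40), "10.0.0.5", "ssh", "login attempt guest"),
        Event(t0 + timedelta(seconds=50), "10.0.0.9", "smb", "share enumeration"),
        Event(t0 + timedelta(minutes=10), "10.0.0.5", "ssh", "login attempt root"),
    ]
    console = Console()
    for ev in sample:
        console.ingest(ev)
    return console


if __name__ == "__main__":
    c = demo()
    for inc in c.incidents:
        print(f"{inc.service:<4} {inc.source_ip:<10} events={len(inc.events)} seen={inc.seen}")
    print("alerts raised:", len(c.alerts))
```

With the sample input, the first three SSH events fold into one incident (each is within 60 s of the previous one), the SMB event opens a second incident because the source IP and service differ, and the SSH retry ten minutes later opens a third because the gap exceeds the window; three incidents mean three alerts. Note that the window is measured from the incident's most recent event, so a slow but steady probe keeps extending one incident rather than generating a fresh alert per event.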