
List of Incidents created for a source IP

Created: 11 Mar 2013 | 2 comments

Hi,

Can someone please help me create a SSIM query to list all incidents created for a given source IP...

Thanks.

Comments

olaf:

You would need to run an Advanced SQL query for that.

Example:
-- Incidents (by internal incident_id) that contain at least one event from the given source IP.
-- GROUP BY with no aggregate is used here only to collapse duplicate event rows.
SELECT a.source_ip, b.incident_id, b.incident_code
FROM SYMCMGMT.SYMC_IMR_ASSOCIATED_EVENT_VIEW a
JOIN SYMCMGMT.SYMC_IMR_INCIDENT_LIST_VIEW b
  ON a.incident_id = b.incident_id
WHERE b.disposition_id = 3
  AND a.source_ip = '10.6.6.20'   -- qualified with a. so the filter is unambiguous
GROUP BY a.source_ip, b.incident_id, b.incident_code

This would list all the incidents (opened and closed), which contain an event with source IP 10.6.6.20.

Just to be clear, an Incident can have multiple source IPs. That means the events which triggered the incident can actually have different source IPs as origin.

olaf:

It is probably better to return the reference_num instead of the incident_id, as the reference_num can be found in the SSIM Console when looking at Incidents in the Incidents view.

-- Same query, but returning reference_num, which is what the SSIM Console shows in the Incidents view.
SELECT a.source_ip, b.reference_num, b.incident_code
FROM SYMCMGMT.SYMC_IMR_ASSOCIATED_EVENT_VIEW a
JOIN SYMCMGMT.SYMC_IMR_INCIDENT_LIST_VIEW b
  ON a.incident_id = b.incident_id
WHERE b.disposition_id = 3
  AND a.source_ip = '10.6.6.20'   -- qualified with a. so the filter is unambiguous
GROUP BY a.source_ip, b.reference_num, b.incident_code
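To show how the query in the two comments above behaves, including the caveat that one incident can have events from several source IPs, here is an added, self-contained example that is not from the thread or from Symantec. It builds stand-in tables with the same names as the two SSIM views in an in-memory SQLite database (the real views live in SSIM's database and have more columns), loads a few constructed rows, and runs the reference_num variant of the query parameterised on the IP. The sample incident data, the meaning attached to disposition_id values other than 3, and the ORDER BY are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (not from SSIM): incident 1002 has events from two
# different source IPs, so it is expected to appear under both of them.
ASSOCIATED_EVENTS = [
    # (incident_id, source_ip)
    (1001, "10.6.6.20"),
    (1001, "10.6.6.20"),   # duplicate event row; collapsed by GROUP BY
    (1002, "10.6.6.20"),
    (1002, "192.0.2.7"),   # same incident, second origin IP
    (1003, "192.0.2.7"),
    (1004, "10.6.6.20"),   # belongs to an incident the disposition filter drops
]
INCIDENTS = [
    # (incident_id, reference_num, incident_code, disposition_id)
    (1001, "INC-2013-0001", "PortScan", 3),
    (1002, "INC-2013-0002", "BruteForce", 3),
    (1003, "INC-2013-0003", "PortScan", 3),
    (1004, "INC-2013-0004", "Malware", 1),   # assumed: not matched by disposition_id = 3
]

# The query from the comments above, with the literal IP replaced by a bind parameter.
QUERY = """
SELECT a.source_ip, b.reference_num, b.incident_code
FROM SYMCMGMT.SYMC_IMR_ASSOCIATED_EVENT_VIEW a
JOIN SYMCMGMT.SYMC_IMR_INCIDENT_LIST_VIEW b
  ON a.incident_id = b.incident_id
WHERE b.disposition_id = 3
  AND a.source_ip = ?
GROUP BY a.source_ip, b.reference_num, b.incident_code
ORDER BY b.reference_num
"""


def build_db():
    """Create stand-in tables under a SYMCMGMT schema so the query runs unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS SYMCMGMT")
    conn.execute(
        "CREATE TABLE SYMCMGMT.SYMC_IMR_ASSOCIATED_EVENT_VIEW "
        "(incident_id INTEGER, source_ip TEXT)"
    )
    conn.execute(
        "CREATE TABLE SYMCMGMT.SYMC_IMR_INCIDENT_LIST_VIEW "
        "(incident_id INTEGER, reference_num TEXT, incident_code TEXT, disposition_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO SYMCMGMT.SYMC_IMR_ASSOCIATED_EVENT_VIEW VALUES (?, ?)", ASSOCIATED_EVENTS
    )
    conn.executemany(
        "INSERT INTO SYMCMGMT.SYMC_IMR_INCIDENT_LIST_VIEW VALUES (?, ?, ?, ?)", INCIDENTS
    )
    return conn


def incidents_for_source_ip(conn, ip):
    """Return (source_ip, reference_num, incident_code) rows for incidents touched by `ip`."""
    return conn.execute(QUERY, (ip,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for ip in ("10.6.6.20", "192.0.2.7"):
        print(ip)
        for row in incidents_for_source_ip(db, ip):
            print("   ", row)
```

Running it lists INC-2013-0001 and INC-2013-0002 for 10.6.6.20 and INC-2013-0002 and INC-2013-0003 for 192.0.2.7: the second incident shows up under both addresses, which is exactly the multi-source-IP behaviour olaf warns about, and the incident with a different disposition never appears even though it has a matching event.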