Event Tickets

Working with Event Tickets

An Event Ticket is a work ticket for a Correlated Event (see How does Event Correlation work?). If a Correlation Rule has an Event-Management Database as an Output, and the rule's Ticket tab has been configured in the Settings panel, the Correlation Engine creates an Event Ticket whenever the rule saves a Correlated Event in the database. You can also create Event Tickets in the Event-Database Viewer. For more information, see:

Defining a Correlation Rule

Working with the Event-Database Viewer

In the Ticket Center, you can create new Event Tickets and review existing tickets. In the properties of an Event Ticket, you can enter notes about the ticket's Correlated Event, such as updates on any related work performed.

To run a report for an Event Ticket, see Generating an Event-Ticket Report.

To assign an Event Ticket to an Event or Host in the Event-Database Viewer, see Working with Event Tickets in the Event-Database Viewer.

To view, create, change, or delete Event Tickets:

In the side bar, select Resources >

Ticket Center.

In the workspace table, TLC lists all of the Event Tickets in your TLC environment. Each column represents a field in the properties of Event Tickets (see Table 105).

Tip	You can sort, group, and filter the contents of tables. For more information, see Working with Tables).

Tip	To add and/or remove columns, click the Field Chooser button in the upper-left corner of the main pane.

The Ticket Center provides a number of ways to filter the Event Tickets in the main pane.

To limit the main pane to tickets with an open or closed status, select Open or Closed from the Display Filter drop-down.

To limit the main pane to tickets that have a specific value for a field, expand the Tickets group in the side bar to display sub-groups that represent Event Ticket fields. Expand the field's sub-group and select the value. For example, to display all Event Tickets for which the Administrator account is currently the user to whom the ticket is assigned, expand the Assigned User sub-group and select the Administrator account.

To further modify the appearance and contents of the table in the main pane:

From the Time Filter drop-down, select a time period to filter the displayed items.

To change the table's columns, or to filter the table based on column values, see Working with Tables.

To create a new Event Ticket:

Click

Create.

In the Ticket tab, complete the standard fields (see Table 105).

Complete the tabs in the Ticket tab (see Table 106) and click Save & Close.

To modify an existing Event Ticket:

In the workspace, double-click the ticket.

As needed, edit the Ticket tab and click Save & Close.

To generate a report for an Event Ticket, select the ticket in the workspace and click Open Ticket in Report Generate Report for selected ticket.

To delete an Event Ticket:

In the workspace, select the ticket(s) and click Delete

Delete selected tickets.

In the confirmation dialog, click Yes.

Tips	You can also run a report for the Event Ticket by double-clicking the ticket in the main pane, and then clicking View Report in the Ticket tab. Since TLC experiences performance degradation when the total number of Event Tickets and notifications exceeds 5,000, Tripwire recommends that you monitor the number of tickets and notifications in your TLC environment. For more information about notifications, see Working with Notifications.

Tips

You can also run a report for the Event Ticket by double-clicking the ticket in the main pane, and then clicking View Report in the Ticket tab.

Since TLC experiences performance degradation when the total number of Event Tickets and notifications exceeds 5,000, Tripwire recommends that you monitor the number of tickets and notifications in your TLC environment. For more information about notifications, see Working with Notifications.

Table 105. Standard fields in the Event Ticket properties dialog
Field	Description
Name	The name of the Event Ticket.
Closed	To close the ticket, select this check box.
Priority	The severity of the ticket's Correlated Event.
Assigned User	The user currently assigned to the ticket.
Assigned Group	(Optional) Limits access to the ticket to a specific user group.
Ticket Group	The group to which the ticket belongs. To create a Ticket Group, see Working with Global Event-Ticket Settings.
Category	A classification for the type of event documented by the ticket.
Status	The current status of the ticket. New indicates a newly created ticket. To open a new ticket, select Open. If you are the person responsible for working on the ticket, or the person who will delegate the ticket to others, select Acknowledged to indicate that you are aware of the ticket. To begin work on the ticket, select In Progress. Upon completion of your work, select Closed. At any time, you can suspend the ticket by assigning a Status of Pending or On Hold.
Created by	The user or Correlation Engine that created the ticket.
Modified by	The last user to change the properties of the ticket.
Available to all Users	If enabled, all users can work with the ticket. Otherwise, only users in the Assigned Group can work with the ticket.
Date created	The time and date when the ticket was created.
Date updated	The time and date when the ticket's properties were last changed.

Table 106. Tabs in the Event Ticket properties dialog
Tab	Description
Description	A description of the Event Ticket.
Notes	Notes about any past, ongoing, or future work related to the event represented by the ticket. To add a Note: 1. ClickAdd. 2. In the Note dialog, enter the text of the Note. 3. (Optional) To prevent other users from viewing the Note, select Private Note. 4. Click Save & Close. To edit a Note: 1. Double-click the Note. 2. In the Note dialog, edit the text of the Note and click Save & Close. To delete one or more Notes: 1. Select the Note(s) and clickDelete. 2. In the confirmation dialog, click Yes.
Related Items	Events, Hosts, and other items associated with the Event Ticket. To add a Related Item: 1. ClickAdd. 2. In the Add Related Item dialog, enter the ID for the item in the Unique Item ID field and click Look Up. Tip: To locate the item's ID, open the properties dialog for the item. For example, for the ID of an Event, open the Event in the Event-Database Viewer (see Working with the Event-Database Viewer). 3. Click Save & Close. To view the properties of a Related Item, clickView Related Item. To delete a Related Item: 1. Select the item and clickDelete. 2. In the confirmation dialog, click Yes.
Related Tickets	Other Event Tickets for Correlated Events that may be related to the event represented by this ticket. To add a ticket: 1. ClickAdd. 2. In the Related Tickets dialog, select a Correlated Event field from the In drop-down. For field descriptions, click here. 3. In the Search For field, enter a search string or select a value from the drop-down. 4. (Optional) To include closed Event Tickets in the search, select Show Closed. 5. Click Search. 6. Select the Event Tickets to be added and enter a Description of their relationship to this Event Ticket. 7. Click Save & Close. To edit the description of an Event Ticket's relationship to this ticket: 1. Double-click the ticket. 2. In the Edit Related Ticket dialog, edit the Description and click Save & Close. To remove one or more Event Tickets from this ticket: 1. Select the ticket(s) and clickDelete. 2. In the confirmation dialog, click Yes. To open an Event Ticket in a Ticket tab, clickView Related Ticket.
IP Tags	IP Tags for the Event Ticket. For more information, see Working with IP Tags.
Event References	Event references are used to gather more information about Events. For example, if the ticket is associated with an IDS Event, you can enter the URL of a Web site that provides details about IDS Events in the Reference Type field and click Get Details. TLC then presents any related information gathered from the Web site.