Skip to main content


Adds new events to an existing NetWitness SA incident.

Script Data#

Script Typepython
TagsRSA NetWitness Security Analytics


This script uses the following commands and scripts.

  • nw-add-events-to-incident


Argument NameDescription
incidentIdThe existing incident ID. (string)
eventListThe list of event IDs separated by a comma (,), this must not include spaces in it. In order to get list of events you can use nw-get-events. For example, "23,12,3". (array of strings)
alertSummaryThe short summary of the alert that will be attached to incident. (string)
severityThe severity of the incident. For example, 50. (number)
deviceIdThe ID of the device/component. For example, Concentrator, Log Decoder, Packet Decoder, etc... from which the events are. The list of devices can be viewed by executing the command nw-get-components. (number)
incidentManagementIdThe ID of the NetWitness INCIDENT_MANAGEMENT device/component ID. It can be received by running nw-get-component command. If this argument is not filled/passed, the script will automatically get the first device of type INCIDENT_MANAGEMENT from the SA server. (optional number)


There are no outputs for this script.