If the SOC analysts determine that there is a threat in an organization's environment, an incident is created, or an existing investigation is promoted to an incident.
Incidents are similar to investigations in that they include investigative actions and have a similar look and feel. Incidents, however, also include findings. Findings record the details that answer the common questions:
What is it?
Where is it?
When did it get here?
How did it get here?
Incidents can also include remediation and resilience actions.