We're trying to figure out the best way to use the Alarms dashboard. We're unable to figure out how to use the 'Alarms' in a way that allows us to apply basic SOC workflow functions.
Analyst acknowledges alarm
Analyst begins triage
Analyst decides to dismiss alarm (FP, etc) or decides to escalate (create case)
We know we can create a case easily from here, but what we cannot figure out is how/where the analyst is supposed to manage and disposition the alarm. I don't see any place to disposition or dismiss the alarm, or to add any type of notes to the alarm. I also don't see a way to associate or collapse multiple alarms into one.
I don't think it's realistic to move all alarms into a case management system. Is there something that I'm missing here?