We're trying to figure out the best way to use the Alarms dashboard. We're unable to figure out how to use the 'Alarms' in a way that allows us to apply basic SOC workflow functions.
We know we can create a case easily from here, but what we cannot figure out is how/where the analyst is supposed to manage and disposition the alarm. I don't see any place to disposition or dismiss the alarm. Or to add any type of notes to the alarm. I also don't see a way to associate or collapse multiple alarms into one.
I don't think it's realistic to move all alarms into a case management system. Is there something that I'm missing here?
No, you're not missing anything.
There's no option for leaving notes etc. on the Alarms...
I posted an idea for that on the McAfee Ideas Site, but they just closed it...
sadly, no option.
The case management inside the SIEM is pretty terrible; it was clearly added as an afterthought.
Most alarms that I make are basically just "auto-acknowledged" and tied to some event, such as emailing, adding things to watchlists, etc...
You might want to try to do an integration to a ticketing system to really track things a little better.