We're trying to figure out the best way to use the Alarms dashboard. We're unable to figure out how to use the 'Alarms' in a way that allows us to apply basic SOC workflow functions.
We know we can create a case easily from here, but what we cannot figure out is how/where the analyst is supposed to manage and disposition the alarm. I don't see any place to disposition or dismiss the alarm, or to add any type of notes to the alarm. I also don't see a way to associate or collapse multiple alarms into one.
I don't think it's realistic to move all alarms into a case management system. Is there something that I'm missing here?
No, you're not missing anything.
There's no option of leaving notes etc. on the Alarms...
I posted an idea for that on the McAfee Ideas Site, but they just closed it...
Sadly, no option.
Best Regards👍👍👍
David.
The case management inside the SIEM is pretty terrible; it was clearly added as an afterthought.
Most alarms that I make are basically just "auto-acknowledged" and tied to some event, such as emailing, adding things to watchlists, etc...
You might want to try to do an integration to a ticketing system to really track things a little better.
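The workflow steps this thread says the Alarms dashboard lacks (collapsing related alarms into one work item, recording a disposition and analyst notes, and handing only confirmed items to an external ticketing system) are straightforward to supply in a thin layer outside the SIEM. The following is an added illustration, not McAfee's code or anything posted in the thread: the alarm fields, the grouping key (rule plus host), the disposition vocabulary, the severity threshold and the ticket payload shape are all assumptions, and the sample alarms are constructed.

```python
"""Minimal alarm triage layer: collapse, disposition, notes, ticket hand-off.

Added example, not McAfee ESM code. Alarm fields, grouping key, disposition
names and the ticket payload are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Disposition vocabulary is an assumption; adjust to the SOC's own taxonomy.
VALID_DISPOSITIONS = {"true_positive", "false_positive", "benign", "dismissed"}


@dataclass
class Alarm:
    alarm_id: str
    rule: str
    host: str
    severity: int       # assumed numeric scale, higher is worse
    first_seen: str     # ISO-8601 timestamp


@dataclass
class AlarmGroup:
    """Several related alarms collapsed into one unit of analyst work."""
    key: str
    alarms: List[Alarm] = field(default_factory=list)
    disposition: Optional[str] = None
    notes: List[str] = field(default_factory=list)

    @property
    def max_severity(self) -> int:
        return max(a.severity for a in self.alarms)


def collapse(alarms: List[Alarm]) -> Dict[str, AlarmGroup]:
    """Group alarms that fire the same rule on the same host into one item.

    The key is an assumption; a SOC might instead group on rule plus user,
    or on a correlation id the SIEM already provides.
    """
    groups: Dict[str, AlarmGroup] = {}
    for alarm in alarms:
        key = f"{alarm.rule}|{alarm.host}"
        groups.setdefault(key, AlarmGroup(key)).alarms.append(alarm)
    return groups


def disposition(group: AlarmGroup, verdict: str, analyst: str, note: str) -> None:
    """Record the analyst's verdict and an attributed note on the whole group."""
    if verdict not in VALID_DISPOSITIONS:
        raise ValueError(f"unknown disposition {verdict!r}")
    group.disposition = verdict
    group.notes.append(f"{analyst}: {note}")


def to_ticket(group: AlarmGroup, min_severity: int = 50) -> Optional[dict]:
    """Build a ticket payload for an external system, or None if the group
    should stay out of case management (not confirmed, or below threshold)."""
    if group.disposition != "true_positive" or group.max_severity < min_severity:
        return None
    first = group.alarms[0]
    return {
        "title": f"{first.rule} on {first.host} ({len(group.alarms)} alarms)",
        "severity": group.max_severity,
        "alarm_ids": [a.alarm_id for a in group.alarms],
        "first_seen": min(a.first_seen for a in group.alarms),
        "notes": list(group.notes),
    }


# Constructed sample alarms: two repeats of one rule on one host, one unrelated.
SAMPLE_ALARMS = [
    Alarm("A-1", "Brute force login", "host-a", 70, "2024-01-01T10:00:00Z"),
    Alarm("A-2", "Brute force login", "host-a", 75, "2024-01-01T10:02:00Z"),
    Alarm("A-3", "New admin account", "host-b", 40, "2024-01-01T10:05:00Z"),
]

if __name__ == "__main__":
    groups = collapse(SAMPLE_ALARMS)
    bf = groups["Brute force login|host-a"]
    disposition(bf, "true_positive", "analyst1", "confirmed against auth logs")
    print(to_ticket(bf))
    adm = groups["New admin account|host-b"]
    disposition(adm, "dismissed", "analyst1", "matches approved change")
    print(to_ticket(adm))
```

Only groups the analyst has marked as true positives and that meet the severity threshold become tickets, which is the practical answer to the original poster's point that moving every alarm into case management is unrealistic; everything else keeps its disposition and notes in this layer for audit.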