Improved Alert Workflows
We've improved the ways you can work with alerts in Early access and added the ability to promote alerts from global threat alerts to the SecureX incident manager.
To use the SecureX incident manager integration, enable SecureX integration in the Application Settings of the global threat alerts console.
In the header of the global threat alerts console, click Early access to enable it.
Once Early access is enabled, each alert has one of three statuses: New, Open, or Closed.
A New alert's status can be changed using the Open or Close button.
While global threat alerts continues to focus on its core competencies, such as extended detections and efficient alert triage, it now integrates more tightly with the SecureX ecosystem, using just one click to promote detections to the incident response workflow in SecureX.
When an alert is opened, you have the option to:
- Open and link the alert to a new incident
- Open and link the alert to an existing incident
- Open only
In the SecureX incident manager, the incident contains details such as a Summary and all the security Events and Observables from the original alert. You can then investigate and respond further, using SecureX features such as investigation, enrichment, and orchestration.
When you don't want to promote an alert to an incident, choose Open only and track the work on the global threat alerts console alone.
In both cases you can Close alerts when you're done with them. When closing an alert, pick from a new set of predefined Closing reasons or provide your own.
When closing an alert, you can close it as useful or not useful. You can also provide additional feedback about the alert to the team at Cisco; your valuable feedback helps us improve future detections.
Closing reasons are recorded as part of the alert for future reference.
Closed alerts can be re-opened. Re-opening an alert removes all of its closing reasons and any references to previously linked SecureX incidents. You can then choose to link the alert again, even to the same SecureX incident as before.
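As an added illustration (not Cisco's code and not the SecureX API), here is a small Python model of the alert lifecycle described in this post, including the rule that re-opening an alert clears its closing reasons and incident links. The IncidentManager class, the incident ids, and the sample events and observables are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

class AlertStateError(Exception): pass  # transition not allowed from current status

@dataclass
class Alert:
    alert_id: str
    events: List[str]                  # constructed sample event ids
    observables: List[str]             # constructed sample observables
    status: str = "New"                # New | Open | Closed
    incident_id: Optional[str] = None  # linked incident, if promoted
    closing_reasons: List[str] = field(default_factory=list)
    useful: Optional[bool] = None      # closed as useful / not useful

class IncidentManager:
    """Hypothetical stand-in for the incident manager; stores incidents by id."""
    def __init__(self) -> None:
        self.incidents: Dict[str, dict] = {}

    def create_incident(self, alert: Alert) -> str:
        # A new incident carries the alert's summary, events and observables.
        incident_id = f"incident-{len(self.incidents) + 1}"
        self.incidents[incident_id] = {"summary": f"Promoted from alert {alert.alert_id}",
                                       "events": list(alert.events),
                                       "observables": list(alert.observables)}
        return incident_id

def open_alert(alert: Alert, mgr: IncidentManager, link: Optional[str] = None) -> Alert:
    """Open a New or Closed alert. link is "new", an existing incident id, or None (Open only)."""
    if alert.status == "Open":
        raise AlertStateError("alert is already open")
    if alert.status == "Closed":
        # Re-opening removes closing reasons and any reference to a linked incident.
        alert.closing_reasons, alert.useful, alert.incident_id = [], None, None
    alert.status = "Open"
    if link == "new":
        alert.incident_id = mgr.create_incident(alert)
    elif link is not None:
        if link not in mgr.incidents:
            raise AlertStateError(f"unknown incident {link}")
        alert.incident_id = link  # linking again, even to the same incident, is allowed
    return alert

def close_alert(alert: Alert, reasons: List[str], useful: bool) -> Alert:
    """Close a New or Open alert with one or more predefined or custom closing reasons."""
    if alert.status == "Closed" or not reasons:
        raise AlertStateError("alert already closed or no closing reason given")
    alert.status, alert.closing_reasons, alert.useful = "Closed", list(reasons), useful
    return alert
```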