Hello everyone!
Here's This Week's Top Question (TWTQ):
Q: How do I automatically assign incident tickets to the concerned user?
A: EventLog Analyzer's built-in incident management module allows you to manage all security incident alerts as tickets. You can assign the incident tickets to any of the product users, track their status on a central dashboard, add notes relevant to the incident resolution, and more.
You can create rules to automatically assign incident tickets to any of the product users. These rules are based on the alert profile, or device/device group which triggered the alert. To do this, go to:
Alerts > Alert Configurations (on the left menu) > Assign Rules
Click on Add Rule to create a new rule. Provide the required details, including the rule name, the criteria, and the user to whom the incidents are to be assigned.
Once you have created a rule, all incidents matching the given criteria are automatically assigned to the selected user. For example, a rule can assign all threat feed alerts (those belonging to the 'Default Threat' alert profile) or alerts raised by the Juniper firewall to the user 'operator'.
When you create more than one rule, you can even prioritize them. This way, when an alert matches more than one rule, it is assigned according to the rule of higher priority.
Let's say all threat feed alerts are to be assigned to Sarah, and alerts raised by your Juniper firewall are to be assigned to John.
Now suppose a malicious IP address from a threat feed is detected on the firewall. The alert matches both rules, but the ticket is assigned to Sarah, because the Threat Feed Alerts rule has a higher priority than the Firewall Alerts rule.
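To make the priority behaviour concrete, here is a small model of the assignment logic in Python. This is an added illustration written for this post, not code from EventLog Analyzer; the product does the matching for you in the UI. It assumes that a rule's criteria are an alert profile, a device or a device group (as described above), that a lower priority number means a higher priority, and it uses constructed device names such as 'juniper-fw-01' and 'dc-01' that are not from the post.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class Alert:
    """One security alert raised by the product (constructed sample data)."""
    profile: str            # alert profile that fired, e.g. 'Default Threat'
    device: str             # device that triggered the alert
    device_group: str = ""  # optional device group the device belongs to


@dataclass(frozen=True)
class AssignRule:
    """An auto-assign rule: who gets the ticket when the criteria match.

    Criteria mirror the post: alert profile, or device / device group.
    Priority is assumed to be a number where lower means higher priority.
    """
    name: str
    priority: int
    assignee: str
    profiles: frozenset = field(default_factory=frozenset)
    devices: frozenset = field(default_factory=frozenset)
    device_groups: frozenset = field(default_factory=frozenset)

    def matches(self, alert: Alert) -> bool:
        # A rule matches if any of its configured criteria fit the alert.
        return (
            alert.profile in self.profiles
            or alert.device in self.devices
            or (alert.device_group != "" and alert.device_group in self.device_groups)
        )


def check_priorities(rules) -> None:
    """Refuse ambiguous configurations where two rules share a priority."""
    seen = {}
    for rule in rules:
        if rule.priority in seen:
            raise ValueError(
                f"rules {seen[rule.priority]!r} and {rule.name!r} share priority {rule.priority}"
            )
        seen[rule.priority] = rule.name


def assign(alert: Alert, rules) -> Optional[Tuple[str, str]]:
    """Return (assignee, rule name) for the highest-priority matching rule,
    or None when no rule matches and the ticket stays unassigned."""
    check_priorities(rules)
    candidates = [r for r in rules if r.matches(alert)]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: r.priority)
    return best.assignee, best.name


# The two rules from the post, plus a device-group rule to show that criterion.
# Device and group names here are constructed for the example.
RULES = [
    AssignRule("Firewall Alerts", priority=2, assignee="John",
               devices=frozenset({"juniper-fw-01"})),
    AssignRule("Threat Feed Alerts", priority=1, assignee="Sarah",
               profiles=frozenset({"Default Threat"})),
    AssignRule("Domain Controller Alerts", priority=3, assignee="Ops",
               device_groups=frozenset({"Domain Controllers"})),
]


if __name__ == "__main__":
    # Threat feed hit on the firewall: matches both rules, Sarah wins on priority.
    print(assign(Alert("Default Threat", "juniper-fw-01"), RULES))
    # Ordinary firewall alert: only the Firewall Alerts rule matches.
    print(assign(Alert("Logon Failures", "juniper-fw-01"), RULES))
    # Alert on a domain controller, matched via its device group.
    print(assign(Alert("Logon Failures", "dc-01", device_group="Domain Controllers"), RULES))
    # Nothing matches: ticket remains unassigned.
    print(assign(Alert("Logon Failures", "ws-17"), RULES))
```

The `check_priorities` step is the part worth copying into your own thinking: if two rules could both match an alert and their order is not unambiguous, which owner gets the ticket becomes a matter of luck, so give every rule a distinct priority when you set them up.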
So go right ahead and set up rules to automatically assign tickets to relevant owners, and watch your incident management system become more streamlined!