Kaspersky Anti Targeted Attack Platform

User actions performed on alerts

When managing the application web interface using a Senior security officer or Security officer account, you can take the following actions on alerts:

Users with the Security auditor role can view information about alerts but cannot edit this information.

In this section

Assigning alerts to a specific user

Marking the completion of single alert processing

Marking the completion of alerts processing

Modifying the status of VIP alerts

Adding a comment to an alert

[Topic 247621]

Assigning alerts to a specific user

Users with the Senior security officer role can assign an alert or multiple alerts to themselves or to another user of the application web interface with the Senior security officer or Security officer role.

To assign an alert to yourself or to another user of the application web interface:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Select the check boxes next to the alert or alerts that you want to assign to yourself or to another user.

    You can select all alerts by selecting the check box in the table header.

  3. In the pane that is displayed in the lower part of the window, expand the list of users by clicking on the arrow to the right of the Assign to button.
  4. Select the user to whom you want to assign the alerts.

    This opens the action confirmation window. You can also leave a comment that will be displayed in the alert change history.

  5. Click Proceed.

The alerts will be assigned to the selected user.

You can view all alerts assigned to a specific user by filtering alerts based on the status of their processing by the user.

Users with the Security auditor role cannot assign alerts to themselves or to other users of the application web interface. Users with the Senior security officer and Security officer roles also cannot assign alerts to users with the Security auditor role.

Users with the Senior security officer and Security officer roles, while managing an alert, can assign this alert to themselves or to another user of the application web interface with the Senior security officer or Security officer role.

To assign an alert to yourself or another user while managing the alert:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Open the alert that you want to assign to yourself or to another user of the application.

    This opens the card of the alert.

  3. If you want to assign the alert to yourself, click Assign to @Me.
  4. If you want to assign the alert to another user of the application, click the arrow to the right of the Assign to button and select the user to whom you want to assign the alert.

The alert is assigned to the selected user.

[Topic 247631]

Marking the completion of single alert processing

Users with the Security auditor role cannot assign or process alerts.

To close an individual alert in the table of alerts:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. In the State column of the alert that you want to close, click the status of the alert.
  3. In the list of actions, select Close alert.

The alert is closed.

To close an alert while managing the alert:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Open the alert that you want to close.
  3. In the upper-right corner of the window, click Close alert.

The alert is closed. If the alert was assigned to a different user, it is marked as processed by you.

You can view all alerts that have been processed by a specific user by filtering alerts based on the status of their processing by the user or by using the Show closed alerts toggle switch.

If an alert based on a scan using the TAA (IOA), IDS, or URL technology that is similar to a processed alert is received within the day (from 00:00 a.m. to 11:59 p.m.), the application either creates a new alert or updates the information in the identical alert with the New or In process status.

When you close an NDR alert, the aggregate event and nested NDR events associated with the alert are marked as resolved, and other alerts associated with these events are also closed. If a closed NDR alert is reopened, the associated closed NDR event is not reopened.

[Topic 247632]

Marking the completion of alerts processing

Users with the Security officer role cannot perform bulk operations on alerts. Users with the Security auditor role cannot assign or process alerts.

To close one or more alerts:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Select the check boxes next to the alerts that you want to close.

    You can select all alerts by selecting the check box in the table header.

  3. In the pane that appears in the lower part of the window, click the Close alert button.

    This opens the action confirmation window.

    You can also leave a comment that will be displayed in the alert change history.

  4. Click Proceed.

The selected alerts are closed. If the alerts were assigned to other users, they are marked as closed by you.

You can view all closed alerts by filtering alerts based on the status of their processing by the user or by using the Show closed alerts toggle switch.

If an alert based on a scan using the TAA (IOA), IDS, or URL technology that is similar to a processed alert is received within the day (from 00:00 a.m. to 11:59 p.m.), the application either creates a new alert or updates the information in the identical alert with the New or In process status.

When you close an NDR alert, the aggregate event and nested NDR events associated with the alert are marked as resolved, and other alerts associated with these events are also closed. If a closed NDR alert is reopened, the associated closed NDR event is not reopened.

[Topic 247633]

Modifying the status of VIP alerts

Users with the Senior security officer role can assign the VIP status to alerts or clear the VIP status of alerts.

To toggle the VIP status for alerts:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Select the check boxes for alerts for which you want to change the VIP status.

    You can select all alerts by selecting the check box in the table header.

  3. Do one of the following:
    • If you want to mark alerts as VIP, click the Mark as VIP button in the pane that appears in the lower part of the window.
    • If you want to remove the VIP status from alerts, in the pane that is displayed in the lower part of the window, in the Mark as VIP drop-down list, select Mark as non-VIP.

    This opens the action confirmation window.

    You can also leave a comment that will be displayed in the alert change history.

  4. Click Proceed.

The VIP status of alerts is changed.

Users with the Senior security officer and Security auditor roles can view all events with the VIP status by filtering alerts by VIP status.

[Topic 247634]

Adding a comment to an alert

Users with the Senior security officer and Security officer roles can add a comment to an alert.

To add a comment to an alert:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Select an alert for which you want to add a comment.

    This opens a window containing information about the alert.

  3. In the comment field under the Change log section, enter a comment for the alert.
  4. Click Add.

The comment will be added to the alert and will be displayed in the Change log section of this alert.

You can find commented alerts based on keywords within comments by filtering alerts based on received information.

Users with the Security auditor role can view comments for alerts but cannot edit the comments.

[Topic 247635]