Assigning alerts to analysts

As a work item, an alert can be assigned to a SOC analyst or to a user group for inspection and possible investigation. You can assign alerts to a user group if you want to automatically assign alerts to analysts within the selected group. For details, refer to Configuring the automatic assignment of alerts and incidents.

You can change the assignee of an active alert at any time. You cannot change the assignee of a closed alert.

Alerts can be assigned only to analysts and user groups who have the access right to read and modify alerts and incidents.

To assign one or several alerts:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. Select the check boxes next to the alerts that you want to assign.

    You must select only the alerts detected in the same tenant. Otherwise, the Assign button will be disabled.

    Alternatively, you can assign an alert to an analyst or to a user group from the alert details. To open the alert details, click the link with the alert ID you need.

  3. Click the Assign button.
  4. In the Assign to analyst window that opens, select whether to assign the alerts to a user or a user group.
  5. Start typing the name of an analyst or a user group, and then select the assignee from the list.

    If you want to unassign alerts, select Not assigned.

    You can select Not assigned for all alerts, except alerts with the Closed status.

  6. Click the Assign button.

Alerts are assigned.

You can also assign an alert by using playbooks.

See also:

About alerts

Viewing the alert table

Changing an alert status
