Assigning incidents to analysts

As a work item, an incident must be assigned to a SOC analyst or to a user group for inspection and possible investigation. You can assign incidents to a user group if you want to automatically assign incidents to analysts within the selected group. For details, refer to Configuring the automatic assignment of alerts and incidents.

You can change the assignee of an incident at any time.

Incidents can be assigned only to analysts and user groups who have the access right to read and modify alerts and incidents.

To assign one or several incidents:

  1. In the main menu, go to Monitoring & reporting → Incidents.
  2. Select the check boxes next to the incidents that you want to assign.

    You must select only the incidents detected in the same tenant. Otherwise, the Assign to me and Assign buttons will be disabled.

    Alternatively, you can assign an incident to an analyst or to a user group from the incident details. To open the incident details, click the link with the incident ID.

  3. Do one of the following:
    • To assign the incidents to you, click the Assign to me button.
    • To assign the incidents to another analyst or user group:
      1. Click the Assign button.
      2. In the Assign window that opens, select whether to assign the incidents to a user or a user group.
      3. Start typing the name of an analyst or a user group, and then select the assignee from the list.
      4. Click the Assign button.

    If you want to unassign incidents, select Not assigned.

Incidents are assigned.

You can also assign an incident to an analyst by using playbooks.

See also:

About incidents

Changing an incident status

Changing an incident priority
