Viewing response history

The Response history section allows you to view the detailed response history for all detected alerts and incidents. Note that if an alert or incident is deleted, the response history for this alert or incident is not displayed.

To view a response history, you must have one of the following roles: Main administrator, Tier 1 analyst, Tier 2 analyst, SOC manager, Approver, Auditor, Tenant administrator.

To view a response history, in the main menu, go to Monitoring & reporting → Response history. The table that contains the response history for all alerts and incidents opens.

By default, the table is sorted according to the time the playbook or response action was launched. The response actions in the playbooks are sorted according to their order in the playbook algorithm.

The toolbar in the upper part of the table allows you group and filter the data in the table as follows:

• Click the settings icon (), and then select the columns to be displayed in the table.
• Click the filter icon (), and then specify and apply the filter criterion in the invoked menu.

  When you apply the filter criterion for the Action status column, the table displays the manually launched responses whose status contains the selected value and the playbooks that include the response actions whose status contains the selected value. It means that only the response actions of the playbook that meet the filter criterion will be displayed.

Table search is available for all columns except Action status and Playbook status. To filter data in these columns, click the column header and select the required status from the drop-down list.

The table contains the following columns:

• Actions. Response action or playbook name.
• Response parameters. Response action parameters that are specified in the response action or playbook algorithm.
• Start. Date and time the playbook or response action was launched.
• End. Date and time the playbook or response action was completed.
• Alert or incident ID. ID that contains a link to the alert or incident details.
• Launched by. Name of the user who launched the playbook or response action.
• Action status. Execution status of the response action. The following values can be shown in this column:
  • Awaiting approval—Response action awaiting approval for launch.
  • In progress—Response action is in progress.
  • Success—Response action is completed without errors or warnings.
  • Warning—Response action is completed with warnings.
  • Error—Response action is completed with errors.
  • Terminated—Response action is completed because the user interrupted the execution.
  • Approval time expired—Response action is completed because the approval time for the launch has expired.
  • Rejected—Response action is completed because the user rejected the launch.
• Playbook status. Execution status of the playbook. The following values can be shown in this column:
  • Awaiting approval—Playbook awaiting approval for launch.
  • In progress—Playbook is in progress.
  • Success—Playbook is completed without errors or warnings.
  • Warning—Playbook is completed with warnings.
  • Error—Playbook is completed with errors.
  • Terminated—Playbook is completed because the user interrupted the execution.
  • Approval time expired—Playbook is completed because the approval time for the launch has expired.
  • Rejected—Playbook is completed because the user rejected the launch.

  You can click the Playbook status value or the Action status value to open the window with the result of the playbook or the response action launch. The Launch ID can be used by Technical Support to download the data necessary for analysis in case of the execution errors. By default, the data is stored for 72 hours.
  If the status is In progress, you can view the Launch ID by hovering the mouse cursor over the icon next to the status.

• Assets. Number of the assets for which the playbook or response action is launched. You can click the link with the number of the assets to view the asset details. The field is empty, if the playbook or response action does not involve assets.
• Tenant. Name of the tenant to which the playbook belongs.
• Approver. Name of the user who approved or rejected the playbook or response action launch.

  By default, this column is hidden. To display the column, click the settings icon (), and then select the Approver column.

• Approval time. Date and time the playbook or response action launch was approved or rejected. This column is not displayed by default.

  By default, this column is hidden. To display the column, click the settings icon (), and then select the Approval time column.

Page top