Each cluster is a grouping of alerts; for the full explanation, please see cluster. As the central investigation point for an analyst, events affecting a cluster can be found in the activity timeline, including the addition of alerts.
The timeline provides a list of all key activities, including whether the cluster has previously been investigated and whether it has been unarchived due to the addition of an alert. Where there are a significant number of similar events, they are grouped to make the timeline clearer.
The activity timeline can be found on the left-hand pane, in the cluster overview panel.
There are a number of different tiles that may be presented.
Each time an alert is added to the cluster, a tile is displayed recording the addition.
If a number of correlated alerts share the same details, a single expandable tile is shown. Selecting the expand arrow allows you to scroll through each alert in the grouping.
When another cluster has been merged into the cluster being viewed, the merge tile displays the detail and allows you to navigate to the child cluster.
If the cluster being viewed has been merged into another cluster, the merged tile displays the detail and again allows you to navigate to the parent cluster.
Three different scoring tiles may be displayed. The first of these displays the first score attributed to the cluster, and the following tiles show when and how the score changes given the addition of new alerts to the cluster.
Basic workflow changes, such as title changes, assignment to a user and priority changes, are also displayed.
You can add notes to a cluster from the Activity Timeline tab in the left-hand panel of a cluster. The notes feature is designed for easier cross-team collaboration, and is an effective tool for teaching team members how to handle a given situation.
1. Click the notes icon, located in the top right of the activity timeline.
2. Next, populate the ‘Note’ field, taking care not to add any personal data. The ‘Title’ field is optional, but useful in providing a high-level overview to your team.
The ‘Save’ button will activate when the ‘Note’ field detects input (required field).
3. Once the note is complete, click the ‘Save’ button and hit refresh. Your note is now published in the activity timeline, visible to all of your team members.
Notes cannot be edited or deleted at this time.
Contact the SOC.OS Team at firstname.lastname@example.org if you'd like us to get a move on implementing this feature.