¶ Overview
There are three states that a cluster can be in; New, Investigation and Archive. The first two states are designed to used whilst a cluster is being reviewed. By marking a cluster as under investigation a user can, in conjunction with user assignment, convey to other system users that they are currently working on the specified cluster.
The final, archive, state signifies that a cluster requires no further action. This could be because you are sure that the correlated alerts were all false positives, the activity causing the alerts was blocked by your security tools, or you have taken the appropriate actions.
¶ How to set cluster status
There are two mechanisms to change the status of a cluster; in the workbench or whilst viewing the cluster itself. You can see the status of clusters at a glance in the workbench.
¶ Setting the status of a single cluster
-
To change the status to New or Invesitgation select the appropriate status from the cluster header. The status will automatically save once selected, or revert back if not successful.
-
Selecting archive at the top right of the workbench header will display a popup that provides fields required to archive the cluster; a reason and description. A reason is mandatory but teams may use the description field to hold details of their investigation.
- Click the send to archive button to apply the status change to the selected cluster.
- The archiving action is not final. A cluster can be un-archived by searching for a status of "Archived" in the workbench as selecting the cluster.
If SOC.OS recognises any related alerts at a later date, previously archived clusters will be reinstated and correlated. We'll keep hold of your archive history and any additional details you added.
¶ Bulk archiving clusters
- Perform a search which results in a set of clusters that contains only those you wish to archive.
- Select the archive button on the workbench page.
- Select the desired reason and, again optionally, the description.
- Click the send to archive button to apply the status change to the selected cluster.
Bulk archiving from the workbench will archive everything selected by the current query.