There are three states that a cluster can be in: New, Investigation and Archive. The first two states are designed to be used whilst a cluster is being reviewed. By marking a cluster as under investigation, a user can, in conjunction with user assignment, convey to other system users that they are currently working on that cluster.
The final state, Archive, signifies that a cluster requires no further action. This could be because you are sure that the correlated alerts were all false positives, the activity causing the alerts was blocked by your security tools, or you have already taken the appropriate actions.
There are two ways to change the status of a cluster: in the workbench, or whilst viewing the cluster itself. You can see the status of clusters at a glance in the workbench.
To change the status to New or Investigation, select the appropriate status from the cluster header. The status saves automatically once selected, or reverts to its previous value if the save is not successful.
Selecting Archive at the top right of the workbench header displays a popup with the fields required to archive the cluster: a reason and a description. The reason is mandatory; teams may use the description field to record details of their investigation.
If SOC.OS recognises any related alerts at a later date, previously archived clusters are reinstated and correlated. Your archive history and any additional details you added are kept.
Bulk archiving from the workbench archives every cluster selected by the current query.
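The cluster lifecycle described above, modelled as a small Python state machine. This is an added illustration, not SOC.OS's own code: the `Cluster` class, the `save` callback, and the `bulk_archive` query function are assumptions used to show the rules the page states (New/Investigation revert on a failed save, Archive requires a reason, a later related alert reinstates an archived cluster while keeping its archive history, bulk archive acts on everything the query selects).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class Status(Enum):
    NEW = "New"
    INVESTIGATION = "Investigation"
    ARCHIVE = "Archive"


@dataclass
class Cluster:
    """Illustrative model of a SOC.OS cluster (assumed structure, not the product's)."""
    cluster_id: str
    alerts: List[dict]
    status: Status = Status.NEW
    assignee: Optional[str] = None          # user assignment, shown alongside status
    archive_history: List[dict] = field(default_factory=list)

    def set_status(self, status: Status, save: Callable[["Cluster"], bool]) -> Status:
        """New/Investigation: apply the change, revert if the save does not succeed."""
        if status is Status.ARCHIVE:
            raise ValueError("use archive(): archiving requires a reason")
        previous = self.status
        self.status = status
        if not save(self):
            self.status = previous
        return self.status

    def archive(self, reason: str, description: str = "") -> None:
        """Archive: reason is mandatory, description is optional investigation detail."""
        if not reason.strip():
            raise ValueError("archive reason is mandatory")
        self.archive_history.append(
            {"reason": reason, "description": description, "alert_count": len(self.alerts)}
        )
        self.status = Status.ARCHIVE

    def correlate(self, alert: dict) -> bool:
        """A related alert on an archived cluster reinstates it; history is retained."""
        self.alerts.append(alert)
        if self.status is Status.ARCHIVE:
            self.status = Status.NEW
            return True
        return False


def bulk_archive(clusters, query: Callable[[Cluster], bool], reason: str, description: str = ""):
    """Archive every cluster matched by the current workbench query; returns their ids."""
    matched = [c for c in clusters if query(c)]
    for c in matched:
        c.archive(reason, description)
    return [c.cluster_id for c in matched]
```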