Forum Discussion

Deleted
Jun 03, 2021

Granular Automated Investigation/Remediation configuration

We have the option for Automatically resolving alerts (Resolves an alert if Automated investigation finds no threats or has successfully remediated all malicious artifacts.) enabled, which affects custom alerts too. This is not always desirable, as the logic of custom rules can be of such a nature that no artifacts exist that could be investigated by automation; thus no threats are found and the alert is resolved automatically.

It would be great if Automated investigation/remediation could be set per alert type, and especially for custom alerts, in a similar way to how it's configured for device groups. For instance:

Alert source = AV --> Apply automated investigation and resolve alert if no threats found or remediated

Alert source = EDR --> Apply automated investigation and keep alert open for analyst review even if no threats are found

Alert source = custom alert --> Do not apply automated investigation at all