What is the assignment workflow enhancement?
The assignment workflow enhancement is meant to better capture the events of investigations and provide metrics to organizations about the efficiency of their security team. This assignment workflow will collect metrics that will affect reporting that is due to release within the next month.
How do the new assignments work?
The assignment feature remains relatively unchanged; however, you now need to explicitly close an assignment with an outcome. This is a natural extension of the workflow that analysts follow during an investigation. Out of the box there will be the option to close out with three outcomes: Malicious True Positive, Benign True Positive, and False Positive. The explanation of these outcomes is below. Since picking the right outcome at the end of an investigation is crucial for getting the right insights for reporting, understanding what each of these outcomes represents will help analysts select the appropriate outcome when resolving an assignment.
Malicious True Positive
A Malicious True Positive event is an event that is categorized by the Vectra system as a potential threat and is found to be an actual threat. For example, this could be an entity that was flagged as ransomware and during an investigation was found to be compromised.
Benign True Positive
A Benign True Positive event is one where the behavior was correctly identified by the Vectra system; however, the behavior was allowed. For example, this can be Shadow IT or Red Team behavior. Most of our alerts will fall into this category.
False Positive
A False Positive event is an event that the Vectra system completely mislabeled. This is an infrequent occurrence within the system and should be used sparingly.
Creating an assignment
The first step in the new workflow is to create an assignment. Currently there are only assignments on Hosts and Accounts. This also means that we have removed assignments from detections. If you want to assign detections, you will have to assign the host or account associated with that detection.
You can see the Assigned User box, where you can click on the drop-down, which will display all the users that you can assign the entity to.
Once you select which user to assign the entity to, select the blue checkmark to complete the assignment. To confirm the assignment went through, check that the assignment box changes to show who has been assigned to the entity and by whom.
When an assignment has been created, all detections within the entity will also be assigned to the user. Any new detections that come in while there is an active assignment on the entity will also be assigned to the user.
Investigating an Entity
This part of the workflow remains untouched. Once a user has been assigned to an entity, they can continue their normal workflow for investigations.
Reassigning an Entity
The reassignment workflow remains unchanged. To reassign an entity the user must select the pencil icon in the assignment modal.
This will open up the assignment and allow you to choose which user to reassign the entity to. From here, the workflow remains the same as above. This reassignment is captured and will be reflected in reporting.
Removing an assignment
The deletion of an assignment is as simple as selecting the trash can icon in the assignment modal. This will remove the assignment as well as any history of the assignment.
Closing an assignment
Once the user is done with their investigation, they now have to close out their assignment by providing an outcome. To start the closing, first the user must select the check mark in the assignment modal.
Selecting this button will open a new modal.
From here the user can choose which outcome to label this investigation with. The choices of outcomes can be found above. The analyst can also choose to add resolution notes when resolving an assignment. These resolution notes will only appear in the reports. We have also introduced optimizations depending on the outcome chosen. If the outcome is Malicious True Positive, then we allow for the ability to mark all open detections with “Mark As Fixed”.
If the outcome is Benign True Positive, we allow for resolving all open detections with a custom triage filter.
After choosing the outcome, selecting the resolve button will close out the assignment. This outcome is recorded within Vectra to be used for reporting. The system will also record different aspects of the entity, such as detections, tags, etc., which will also show up in the reports.
With this resolution, the host is now open to being assigned if new detections come in or if there is another investigation.
Are there plans to reintroduce assignments on detections?
We do not currently have any plans on reintroducing assignments on detections.
Can I see previous assignments?
Currently we do not allow you to see assignment histories in the UI; however, this information is available via the API. We do plan to introduce assignment histories into the UI in the future so analysts can see all the investigations done on that entity in the past.
Is there API support?
You can work with this workflow via API. The guide can be found under Resources > API Guide.
Can I get assignments working with my current ticketing system?
We do not have any integrations with ticketing systems; however, we do plan on working with them in the future. The new assignments API does allow for a script-based integration with different ticketing systems. If you need an integration, please reach out to the Vectra team.
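The following is an added example of what a script-based ticketing integration and the reporting metrics described above could look like; it is not Vectra's code and does not use the Vectra API. The assignment record shape, the snake_case outcome values, the `SEC-<id>` ticket keys and the sample data are all assumptions constructed for illustration. The script applies successive polling rounds idempotently (open a ticket for a new host or account assignment, update it on reassignment, close it once an outcome is recorded) and computes outcome counts and mean time to resolution from the closed assignments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The three outcomes described in the FAQ. The snake_case values are an
# assumption made for this example; the page does not specify API values.
OUTCOMES = {"malicious_true_positive", "benign_true_positive", "false_positive"}


@dataclass
class Assignment:
    """Assumed shape of an assignment record (constructed, not the real API schema)."""
    id: int
    entity_type: str            # "host" or "account": assignments exist only on these
    entity_id: int
    assigned_to: str
    assigned_by: str
    created_at: datetime
    outcome: Optional[str] = None
    resolved_at: Optional[datetime] = None
    resolution_notes: str = ""


@dataclass
class Ticket:
    """Minimal stand-in for a ticket in an external ticketing system."""
    key: str
    assignee: str
    status: str = "open"
    outcome: Optional[str] = None
    notes: str = ""


class TicketSync:
    """Idempotent one-way sync: assignment record -> external ticket."""

    def __init__(self) -> None:
        self.tickets: Dict[int, Ticket] = {}   # assignment id -> ticket
        self.log: List[str] = []               # actions taken, for auditing

    def sync(self, assignments: List[Assignment]) -> int:
        """Apply one polling round; returns the number of ticket actions taken."""
        before = len(self.log)
        for a in assignments:
            ticket = self.tickets.get(a.id)
            if ticket is None:
                # New assignment on a host or account: open a ticket for it.
                ticket = Ticket(key=f"SEC-{a.id}", assignee=a.assigned_to)
                self.tickets[a.id] = ticket
                self.log.append(f"open {ticket.key} {a.entity_type}:{a.entity_id} -> {a.assigned_to}")
            elif ticket.status == "open" and ticket.assignee != a.assigned_to:
                # A reassignment shows up as a changed assignee on an open assignment.
                self.log.append(f"reassign {ticket.key} {ticket.assignee} -> {a.assigned_to}")
                ticket.assignee = a.assigned_to
            if a.outcome is not None and ticket.status == "open":
                # Closing with an outcome is mandatory in the new workflow;
                # reject anything outside the three documented outcomes.
                if a.outcome not in OUTCOMES:
                    raise ValueError(f"unknown outcome {a.outcome!r} on assignment {a.id}")
                ticket.status = "closed"
                ticket.outcome = a.outcome
                ticket.notes = a.resolution_notes
                self.log.append(f"close {ticket.key} {a.outcome}")
        return len(self.log) - before


def outcome_metrics(assignments: List[Assignment]) -> dict:
    """Reporting-style metrics: outcome counts, open count, mean hours to resolve."""
    counts = {o: 0 for o in OUTCOMES}
    hours: List[float] = []
    open_count = 0
    for a in assignments:
        if a.outcome is None:
            open_count += 1
            continue
        counts[a.outcome] += 1
        hours.append((a.resolved_at - a.created_at).total_seconds() / 3600)
    mean_hours = sum(hours) / len(hours) if hours else 0.0
    return {"counts": counts, "open": open_count, "mean_hours_to_resolve": mean_hours}


# Constructed sample data standing in for two polling rounds against an API.
T0 = datetime(2024, 1, 1, 9, 0)
ROUND_1 = [
    Assignment(1, "host", 101, "alice", "bob", T0),
    Assignment(2, "account", 202, "carol", "bob", T0),
]
ROUND_2 = [
    Assignment(1, "host", 101, "dave", "bob", T0),                 # reassigned
    Assignment(2, "account", 202, "carol", "bob", T0,
               outcome="benign_true_positive", resolved_at=T0 + timedelta(hours=4),
               resolution_notes="Approved red team activity"),
]

if __name__ == "__main__":
    sync = TicketSync()
    for rnd in (ROUND_1, ROUND_2, ROUND_2):   # third round shows idempotence
        print("actions this round:", sync.sync(rnd))
    print("\n".join(sync.log))
    print(outcome_metrics(ROUND_2))
```

Because deleting an assignment removes its history on the Vectra side, a sync like this should be the system of record for anything a report needs that might later be deleted; the ticket it opened is untouched by the deletion.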