For our customer we currently have several alerts implemented. The customer has a rather small security team only interested in receiving email notifications whenever an incident is triggered. So, the built-in incident management of LogPoint is not used at all, and I delete all open cases on a regular basis.

However, for auditing reasons, for some incidents posing a major risk they would now like the security personnel to use the incident management system of LogPoint and want them to resolve the cases there. All other incidents should, if possible, not be visible to them.

Right now, I would assign these high-risk alerts to the security personnel so that they are able to read and resolve them within LogPoint. Incidents with a lower risk would be assigned to me or a dummy group, and I would continue to regularly delete them manually.

But I am wondering whether there is a better way: Does triggering an alert automatically have to create an incident, or is it possible to configure that only alerts with a specific risk level create incidents?

Also, is there a way to automatically close and resolve open incidents so I do not have to do this manually anymore?

Regards,
Andre

Whenever an alert rule is triggered, an incident is created - the two things are really the same, “triggering” is essentially creating the incident.

Two ideas:

  • Have the incidents to be investigated set to “high” risk in Logpoint and tell people to filter on only those - that can’t be defaulted or enforced though
  • Use SOAR playbooks to use the Logpoint Case Management API to close off any triggered incident that doesn't have the right (high) risk level

The latter is obviously more complicated…
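The second idea from the reply above, written out as an added example (not code from the thread, and not LogPoint's own playbook): a small script that pulls open incidents, keeps everything at or above a chosen risk level for the security team, and resolves the rest. The endpoint paths (`/incidents`, `/resolve_incident`), the request body shape (`username`, `secret_key`, `requestData`), the field names `id`, `risk_level` and `status`, and the risk ordering are assumptions about the LogPoint Incident API and must be checked against the API documentation for your version. The selection logic is separated from the HTTP calls so it can be dry-run and reviewed before anything is resolved.

```python
"""Auto-resolve low-risk LogPoint incidents so only high-risk ones remain open.

Added example for the thread above, not LogPoint's code. Endpoint paths,
request shape, field names and risk ordering are ASSUMPTIONS; verify them
against the Incident API docs for your LogPoint version before use.
"""
import json
import urllib.request
from typing import Callable, Iterable, List, Optional

# Assumed risk ordering, lowest to highest.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def select_incidents_to_resolve(incidents: Iterable[dict], keep_from: str = "high") -> List[str]:
    """Return ids of open incidents whose risk is strictly below `keep_from`.

    Fails closed: incidents already resolved/closed, or with an unknown or
    missing risk level, are never selected, so a schema change cannot make
    the script silently resolve everything.
    """
    threshold = RISK_ORDER[keep_from]
    to_resolve = []
    for inc in incidents:
        if inc.get("status", "open") != "open":          # assumed status field
            continue
        risk = RISK_ORDER.get(str(inc.get("risk_level", "")).lower())
        if risk is None or risk >= threshold:
            continue
        to_resolve.append(inc["id"])
    return to_resolve


def _post_json(base_url: str, path: str, payload: dict, timeout: int = 30) -> dict:
    """POST a JSON body to the LogPoint host and decode the JSON reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def make_logpoint_client(base_url: str, username: str, secret_key: str):
    """Return (fetch_incidents, resolve_incidents) callables for one host.

    Assumed API: POST /incidents and POST /resolve_incident, each taking
    {"username", "secret_key", "requestData": {...}}.
    """
    def fetch(ts_from: int, ts_to: Optional[int]) -> List[dict]:
        body = {"username": username, "secret_key": secret_key,
                "requestData": {"version": "0.1", "ts_from": ts_from, "ts_to": ts_to}}
        return _post_json(base_url, "/incidents", body).get("incidents", [])

    def resolve(ids: List[str]) -> dict:
        body = {"username": username, "secret_key": secret_key,
                "requestData": {"version": "0.1", "incident_ids": ids}}
        return _post_json(base_url, "/resolve_incident", body)

    return fetch, resolve


def auto_resolve(fetch: Callable, resolve: Callable, keep_from: str = "high",
                 ts_from: int = 0, ts_to: Optional[int] = None,
                 batch: int = 100, dry_run: bool = False) -> List[str]:
    """Fetch incidents, pick the low-risk open ones, resolve them in batches.

    Returns the ids selected so the run can be logged for the audit trail.
    With dry_run=True nothing is resolved, only the selection is returned.
    """
    ids = select_incidents_to_resolve(fetch(ts_from, ts_to), keep_from)
    if not dry_run:
        for i in range(0, len(ids), batch):
            resolve(ids[i:i + batch])
    return ids


if __name__ == "__main__":
    # Placeholder host and credentials; use a dedicated service account.
    fetch, resolve = make_logpoint_client("https://logpoint.example.invalid",
                                          "SERVICE_USER", "SECRET_KEY_PLACEHOLDER")
    selected = auto_resolve(fetch, resolve, keep_from="high", dry_run=True)
    print(f"would resolve {len(selected)} incident(s): {selected}")
```

Run it with `dry_run=True` first and keep the returned id list in a log: the whole point of moving the high-risk cases into LogPoint was auditability, so the automation that removes the rest should leave a record of what it removed and why. Scheduling it from a SOAR playbook or a plain cron job works the same way; only the credentials handling differs.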
