For our customer we currently have several alerts implemented. The customer has a rather small security team only interested in receiving email notifications whenever an incident is triggered. So, the built-in incident management of LogPoint is not used at all, and I delete all open cases on a regular basis.
However, for auditing reasons, for some incidents posing a major risk they would now like the security personnel to use LogPoint's incident management system and want them to resolve the cases there. All other incidents should, if possible, not be visible to them.
Right now, I would assign these high-risk alerts to the security personnel so that they are able to read and resolve them within LogPoint. Incidents with a lower risk would be assigned to me or a dummy group, and I would continue to regularly delete them manually.
But I am wondering whether there is a better way: does triggering an alert automatically have to create an incident, or is it possible to configure that only alerts with a specific risk level create incidents?
Also, is there a way to automatically close and resolve open incidents so I do not have to do this manually anymore?