You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>UserGuide>AlarmManagement>TakingOwnershipOfAnAlarm (25 Apr 2022, SheriffCyberSecurity)Edit Attach
Up
Previous Next

Sheriff CSM™

Taking Ownership of an Alarm

As part of an alarm remediation response, you should take ownership of an alarm you want to work on. This tells others that you are actively investigating it. This avoids duplication of efforts.

To take ownership of an alarm

  1. From Analysis > Alarms > Group View, locate an alarm you want to investigate.

  2. Take ownership of the alarm by clicking Take, under the Owner column within its row.

    The Owner status now changes from Take to Release, signifying that you now have responsibility for the alarm group.

  3. Select the checkbox at the front of the alarm row.

    The following two buttons now appear in the UI above the Description, Status, and Action columns:

    • Close Selected
    • Delete Selected

      Note: Do not click either of these at this time.

      The ticket icon under the Action column now also becomes active.

  4. Under Description, type a reason for the action you want to take:

    • Open a ticket — Under Action, click the ticket icon to open a new ticket on the selected alarm group.

      The New Ticket dialog box appears. See Create a Ticket.

    • Close or Delete an alarm — Select the appropriate action; confirm it when prompted.

      • Close means an alarm still resides in the database. It does not, however, display in the web interface.
      • Delete means that you want to delete the alarm from the database.
You might close an alarm that you know is a false positive. An example of a false positive might be if instant messaging triggered an alarm, but your corporate security policy allows instant messaging. You should then create a policy to make sure that Sheriff CSM does not notify you about such events in the future. See Tutorial: Create a Policy to Discard Events.
 
After that, you may want to delete all occurrences of this alarm from the SIEM.
 
The choice about whether to close or delete an alarm depends on your corporate compliance policy. If alarm retention is not a priority, you should delete them to save disk space.
 
Sheriff Vigilante Limitations: Alarms in Sheriff Vigilante lack the built-in context provided in Sheriff CSM. The work compiled by the AT&T Alien Labs™ Security Research Team to analyze and validate OTX threat data is available in both Sheriff CSM and Sheriff Vigilante.
Edit  | Attach | Print version | History: r9 < r8 < r7 < r6 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r9 - 25 Apr 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.