Sheriff CSM™
Taking Ownership of an Alarm
As part of an alarm remediation response, you should take ownership of an alarm you want to work on. This tells others that you are actively investigating it and avoids duplicated effort.
To take ownership of an alarm
- From Analysis > Alarms > Group View, locate an alarm you want to investigate.
- Take ownership of the alarm by clicking Take, under the Owner column within its row.
  The Owner status now changes from Take to Release, signifying that you now have responsibility for the alarm group.
- Select the checkbox at the front of the alarm row.
  The following two buttons now appear in the UI above the Description, Status, and Action columns:
- Under Description, type a reason for the action you want to take:
You might close an alarm that you know is a false positive. An example of a false positive might be if instant messaging triggered an alarm, but your corporate security policy allows instant messaging. You should then create a policy to make sure that Sheriff CSM does not notify you about such events in the future. See Tutorial: Create a Policy to Discard Events.
After that, you may want to delete all occurrences of this alarm from the SIEM.
The choice about whether to close or delete an alarm depends on your corporate compliance policy. If alarm retention is not a priority, delete alarms to save disk space.
Sheriff Vigilante Limitations: Alarms in Sheriff Vigilante lack the built-in context provided in Sheriff CSM. The work compiled by the AT&T Alien Labs™ Security Research Team to analyze and validate OTX threat data is available in both Sheriff CSM and Sheriff Vigilante.