Assigning alerts to analysts

As a work item, an alert can be assigned to an SOC analyst for inspection and possible investigation. You can change the assignee of an active alert at any time. You cannot change an assignee of a closed alert.

Alerts can be assigned only to analysts who have the access right to read and modify alerts and incidents.

To assign one or several alerts to an analyst:

1. In the main menu, go to Monitoring & reporting → Alerts.
2. Select the check boxes next to the alerts that you want to assign to an analyst.

   You must select only the alerts detected in the same tenant. Otherwise, the Assign to button will be disabled.

   Alternatively, you can assign an alert to an analyst from the alert details. To open the alert details, click the link with the alert ID you need.

3. Click the Assign to button.
4. In the Assign to analyst window that opens, start typing the analyst's name or email address, and then select the analyst from the list.

   You can also select the Not assigned option for all alerts, except alerts with the Closed status.

5. Click the Assign button.

The alerts are assigned to the analyst.

You also can assign an alert to an analyst by using playbooks.

See also: About alerts Viewing the alert table Changing an alert status

Page top