After investigating the lead, you can perform one or more of the following actions on it.
Comment on a lead
The lead comments panel allows you to comment and view comments from others regarding the lead at hand. It also displays a log of actions performed on the lead.
To view a lead's comments and log:
- From the SOC Queue or Leads page, click on the Lead to open it.
- From the Lead Details panel, click Comments to open the Collaboration panel.
If the lead is part of a cluster, you can toggle whether to view the comments made on the cluster.
To comment, reply, delete, or edit a comment:
- From the SOC Queue or Leads page, click on the Lead to open it.
- From the Lead Details panel, click Comments to open the Collaboration panel.
- From the Collaboration panel:
  - To add a comment: Type your comment in the text box and click the send icon. You can format the text using the editing options.
  - To reply: Click the menu icon next to the comment you want to reply to, and then click Reply.
  - To delete/edit your comment: Click the menu icon next to your comment, and then select the required option.
Assign a lead
You can assign leads to other team members or to yourself.
To assign a lead:
- From the SOC Queue or Leads page, click on the Lead to open it.
- From the Lead Details panel, click Assign or the assignee name to open a list of team members.
- Select the required person or Clear to remove any assignee.
Classify a lead
You can classify a lead as benign, malicious or unknown.
Lead classification affects the way Stories are built and displayed. If a benign lead is part of a story, the system recalculates the story and removes the benign lead. The relevant story is then updated with an accurate score and visualization.
To classify a lead:
- From the SOC Queue or Leads page, click on the Lead to open it.
- From the Lead Details panel, click Classify to open a list of classification options.
- Select the classification of the lead according to your findings.
Update a lead’s status
As you progress in triaging and handling the lead, you can change its status to open, WIP (work in progress) or done.
To update a lead's status:
- From the SOC Queue or Leads page, click on the Lead to open it.
- From the Lead Details panel, click the status indication to open a list of statuses.
- Select the relevant status.
Bulk triage
To speed up the triage process, you can perform any of the above-mentioned actions in bulk.
To triage in bulk:
- Tick the checkbox next to the leads you wish to triage.
- From the pop-up, select the actions you want to perform on all of the selected leads, and then click Apply.