Assignment workflow FAQ (prior to New close workflow)

Introduction

Using the entity assignment/closure/resolution workflow enables all the detections attributed to a host or account entity to be assigned to an analyst. When closing or resolving detections at the entity level, all active detections are also closed as "Benign" or "Remediated" (New Close Workflow) or resolved (legacy workflow), depending on which workflow is enabled in your deployment.

This data will drive reporting for Executive Overview and Operational Overview reports. The assignment workflow is meant to better capture the events of investigations and provide metrics to organizations about the efficiency of their security team.

There are currently two different workflows:

  • The "New Close Workflow" that is currently entering public preview in late June 2025.

  • The legacy workflow that exists in both RUX and QUX deployments prior to enabling the "New Close Workflow".

It may also be useful to refer to the Triage Best Practices article to learn more about triage actions, terminology, and how the assignment workflow is related. The "Close As" actions described in the Triage Best Practices article, when done at an entity level, do NOT close the assignment. Entity assignment must be changed or removed manually if you don't want new detections to be assigned to the same analyst when using the New Close Workflow.

Creating an Assignment

When an assignment has been created, all active detections assigned to the entity will also be assigned to the analyst. Any new detections that come in while there is an active assignment on the entity will also be assigned to the analyst.

New Close Workflow:

Your UI may look slightly different for QUX deployments because the scoring system is different but the process of assignment is still the same. Simply click on the "Unassigned" link, choose an analyst from the dropdown, and then click the checkmark to finalize the selection:

Legacy Workflow:

Your UI may look slightly different for QUX deployments because the scoring system is different but the process of assignment is still the same. Simply click on the "Assign" link and then a new panel will open on the left side of your entity where you can choose an analyst from the dropdown, and then click the checkmark to finalize the selection:

Changing or Deleting an Assignment

New Close Workflow:

Once an entity has been assigned, it will show as assigned to an analyst where it previously showed "Unassigned". Simply click the assigned analyst's name to change which analyst the entity is assigned to, or use the "Unassign" button to delete the assignment.

Legacy Workflow:

Once an entity has been assigned, it will show as assigned in a panel on the left side of the entity screen (where you chose the assigned user). Simply click on the "Edit" pencil icon to change the assigned analyst, or the "Trashcan" icon to delete the assignment.

Closing an Assignment

New Close Workflow:

To close an assignment in the New Close Workflow, all detections must be closed. This can be done using the "Close As" button as shown in the screenshot below, at either the entity level or the detection level.

  • When using “Close As” at an entity level, all active detections attributed to the entity will be closed (triaged) as either Benign or Remediated.

    • If the entity was assigned to an analyst, this does not close the assignment; the assignment must be changed or deleted manually.

  • When using "Close As" at the detection level, if you close the last remaining active detection on an entity, you can also choose to manually change or delete the assignment.

  • As described in the Triage Best Practices article, Benign or Remediated have specific meanings:

    • Benign - Use this option when you want to eliminate scoring impact for a detection, but no action was taken to stop the behavior from reoccurring in the environment. A potential use case is an approved red teaming event: since the behavior was approved, all that is desired now is to remove the scoring impact for the entities that were involved.

    • Remediated - Use this option when some action has been taken that is meant to stop the behavior from reoccurring in the environment. Perhaps an infected machine was re-imaged, or a discussion was had with a user where they were told they should not scan the server subnet.

Legacy Workflow:

To close an assignment, click on the "Checkmark" icon on the right side of the "Assigned User" panel on the left side of your entity screen. When resolving an entity assignment using the Legacy workflow, choosing any outcome will close the assignment, and triage the individual detections.

Examples for Both Workflows:

New Close Workflow

Legacy Workflow

Legacy Workflow Additional Guidance

When closing an assignment using the legacy workflow, you can choose an outcome of Benign True Positive, Malicious True Positive, or False Positive.

Malicious True Positive - A Malicious True Positive event is an event that is categorized by the Vectra system as a potential threat and is found to be an actual threat. This could be an entity that was flagged as ransomware and during an investigation was found to be compromised.

Benign True Positive - A Benign True Positive event is one where the behavior was correctly identified by the Vectra system; however, the behavior was allowed. For example, this can be Shadow IT or Red Team behavior. Many alerts will fall into this category.

False Positive - A False Positive event is an event that the Vectra system completely mislabeled. This is an infrequent occurrence within the system and should be used sparingly.

If you choose "Malicious True Positive", you can also choose if you want to mark the remaining untriaged detections on the entity as "fixed". "Fixed" is the same as "Mark as Fixed" when using the legacy workflow and performing triage actions. This is essentially the same meaning as "Remediated" in the new close workflow. This means some action has been taken that is meant to stop the behavior from reoccurring in the environment. Perhaps an infected machine was re-imaged, or a discussion was had with a user where they were told they should not scan the server subnet.

If you choose "Benign True Positive", you can also choose to triage the remaining untriaged detections on the entity as custom. This is essentially an individual triage action against all of these detections, and you have a choice of how to label these detections in the "Triage as" box.

After choosing the outcome, selecting the resolve button will close out the assignment. This outcome is recorded within Vectra to be used for reporting. The system will also record different aspects of the entity like detections, tags, etc. which will also show up in the reports.

With this resolution, the host is now open to being assigned if new detections come in or if there is another investigation.
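The two "Closing an Assignment" sections and the "Legacy Workflow Additional Guidance" above describe different end states: a New Close Workflow "Close As" at the entity level triages the detections but leaves the assignment in place, so the next detection on that entity is still auto-assigned to the same analyst, while a legacy resolve closes the assignment and records an outcome. The following Python model is an added illustration written for this article, not Vectra code and not a client for the Vectra API; the class names, the "Triaged" fallback label and the sample host and analyst names are constructed assumptions chosen to make the difference between the two workflows observable.

```python
"""Toy model of the entity assignment semantics described in this article.

Constructed example: not Vectra code, no API calls. It exists only to make the
difference between the New Close Workflow and the legacy resolve visible.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NEW_CLOSE = "new_close"
LEGACY = "legacy"
LEGACY_OUTCOMES = ("Malicious True Positive", "Benign True Positive", "False Positive")


@dataclass
class Detection:
    det_id: int
    state: str = "active"            # "active" until closed or triaged
    assignee: Optional[str] = None


@dataclass
class Entity:
    name: str
    detections: Dict[int, Detection] = field(default_factory=dict)
    assignee: Optional[str] = None
    # (analyst, outcome) for each closed legacy assignment: stand-in for reporting data
    resolved: List[Tuple[str, str]] = field(default_factory=list)

    def active(self) -> List[Detection]:
        return [d for d in self.detections.values() if d.state == "active"]


class AssignmentModel:
    def __init__(self, mode: str):
        if mode not in (NEW_CLOSE, LEGACY):
            raise ValueError(f"unknown workflow mode: {mode}")
        self.mode = mode

    def assign(self, entity: Entity, analyst: str) -> None:
        # Assigning the entity assigns every active detection to the same analyst.
        entity.assignee = analyst
        for d in entity.active():
            d.assignee = analyst

    def unassign(self, entity: Entity) -> None:
        # Manual "Unassign" / trashcan: the only way to drop a New Close Workflow assignment.
        entity.assignee = None

    def new_detection(self, entity: Entity, det_id: int) -> Detection:
        # A detection arriving during an active assignment inherits the assignee.
        d = Detection(det_id, assignee=entity.assignee)
        entity.detections[det_id] = d
        return d

    def close_entity_as(self, entity: Entity, label: str) -> None:
        # New Close Workflow "Close As" at the entity level: triages detections,
        # deliberately leaves the assignment untouched.
        if self.mode != NEW_CLOSE or label not in ("Benign", "Remediated"):
            raise ValueError("Close As takes Benign or Remediated in the New Close Workflow")
        for d in entity.active():
            d.state = label

    def resolve(self, entity: Entity, outcome: str,
                mark_fixed: bool = False, triage_as: Optional[str] = None) -> None:
        # Legacy resolve: any outcome closes the assignment and triages the detections.
        if self.mode != LEGACY or outcome not in LEGACY_OUTCOMES:
            raise ValueError("resolve is a legacy action with one of the three outcomes")
        if entity.assignee is None:
            raise ValueError("no open assignment to resolve")
        if outcome == "Malicious True Positive" and mark_fixed:
            label = "Fixed"                       # "Mark as Fixed" on the remaining detections
        elif outcome == "Benign True Positive" and triage_as:
            label = triage_as                     # custom "Triage as" label
        else:
            label = "Triaged"                     # assumed generic label for the other cases
        for d in entity.active():
            d.state = label
        entity.resolved.append((entity.assignee, outcome))
        entity.assignee = None                    # the host is open for a new assignment


def scenario(mode: str, manual_unassign: bool = False) -> dict:
    """Assign, close, then let one more detection arrive; report who owns it."""
    model = AssignmentModel(mode)
    host = Entity("host-01")                      # constructed sample entity
    for i in (1, 2):
        model.new_detection(host, i)
    model.assign(host, "alice")                   # constructed sample analyst
    if mode == NEW_CLOSE:
        model.close_entity_as(host, "Remediated")
        if manual_unassign:
            model.unassign(host)
    else:
        model.resolve(host, "Malicious True Positive", mark_fixed=True)
    late = model.new_detection(host, 3)
    return {
        "entity_assignee": host.assignee,
        "late_detection_assignee": late.assignee,
        "states": {i: d.state for i, d in host.detections.items()},
        "resolved": list(host.resolved),
    }


if __name__ == "__main__":
    for mode in (NEW_CLOSE, LEGACY):
        print(mode, scenario(mode))
    print("new_close + manual unassign", scenario(NEW_CLOSE, manual_unassign=True))
```

Running the script shows the point of the caveat in the introduction: in the New Close Workflow the late detection lands on "alice" unless the assignment is removed by hand, whereas the legacy resolve leaves the entity unassigned and records the outcome for reporting.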

Frequently Asked Questions

Are there plans to reintroduce assignments on detections?

  • For context, when assignment first became available in the legacy workflow, it was possible to assign individual detections. Now it is only possible to assign all detections on an entity by doing the assignment at the entity level, as described in this article. Vectra does not plan to reintroduce assignments for individual detections.

Can I see previous assignments?

  • Currently we do not allow you to see assignment histories in the UI; however, this information is available via API.

Is there API support?

Can I get assignments working with my current ticketing system?

  • Yes, Vectra has a number of integrations with different ticketing systems and the APIs allow interaction with the assignment workflows.

  • Please see the following articles for more details:

RUX

  • Splunk SOAR: Vectra XDR for SOAR

  • Palo Alto Networks SOAR: Vectra XDR for XSOAR

  • ServiceNow SOAR: Vectra XDR for SIR

  • ServiceNow ITSM: Vectra XDR for ITSM

  • ServiceNow CMDB: Vectra XDR for CMDB

  • Google SecOps SOAR: Vectra XDR for SecOps SOAR

QUX

  • Splunk SOAR: Vectra Cognito Detect (NDR) Splunk SOAR

  • Palo Alto SOAR: Vectra AI for XSOAR

  • ServiceNow SOAR: Vectra Threat Detection for Security Operation

  • ServiceNow ITSM: Vectra Threat Detection for ITSM

  • Google SecOps SOAR: Vectra QUX for SecOps SOAR
