Assignment workflow FAQ (prior to New Close Workflow)
Introduction
Using the entity assignment/closure/resolution workflow enables all the detections attributed to a host or account entity to be assigned to an analyst. When closing or resolving detections at the entity level, all active detections are also closed as "Benign" or "Remediated" (New Close Workflow) or resolved with an outcome (legacy workflow), depending on which workflow is enabled in your deployment.
This data will drive reporting for Executive Overview and Operational Overview reports. The assignment workflow is meant to better capture the events of investigations and provide metrics to organizations about the efficiency of their security team.
There are currently two different workflows:
The "New Close Workflow" that is currently entering public preview in late June 2025.
Please see New Close Workflow for details.
The legacy workflow that exists in both RUX and QUX deployments prior to enabling the "New Close Workflow".
It may also be useful to refer to the Triage Best Practices article to learn more about triage actions, terminology, and how the assignment workflow is related. The "Close As" actions described in the Triage Best Practices article, when done at an entity level, do NOT close the assignment. Entity assignment must be changed or removed manually if you don't want new detections to be assigned to the same analyst when using the New Close Workflow.
Creating an Assignment
When an assignment has been created, all active detections assigned to the entity will also be assigned to the analyst. Any new detections that come in while there is an active assignment on the entity will also be assigned to the analyst.
New Close Workflow:
Your UI may look slightly different for QUX deployments because the scoring system is different but the process of assignment is still the same. Simply click on the "Unassigned" link, choose an analyst from the dropdown, and then click the checkmark to finalize the selection:

Legacy Workflow:
Your UI may look slightly different for QUX deployments because the scoring system is different, but the process of assignment is still the same. Simply click on the "Assign" link; a new panel opens on the left side of your entity where you can choose an analyst from the dropdown. Then click the checkmark to finalize the selection:


Changing or Deleting an Assignment
New Close Workflow:
Once an entity has been assigned, it will show as assigned to an analyst where it previously showed "Unassigned". Simply click on the analyst's name to change which analyst the entity is assigned to, or use the "Unassign" button to delete the assignment.

Legacy Workflow:
Once an entity has been assigned, it will show as assigned in a panel on the left side of the entity screen (where you chose the assigned user). Simply click on the "Edit" pencil icon to change the assigned analyst, or the "Trashcan" icon to delete the assignment.

Closing an Assignment
New Close Workflow:
To close an assignment in the New Close Workflow, all detections must be closed. This is done using the "Close As" button as shown in the screenshot below, either at the entity level or at the detection level.
When using “Close As” at an entity level, all active detections attributed to the entity will be closed (triaged) as either Benign or Remediated.
If the entity was assigned to an analyst, this does not close the assignment; the assignment must be changed or deleted manually.
When using "Close As" at the detection level, if you close the last remaining active detection on an entity, you can also choose to manually change or delete the assignment.
As described in the Triage Best Practices article, Benign or Remediated have specific meanings:
Benign - Use this option when you want to eliminate scoring impact for a detection, but no action was taken to stop the behavior from reoccurring in the environment. A potential use case is a red teaming event: since this was approved behavior, all that is desired is to remove the scoring impact for the entities that were involved.
Remediated - Use this option when some action has been taken that is meant to stop the behavior from reoccurring in the environment. Perhaps an infected machine was re-imaged, or a discussion was had with a user where they were told they should not scan the server subnet.
Legacy Workflow:
To close an assignment, click on the "Checkmark" icon on the right side of the "Assigned User" panel on the left side of your entity screen. When resolving an entity assignment using the Legacy workflow, choosing any outcome will close the assignment, and triage the individual detections.

Examples for Both Workflows:
New Close Workflow
Legacy Workflow


Legacy Workflow Additional Guidance
When closing an assignment using the legacy workflow, you can choose an outcome of Benign True Positive, Malicious True Positive, or False Positive.
Malicious True Positive - A Malicious True Positive event is an event that is categorized by the Vectra system as a potential threat and is found to be an actual threat. This could be an entity that was flagged as ransomware and during an investigation was found to be compromised.
Benign True Positive - A Benign True Positive event is one where the behavior was correctly identified by the Vectra system, however the behavior was allowed. For example, this can be Shadow IT or Red Team behavior. Many alerts will fall into this category.
False Positive - A False Positive event is an event that the Vectra system completely mislabeled. This is an infrequent occurrence within the system and should be used sparingly.
If you choose "Malicious True Positive", you can also choose whether to mark the remaining untriaged detections on the entity as "fixed". "Fixed" is the same as "Mark as Fixed" when using the legacy workflow and performing triage actions, and has essentially the same meaning as "Remediated" in the New Close Workflow: some action has been taken that is meant to stop the behavior from reoccurring in the environment. Perhaps an infected machine was re-imaged, or a discussion was had with a user where they were told they should not scan the server subnet.

If you choose "Benign True Positive", you can also choose to triage the remaining untriaged detections on the entity as custom. This is essentially an individual triage action against all of these detections, and you have a choice of how to label these detections in the "Triage as" box.

After choosing the outcome, selecting the resolve button will close out the assignment. This outcome is recorded within Vectra to be used for reporting. The system will also record different aspects of the entity like detections, tags, etc. which will also show up in the reports.
With this resolution, the host is now open to being assigned if new detections come in or if there is another investigation.
Frequently Asked Questions
Are there plans to reintroduce assignments on detections?
For context, when assignment first became available in the legacy workflow, it was possible to assign individual detections. Now it is only possible to assign all detections on an entity by doing assignment at the entity level, as described in this article. Vectra does not plan to reintroduce assignments for individual detections.
Can I see previous assignments?
Currently we do not allow you to see assignment histories in the UI; however, this information is available via API.
Is there API support?
Yes. Please see Operational Metrics Report - Supplying Assignment Data Using Vectra's API for examples using the v2.x API.
Please see the following resources for details on using Vectra's APIs:
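Since assignment history is only reachable through the API, a common next step is to turn the raw assignment records into the kind of team-efficiency metrics the Executive Overview and Operational Overview reports are built on (time to resolve, outcome mix, load per analyst). The following is an added example, not code from this article or from Vectra: it assumes that the v2.x endpoint /api/v2.5/assignments returns a JSON list of assignment objects carrying date_assigned, date_resolved, assigned_to and outcome fields and that the API accepts a "Token" Authorization header. Those names are assumptions to be verified against the API documentation for your deployment. The demonstration runs offline against a constructed sample response; the fetch helper is included for completeness but is not called.

```python
import json
import statistics
from datetime import datetime, timezone
from typing import Optional
from urllib.request import Request, urlopen

# Constructed sample in the shape this example ASSUMES for a v2.x
# /assignments response. Field names are assumptions, not taken from
# the article or the Vectra API docs. Timestamps are ISO 8601 UTC.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"id": 101, "host_id": 7, "account_id": None,
         "assigned_to": {"id": 3, "username": "alice"},
         "date_assigned": "2025-06-02T09:00:00Z",
         "date_resolved": "2025-06-02T11:30:00Z",
         "outcome": {"id": 1, "title": "Benign True Positive"}},
        {"id": 102, "host_id": None, "account_id": 42,
         "assigned_to": {"id": 4, "username": "bob"},
         "date_assigned": "2025-06-03T08:00:00Z",
         "date_resolved": "2025-06-04T08:00:00Z",
         "outcome": {"id": 2, "title": "Malicious True Positive"}},
        {"id": 103, "host_id": 9, "account_id": None,
         "assigned_to": {"id": 3, "username": "alice"},
         "date_assigned": "2025-06-05T10:00:00Z",
         "date_resolved": None,   # still open: excluded from time-to-resolve
         "outcome": None},
    ]
})


def load_sample() -> list:
    """Return the constructed sample records as the API client would."""
    return json.loads(SAMPLE_RESPONSE)["results"]


def fetch_assignments(base_url: str, api_token: str) -> list:
    """Hypothetical fetch of assignment records from a Vectra v2.x API.

    The path and the "Token" auth scheme are assumptions; check them
    against your deployment's API documentation. Not called below.
    """
    req = Request(f"{base_url}/api/v2.5/assignments",
                  headers={"Authorization": f"Token {api_token}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)["results"]


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp ending in Z into an aware UTC datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def summarize(assignments: list) -> dict:
    """Turn raw assignment records into reporting-style metrics.

    Open assignments (no date_resolved) count toward load per analyst but
    are excluded from time-to-resolve and from the outcome distribution.
    """
    hours_to_resolve = []
    outcomes: dict = {}
    per_analyst: dict = {}
    open_count = 0
    for a in assignments:
        analyst = a["assigned_to"]["username"]
        per_analyst[analyst] = per_analyst.get(analyst, 0) + 1
        resolved = _parse_ts(a.get("date_resolved"))
        if resolved is None:
            open_count += 1
            continue
        assigned = _parse_ts(a["date_assigned"])
        hours_to_resolve.append((resolved - assigned).total_seconds() / 3600)
        title = (a.get("outcome") or {}).get("title", "Unknown")
        outcomes[title] = outcomes.get(title, 0) + 1
    return {
        "total": len(assignments),
        "open": open_count,
        "resolved": len(hours_to_resolve),
        "mean_hours_to_resolve": (round(statistics.mean(hours_to_resolve), 2)
                                  if hours_to_resolve else None),
        "outcomes": outcomes,
        "assignments_per_analyst": per_analyst,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(load_sample()), indent=2))
```

Because the legacy workflow records an outcome (Benign True Positive, Malicious True Positive, False Positive) on resolution, the outcome counts map directly onto the resolution choices described above; an entity closed with "Close As" in the New Close Workflow but never unassigned will keep showing up in the open count, which is one way to spot assignments that were left behind.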
Can I get assignments working with my current ticketing system?
Yes, Vectra has a number of integrations with different ticketing systems and the APIs allow interaction with the assignment workflows.
Please see the following articles for more details:
RUX
QUX