New close workflow

Introduction

This article describes the New Close Workflow functionality that is currently entering public preview. The feature is designed to streamline triage, make the resolution of each action explicit, and record the outcome of every closure so that outcomes can be reported on. The existing Operational Metrics report is disabled when the New Close Workflow is enabled. Vectra is working on a new Operational Overview report that will show more detail on New Close Workflow outcomes; today, some tracking of outcomes is already available in the Executive Overview report.

When this feature is enabled, new Close As options are available for detections and entities. These options will eventually replace the former Filter just this detection and Mark as Fixed options. Note that entity assignments are NOT closed when using Close As at the entity level; the assignment must be changed or deleted manually.

The Triage Best Practices article provides detailed guidance for triage actions and terminology. The New Close Workflow described in this article also changes how some aspects of triage work. When it is enabled, Mark as Fixed and Filter just this detection are no longer offered. Instead, a detection must be closed as Benign or Remediated, or a Create Filter Rule action can be used to triage the detection, future detections of the same kind, and other active detections that have not yet aged out of the system.

The Assignment Workflow FAQ provides guidance for using assignment at an entity level.

How to Enable

Once available in your Vectra UI, navigate to Configuration → SETUP → General Settings → New Close Workflow and edit the setting to turn on the feature.

During the public preview of the New Close Workflow feature, the feature is opt-in: you must explicitly enable it. Vectra plans to change this to opt-out in the future, and eventually the new workflow will fully replace the legacy workflow for assignment resolution and detection closure. There is no set date for the full deprecation of the legacy workflow, but it is recommended to opt in when you can and get used to the new workflow.

What Changes When Enabling the New Close Workflow?

Entity Assignment and Closure/Resolution

When working with entities (hosts and accounts) in Vectra products, you can assign the entity to an analyst. Internally, this assigns all of the entity's active detections to the chosen analyst. Detections can then be closed or filtered/resolved individually or at the entity level. When closing at the entity level, all assigned detections are also closed, but the assignment, if present, remains until it is changed or deleted manually.

Filtering or Closing Individual Detections

Individual detections can be filtered or closed so that the detection no longer contributes to the entity's score. This can be done per detection or in bulk. The options available vary based on where you are in your Vectra UI and whether you have enabled the New Close Workflow.

Via Individual Detection Pages:

New Close Workflow

Legacy Workflow

Via Bulk Actions From the Detections Page in Your UI:

New Close Workflow

Legacy Workflow

Closing or Resolving All Active Detections on an Entity

When using the New Close Workflow or when working with entity assignment and resolution in the original workflow, all active detections can be triaged easily at once at an entity level.

  • When using Close As at an entity level, all active detections attributed to the entity will be closed (triaged) as either Benign or Remediated.

    • If the entity was assigned to an analyst, this does not close the assignment. If you wish for future detections to not be assigned to the same analyst, change or delete the assignment.

  • When resolving an entity assignment using the older workflow, choosing any outcome will triage the individual detections and close the assignment.

New Close Workflow

Legacy Workflow

Why Should Entity Assignments / Detections Be Closed?

Vectra is in the process of rolling out updated reports. The Executive Overview report is already available for RUX deployments and is targeted to be available for QUX deployments in v9.2.

Vectra is also working on a new Operational Overview report that tracks things like:

  • MTTA - Mean Time To Assignment

  • MTTI - Mean Time To Investigate

  • MTTR - Mean Time To Resolve

Using entity assignments and closing the detections assigned to an entity drives the numbers on these reports and helps measure how effectively the SOC team handles the alerts the system prioritizes. Detections that are left open or merely filtered never receive a closure timestamp, so they cannot contribute to a resolution metric.
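The following is an added illustration, not Vectra code or a description of the Vectra API, of how entity-level assignment and Close As feed the three metrics named above. The data model, the `assign_entity` and `close_entity_as` helpers, and the metric definitions (MTTA as detection creation to assignment, MTTI as assignment to first investigation step, MTTR as creation to closure) are assumptions made for this example; the page does not define how Vectra computes them. The sample detections are constructed.

```python
"""Toy model of entity assignment, Close As and the MTTA/MTTI/MTTR metrics.

Assumptions (not taken from the Vectra documentation):
- MTTA: mean hours from detection creation to assignment
- MTTI: mean hours from assignment to first investigation step
- MTTR: mean hours from detection creation to closure
Detections that never reach a stage are excluded from that stage's mean.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Close As outcomes offered by the New Close Workflow, per the article.
OUTCOMES = {"Benign", "Remediated"}


@dataclass
class Detection:
    det_id: str
    entity: str
    created: datetime
    assigned: Optional[datetime] = None
    investigated: Optional[datetime] = None
    closed: Optional[datetime] = None
    outcome: Optional[str] = None

    @property
    def active(self) -> bool:
        return self.closed is None


@dataclass
class Entity:
    name: str
    assignee: Optional[str] = None


def assign_entity(entity: Entity, detections: list, analyst: str, when: datetime) -> None:
    """Assigning an entity assigns every active detection on it to the analyst."""
    entity.assignee = analyst
    for d in detections:
        if d.entity == entity.name and d.active and d.assigned is None:
            d.assigned = when


def close_entity_as(entity: Entity, detections: list, outcome: str, when: datetime) -> int:
    """Close As at entity level: closes all active detections, leaves the assignment."""
    if outcome not in OUTCOMES:
        raise ValueError(f"unsupported Close As outcome: {outcome!r}")
    closed = 0
    for d in detections:
        if d.entity == entity.name and d.active:
            d.closed = when
            d.outcome = outcome
            closed += 1
    # Deliberately no change to entity.assignee: the assignment must be
    # changed or deleted manually, as the article states.
    return closed


def _mean_hours(pairs) -> Optional[float]:
    """Mean elapsed hours over (start, end) pairs, skipping incomplete ones."""
    deltas = [(end - start).total_seconds() / 3600
              for start, end in pairs if start is not None and end is not None]
    return round(mean(deltas), 2) if deltas else None


def metrics(detections: list) -> dict:
    return {
        "MTTA_h": _mean_hours((d.created, d.assigned) for d in detections),
        "MTTI_h": _mean_hours((d.assigned, d.investigated) for d in detections),
        "MTTR_h": _mean_hours((d.created, d.closed) for d in detections),
        "unclosed": sum(d.active for d in detections),
    }


def demo():
    """Constructed scenario: two detections on one host, one on an unrelated account."""
    t0 = datetime(2024, 1, 1, 9, 0)
    host = Entity("host-42")
    dets = [
        Detection("D1", "host-42", t0),
        Detection("D2", "host-42", t0 + timedelta(hours=1)),
        Detection("D3", "acct-7", t0),  # never assigned or closed: no MTTR contribution
    ]
    assign_entity(host, dets, "analyst.a", t0 + timedelta(hours=2))
    for d in dets:
        if d.entity == "host-42":
            d.investigated = t0 + timedelta(hours=3)
    closed = close_entity_as(host, dets, "Remediated", t0 + timedelta(hours=5))
    return host, dets, closed, metrics(dets)


if __name__ == "__main__":
    host, dets, closed, m = demo()
    print(f"closed {closed} detections; assignee still {host.assignee!r}")
    print(m)
```

Running the scenario closes both host detections as Remediated while `host.assignee` remains set, and the unassigned, unclosed detection on `acct-7` is counted under `unclosed` but contributes to none of the means.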
