This article discusses how to use the tools in the Stories Workbench to manage story investigations.
For more about the Stories Workbench, see Reviewing Detection & Response Stories for Your Account.
The Stories Workbench drill-down page provides tools that help your analyst team track and manage the story investigation throughout the story lifecycle. You can perform a number of different actions to manage and record results of the story investigation, such as defining a verdict for the story, or setting the status to closed. You can also post comments on a story to detail the progress of the investigation and aid in collaboration with other team members. The page also lets you create a Mute Stories rule for when you determine that a story is benign and want the XDR engines to stop generating stories for similar incidents.
Note: For MDR customers, please contact <mdr@catonetworks.com> to define Mute Stories rules for your account.
The Story Actions panel lets you perform various actions to manage the story. These are the actions you can perform:
- Set the Analyst Verdict - Define the story as Suspicious, Malicious, Informational, or Benign
  - When you set a verdict to Suspicious, Informational, or Benign, you can then also define:
    - Type - Select the specific threat type from the dropdown list. When you select a Type, details about the type and recommended actions are shown
    - Classification - Select a more detailed description of the threat from the dropdown list. The Classification section appears only after selecting a Type
  - When you set the verdict to Malicious you can then also define:
    - The story Severity. Possible values are High, Medium, and Low.
    - Type - The Type section appears only after selecting a Severity.
    - Classification - The Classification section appears only after selecting a Type.
- Enter Additional Info - Add information relevant to the story
- Set the story Status - Possible values are Closed, Open, Pending Analysis (for example, for when the story is awaiting attention from an analyst), and Pending More Info (for example, for when a story is awaiting a reply from a customer)
- Add the story to a new Muted Stories rule. For more about mute stories, see Muting Detection & Response (XDR) Stories.
Use the Story Comments panel to post comments that help track the story investigation. When you post a comment, it is visible to all users with permissions to view the story. Additionally, some comments are created automatically by the system to help track significant developments in the story lifecycle, such as when the story is created or when new targets related to the story are identified.
You can delete a comment that you posted, but can't delete other comments. Comments can't be edited. Only text can be entered in a comment.
The number of comments posted for a story appears on the Comments button in the story drill-down page.
- Comments are limited to 500 characters
- A single story can't have more than 200 comments