Manage Custom Insight Resolutions

This topic has information about custom Insight resolutions and how to create and manage them.

About Insight resolutions

When you close an Insight, Cloud SIEM prompts you to select a resolution that indicates why you closed it. There are four built-in resolutions:

• Duplicate — The insight has triggered before on the same entity and is a duplicate.
• False Positive—An insight triggered and it is legitimate activity.
• No Action—An insight triggered and it might not be an incident but is also not a false positive.
• Resolved — An incident occurred and was resolved.

You can define custom sub-resolutions for any of the built-in resolutions. This enables you to create more granular resolutions that indicate more clearly why an Insight was closed. For example, you might want to create a “Remediated” sub-resolution under “Resolved”.

Create a custom sub-resolution

1. Classic UI. In the top menu select Configuration, and then under Workflow select Resolutions.
   New UI. In the top menu select Configuration, and then under Cloud SIEM Workflow select Insight Resolutions. You can also click the Go To... menu at the top of the screen and select Insight Resolutions.
2. On the Insight Resolutions page, click Create.
3. The Create Insight Resolution page appears.
   1. Name. Enter a meaningful name for the new resolution.
   2. Parent Resolution. Display the dropdown list and select a built-in resolution.
   3. Description. (Optional) Enter a description that will help other users understand when to use the new resolution.
   4. Click Create.
      
   5. The new resolution appears on the Insight Resolutions page, indented below the parent resolution.

Close an Insight using a custom resolution

1. After navigating to an Insight, you can close it by either clicking the Close Insight button or by selecting Closed from the Status pulldown.
   
   The Close Insight dialog box appears.
   
2. Click Resolution. The list of resolutions appears, including any custom sub-resolutions that have been defined.
   
3. Click the appropriate resolution for the Insight.
4. In Additional Comments add a comment if desired.
5. Click Close Insight to apply the selected resolution and close the Insight.

Filter Insights by custom resolution

You can filter Insights by custom resolution.

1. On the Insights page, check the Filters area and make sure that the Status filter is not set to “is not closed”.  
2. Click in the Filters area and select Custom Resolution. 
   
3. You’re prompted to select an operator: is or is not.
4. After you choose an operator, you're prompted to select a custom resolution.
5. Select a resolution to view Insights that have that resolution.