Functionally, ActOns are classified into the following types:
Resolutions is a centralized place where you can view detailed information, including the status, date of creation, summary, and who is responsible for taking action against an ActOn.
ActOn Integrations
Resolution Intelligence Cloud empowers you to generate respective tickets via successful downstream integrations of ITSM (including Jira, ConnectWise, and ServiceNow) and security (includes Chronicle SOAR) once an ActOn is generated in our platform.
To get ActOn integrations, subscribe to an appropriate plan after you have registered with Resolution Intelligence Cloud. Visit this page for more details on the available plans.
Features of ActOns
- Enable the security analysts to prioritize what is important and when to take necessary actions to mitigate the risk posed by threats from the external environment.
- Ensure effective communications such as - Automated emails and Scripted responses among the users of an organization.
- Assign to the respective individual or group in an effective manner to notify them in real-time.
- Enable automatic routing of similar signals, and SLA tracking.
- Build consistency and confidence in the support process of an organization.
- Provide visibility and reporting dashboards by type, class, status, and priority.
Switching between card and list views of ActOns
The ActOn interface can be customized to display information based on user preferences. By default, it opens in the card view, where users can see individual ActOn cards. Clicking a card opens the ActOn workspace, allowing users to update ActOn details. Alternatively, the list view presents all ActOns in a structured list format.
Users can choose to set the default view—either card or list view—and this preference is retained across sessions. The selected default view remains active each time you log in, until you manually change it.
To switch between views:
- Navigate to Resolutions > ActOns. The ActOns home page displays all available default and custom streams.
- Click the kebab menu, hover over Display, and select List View. By default, the card view is selected. This takes you to the ActOns list page.
- To set card or list view as default view, select Set as Default View.
Card View
In the card view, the ActOns UI has been divided into 3 sections:
- Streams- apply any custom or default stream to view ActOns in the ActOns feed based on the filter criteria defined in the selected stream. Refer to this article for more information on streams.
- ActOns' cards- displays all ActOn cards in the list form.
- ActOns' work area - provides a unique interface to identify, acknowledge, and remediate ActOns before they become incidents. Prioritize, assign, resolve, make active or inactive, and add a user to the watch list to streamline your team's collaboration and resolve issues faster.
ActOn cards
All ActOns are displayed as ActOn cards. Newly created ActOns are appended to the list automatically, or you can use the Refresh option to view all ActOns created up to that moment. Each ActOn card displays the following details:
- Status – The current status of the ActOn.
- Title or Subject – A brief summary of the issue for quick identification.
- Organization – The organization under which the ActOn was created. On hover, you can view the copy option next to the organization and tenant names.
- Tenant – The tenant in which the ActOn was created.
- ActOn Type – The type of the ActOn, such as Security or Digital Ops.
-
SLA Time – Indicates the response and resolution times based on the severity of the ActOn.
- If marked as Overdue, the resolution time has passed.
- If a countdown is shown, it represents the remaining time to resolve the ActOn within the defined SLA.
- Team Assigned – Displays the assigned team, if one has been designated.
- Owner Assigned – Displays the assigned owner, if one has been designated.
Card View Column Options in ActOns
The Card View in the ActOns module provides several controls that allow you to customize how ActOns are displayed and interacted with. These options help you tailor the view for better readability, accessibility, and efficiency in managing incidents. Below are the key features available in the card view column:
-
Switch between Card View and List View
Select to switch between a visual card layout and a traditional list format, depending on your preference. Learn how to switch between views by referring to this section. -
Switch between Compact and Expanded View
Adjust the density of information displayed on each card—compact view shows more cards in limited space, while expanded view provides more details at a glance. Learn how to switch between compact and expanded views by referring to this section. -
Search Option
Use the search bar to quickly find specific ActOns by ActOn by ActOn ID, Title, Signal ID, External ID, and Summary. -
Applied Filters
View and manage active filters to narrow down the ActOns list based on ActOn Type, Status, Priority, Stage, Organizations, Tenants, Functions, Signal Source, Tags, Class, Sub-class, Category, Sub-category, Entities, Entity Groups, Last Updated by, Teams and Owners and Escalation triggered. Read on this section to learn more about applied filters. -
Sort By and Order By
Sort the ActOns based on different options. Read this section for more information.
Switch Between Compact and Expanded Views of ActOns
You can switch between compact and expanded views in the list view of ActOns to control how much information is displayed on each ActOn card.
Users can choose to set the default view—either Compact or Expanded view—and this preference is retained across sessions. The selected default view remains active each time you log in, until you manually change it.
To switch views:
- Navigate to Resolutions > ActOns. The ActOns home page displays all available default and custom streams.
- Click the kebab menu (three dots) in the top-right corner.
- Hover over Data Density and select either Compact or Expanded.
Note: To set a default view either a Compact or Expanded, select Set as Default View.
By default, the Compact view is selected, showing minimal information for each ActOn.
In the Expanded view, additional details such as the organization and tenant associated with each ActOn are displayed.
Sorting ActOn
In the card view, click left arrow or right arrow
icons to enlarge or converge an ActOn filters panel and list panel. This action allows you to perform a detailed analysis on an ActOn.
Refresh icon to load the latest updates in the ActOns feed.
You can sort and order all ActOns in the second column by the following options using button.
| Item | Description |
|
Sort by | |
| Created Date | The date on which the ActOn generated for the first time. |
| Updated Date | The date on which some updates done in an ActOn. For example, status has been changed from "acknowledged" to "in progress". |
| Priority | Assigned level of importance (most important on top). Possible values are P0,P1,P2,P3,P4. |
| Scheduled activity | View the ActOns that are on hold to carry out scheduled activities. |
| Order by | |
| Newest on top | Recently generated ActOns appear on top. |
| Oldest on top | Past ActOns appear on top. |
Search any ActOn by ActOn ID, Title, Signal ID, External ID, and Summary in the search bar to obtain the ActOn you want.
Applied filters
The filter values displayed in the Applied Filters section of the ActOns card column are determined by the currently selected stream. Filter values chosen during stream creation appear in a grayed-out state within the applied filters. If users want to further narrow down the results, they can use other filter options aside from the grayed-out ones.
Similarly, default streams have fixed filter values that cannot be changed. These fixed filters help maintain the integrity and focus of the stream’s intended purpose. For example, in the Critical ActOns stream, the filters for Status and Priority are preset to "new" and "P1," respectively, reflecting the stream’s focus on the most urgent and unresolved items. While these two filter values cannot be altered, you can adjust other available filters—such as date ranges, assigned teams, or categories—to further refine and tailor the results to your specific needs.
To access applied filters:
- Go to Resolutions > ActOns. The ActOns home page will display all available streams.
- In the ActOns cards shown in list form, click Applied Filters. This opens the Applied Filters pop-up.
- Select filter values apart from the graded out ones to further narrow down the results within the selected stream.
- Click Apply to view the filtered results.
ActOn Work space
The workspace layout for Digital and Security ActOns is the same; the only difference lies in the information presented. You can view the screenshots below to see how the content varies between Digital and Security ActOns.
The following screenshot shows the workspace for a Digital ActOn.
The following screenshot shows the workspace for a Security ActOn.
The ActOn contains the following items in its UI:
- Title: The ActOn title emerges from the type of signals that are correlated as a result of correlation rules. However, you can customize the title of an ActOn as per your desired criteria. The character limit for title is up to 160.
- Acton ID: The ActOn ID is a unique identifier assigned to an ActOn generated by the internal monitoring system. Hover over the ID to view details such as the policy that created the ActOn, the creation time, and the ID itself. A copy icon is available next to the ActOn ID for easy copying.
- Sync ActOn: Users can now manually sync ActOn details to external applications, such as SOAR, ServiceNow, ConnectWise, and JIRA. For more information, refer Sync Acton section.
- Assign Priority: You can assign a Priority level to ActOn to distinguish which ActOns need attention first. To assign Priority to an ActOn, select one of the priorities from the drop-down on top of the ActOn.
- Assign Stage: You can assign a stage to an ActOn by selecting the appropriate stage value, indicating its phase in the ActOn lifecycle. This helps track the progress and current phase of an ActOn more effectively.
- Assign Team: You can assign a team to an ActOn. For more information, refer Team assignment to ActOns.
- Assign Owner: You can assign a team member from the selected team as the owner of the ActOn, (or) you can choose to assign it to someone outside the team to work on.
By default, the auto-validation system assigns the ROBO as the owner. However, you can assign a new owner to an ActOn to notify the respective personnel to take action against that ActOn. To assign an owner, click Owner on top of the ticket and assign yourself, or search and select a user using the search bar. You can assign any user as an owner who belongs to domain, organization or tenant. Refer to this article to learn what actions a ROBO can perform to resolve or close the ActOn.
- Watchers: You can add a watcher to monitor the ActOn. The watcher will receive real-time notifications whenever critical updates are made, helping them stay informed. See this article to learn how to add or remove watchers.
- Escalate: Click the Escalate button to select an escalation policy from the drop-down menu. This action notifies the on-call members until someone acknowledges the ActOn. The users with the roles - Global Admin, Responder, Owner, Manager, Config Manager can escalate the ActOn. Currently, this feature is applicable to domains, organizations, and tenants.
Key Actions in the ActOns Workspace
Syncing an ActOn with external ITSM apps
ActOn details can be synced with SOAR, ServiceNow, ConnectWise, or JIRA at the domain, organization, or tenant level, where ActOns are created as tickets in JIRA, ServiceNow, and ConnectWise, and cases in SOAR. This bidirectional synchronization ensures that any updates made to ActOns in Chronicle SOAR, ServiceNow, ConnectWise, or JIRA are automatically reflected in the Resolution Intelligence Cloud, and vice versa, enabling real-time data synchronization.
Both digital operations (digital ops) and security ActOns can be synced with external apps. However, for digital ops, synchronization is only available with JIRA, not with SOAR.
Prerequisites
Tenant mapping in JIRA, ConnectWise, ServiceNow, or SOAR is required, depending on the external application to which you want to sync the ActOn details. To map tenants, refer to the Mapping Tenants section.
To sync the ActOn with an external application manually:
- Open a Security or Digital Ops ActOn.
- Click the Sync ActOn link corresponding to the ActOn ID. This opens the Sync ActOn window.
3. Click Sync Now corresponding to the external application with which you want to sync the ActOn details. Possible values:
- SOAR (or)
- ConnectWise
- ServiceNow
- Jira
Note: You can only view the ITSM app or SOAR that is enabled and configured in Integrations. Only one ITSM app can be enabled at a time.
Once the sync is successful, an external ID is created with a link. You can click on this ID to redirect to the respective external application to view the ActOn details.
Tags
Tags help you classify ActOns. The tags are created in a key-value format. You can view the tags that are added through external systems, in addition to the tags you add in the ActOn workspace.
Adding tags
To add tags to an ActOn,
- Navigate to Resolutions --> ActOns.
ActOns home page opens. - Click the ActOn to which you want to add a tag. This opens the ActOn work area.
3. Click More details to add tags. This expands the view, allowing you to see the following information:
- External App: Sync Now – This option appears if the ActOn is not synced with any external app. If it is synced, the external ticket ID is displayed.
Request Type – The request type assigned to an ActOn. It can be either an incident or a service request.
Service Category – The category under which the request type falls. This option is visible only for service requests.
- Created time – The timestamp when the ActOn was created.
- Last updated – The timestamp when the ActOn was last updated.
- First signal created time – The timestamp when the first signal associated with this ActOn was created.
4. Click Add tag. This opens the Manage Tags side panel.
5. Enter the tag in the key:value format and click the plus button to add the tag. You can add as many tags you want.
6. Click Submit to associate tags to an ActOn. The added tags are visible next to the tags icon in the ActOn Workspace.
ActOn Status
The signal status is determined by the most recent update received from the source monitoring system. The status of an ActOn is determined by the severity of each situation.
By default, an ActOn is assigned to any one of the following statuses: However, you are free to change the status of an ActOn to the status you desire at anytime once you create new statuses or rename the existing status. Once an ActOn is moved to a closed or resolved state, escalations to the on-call user stop.
| Status | Description |
| New | ActOn has arrived recently and has not yet been acknowledged by the support team. |
| Acknowledged | The respondent has seen the ActOn and owns an ActOn. |
| In Progress | ActOn has acknowledged it and started working on it. |
| On hold | Put on hold due to awaiting evidence, awaiting for the user, etc. |
| Healed | ActOn got resolved on its own. |
| Resolved | Remediation has taken and resolved the issue. |
| Closed | Remediation has taken and resolved the issue. |
Priorities and their respective colors are assigned to each ActOn based on the score calculated from impact, likelihood, and confidence factors.
| Priority | Color | Description |
| P4 | Green | ActOn is resolved and has no impact on the asset. |
| P3 | Yellow | The monitoring system has detected an issue. For example, CPU cache is low. |
| P2 | Light Orange | The ActOn has been acknowledged in the source system or the monitored object is under scheduled maintenance. |
| P1 | Orange | The monitoring system has detected a serious problem. For example, a service is unavailable or a maximum usage threshold has been exceeded. |
| P0 | Red | A potential issue is detected and poses a serious impact on assets if not resolved within the SLA period. |
Changing status of an ActOn
You have the flexibility to tailor the existing statuses to match the specific needs and workflows of your organization. You can often modify existing ones to align with your business requirements, which ensures collaboration and productivity. Before changing the status, you should configure your desired status by using the Configurable Statuses procedure.
To change the existing status to a new one,
- Navigate to Resolutions --> ActOns.
ActOns home page opens. - Click the ActOn in which you would prefer to change the status.
- Click Status located below the ActOn name.
A drop-down menu opens where you can find the statuses that you have configured. - Select your desired status and click Done.
Your desired status will be assigned to that ActOn.
In case you are closing the ActOn, follow these additional steps:
5. Select the status as Closed and click Done. This will open a side panel where you can enter the reason for closing the ActOn.
6. Select the reason from the following options:
- Benign – The ActOn does not pose a significant impact.
- False positive – The ActOn was incorrectly identified as an anomaly.
- Resolved – The ActOn has been successfully resolved.
- Self-heal – The signal was automatically resolved without human intervention.
- Closed by external system – The ActOn was closed by an external system.
7. Enter the resolution note in the text box provided. You can use formatting options to enhance the note if needed.
8. Enter the amount of time spent resolving this ActOn, in minutes.
9. Click Submit to close the ActOn.
Marking an ActOn as On Hold
You can mark an ActOn as On Hold when it requires temporary suspension due to specific conditions. There are three predefined reasons for placing an ActOn on hold:
- Pending action – Awaiting a task or decision.
- Waiting for external inputs – Awaiting input or data from external sources.
- Scheduled activity – Planned maintenance or operational activity, such as applying patches or implementing security updates, for a defined period.
When Scheduled activity is selected, additional fields appear to capture the expected duration and relevant notes.
To mark an ActOn as On-hold:
- Navigate to Resolutions → ActOns. The ActOns homepage opens.
- Click the ActOn you want to place on hold.
- In the Status section, select On Hold, then click Done. This opens the On-Hold ActOn side sheet.
- Choose a reason for putting the ActOn on hold:
- Pending action
- Waiting for external inputs
- Scheduled activity
- If Scheduled activity is selected:
- By default, your profile time zone is selected. If needed, you can change it by selecting a different time zone from the available options.
- Enter the duration of the activity in the Activity time field.
- Provide details in the Scheduled note section.
Rescheduling an Activity
Use this procedure to reschedule an activity to a later date. You can reschedule the activity before, during, or after the originally scheduled time window.
To reschedule the activity:
Navigate to Resolutions → ActOns.
The ActOns homepage appears.Click on the ActOn you want to place on hold.
In the Status section, select On Hold, then click Done.
This opens the Reschedule Activity side sheet.Update the activity window by selecting new start and end times, and add a scheduled note (optional) to provide context.
Click Submit to save the updated schedule.
The activity will now reflect the new scheduled period.
Selecting a Reason for Team Assignment
When assigning a team at the domain level in a multi-tenancy setup, you are required to specify the reason for selecting a team from predefined options. This requirement applies only when assigning teams within organizations or tenants under the domain.
To select a reason for team assignment:
- Navigate to Resolutions → ActOns. The ActOns homepage is displayed.
- Click on the ActOn you want to assign to a team at the organization or tenant level.
A side sheet opens, prompting you to select a reason for the team assignment. - Choose a reason from the predefined list.
- Optionally, add comments in the Comments field.
- Enter the Time Spent in minutes for the work done on this ActOn.
- Click Submit to complete the assignment.
The selected reason, comments, and time spent are recorded and the reason can be viewed in the Activity tab under the History section.
Table/List View
In the table/list view, the ActOns UI has been divided into 2 tabs:
- Streams- apply any custom or default stream to view ActOns in the ActOns feed based on the filter criteria defined in the selected stream. Refer to this article for more information on streams.
- ActOns' feed - displays all ActOns in a list form.
Other options available on the List View page of ActOns:
- Search: Search for a specific ActOn by entering the ActOn title or ID.
- Refresh: Refresh the page to sync and display the latest ActOns.
- Switch between views: Click the kebab menu and select Display to access view options. Choose Card View to switch back to the card layout. You can also set this as the default view. A confirmation modal will appear to confirm if you want to make the Card View the default.
- Applied Filters: View the filters applied to the selected stream on the left. To learn more about applied filters, see this section.
- Table Settings: Customize the table by selecting and reordering columns to focus on metrics that help with ActOn remediation.
You can apply the following actions to one or more ActOns by selecting the checkbox next to each one. Once selected, two options are enabled: Update and Close ActOns. These options are visible to users with roles - Global admin, Owner, Config manager, Responder, and Manager.
Closing ActOns
You can close the ActOns from the listing page using the following procedure.
1. Select the check box corresponding to the ActOns you want to close.
2. Click the Close ActOns option. This will open a side panel where you can enter the reason for closing the ActOn.
3. Select the reason from the following options:
- Benign – The ActOn does not pose a significant impact.
- False positive – The ActOn was incorrectly identified as an anomaly.
- Resolved – The ActOn has been successfully resolved.
- Self-heal – The signal was automatically resolved without human intervention.
- Closed by external system – The ActOn was closed by an external system.
4. Enter the resolution note in the text box provided. You can use formatting options to enhance the note if needed.
5. Enter the amount of time spent resolving this ActOn, in minutes.
6. Click Submit to close the ActOn.
Updating Multiple ActOns
To update the stage, status, notes, team, owner, and/or priority of multiple ActOns simultaneously, use the Update option.
To perform a bulk update of ActOns:
- Navigate to Resolutions → ActOns. The ActOns home page opens.
- Click the kebab menu, point to Display, and select List View.
- Select the check boxes for the ActOns you want to update. This enables the Update option.
- Click Update to open the side sheet.
- Choose the status, priority, and/or stage for the selected ActOns.
- Select the team and owner to be assigned to the ActOn.
- Provide notes. To add notes, refer to the Adding Floating Notes article.
- Click Confirm to apply the updates to all selected ActOns.
Comments
0 comments
Please sign in to leave a comment.