Skip to main content

Working with ActOns

  • Updated
Table of Contents:

An ActOn is an actionable insight that empowers security analysts to make faster decisions. An ActOn identifies a situation that may cause or has already caused a negative impact on an organization’s confidentiality, integrity, and/or availability (CIA), and it provides the situational awareness needed to quickly determine an appropriate response.
 
ActOns gather, prioritize, and present curated, contextual data — like related alerts, events, asset, and user data, evidence, and more. Data can paint a picture of what happened, but related data — or situational awareness — explains why it happened. It’s often the “why” (versus the “what”) that makes an insight actionable.
 
Each ActOn has a quantified risk score (based on likelihood, impact, and confidence), so security and IT analysts know where to focus first. ActOns increase efficiency and effectiveness by giving teams the contextual information they need at their fingertips to make informed decisions as quickly as possible.

Functionally, ActOns are classified into the following types:

Resolutions is a centralized place where you can view detailed information, including the status, date of creation, summary, and who is responsible for taking action against an ActOn.

ActOn Integrations

Resolution Intelligence Cloud empowers you to generate respective tickets via successful downstream integrations of ITSM (including Jira, ConnectWise, and ServiceNow) and security (includes Chronicle SOAR) once an ActOn is generated in our platform.

To get ActOn integrations, subscribe to an appropriate plan after you have registered with Resolution Intelligence Cloud. Visit this page for more details on the available plans.

Features of ActOns

  • Enable the security analysts to prioritize what is important and when to take necessary actions to mitigate the risk posed by threats from the external environment.
  • Ensure effective communications such as - Automated emails and Scripted responses among the users of an organization.
  • Assign to the respective individual or group in an effective manner to notify them in real-time.
  • Enable automatic routing of similar signals, and SLA tracking.
  • Build consistency and confidence in the support process of an organization.
  • Provide visibility and reporting dashboards by type, class, status, and priority.

Viewing ActOns UI

Navigate to ActOns area by hovering over the hamburger menu and clicking ActOns New, under Resolutions. Resolution Intelligence Cloud provides two ways to explore the ActOns in the UI:

  1. Card View: shows all ActOns in the left panel and details of a specific ActOn in the right panel, with a filter hidden on the left side.
  2. Table View: shows all ActOns in table format with a filter hidden on the left side.

Card View

In the card view, the ActOns UI has been divided into 3 tabs:

  1. Filters - applying filters helps you display the ActOns in the ActOns feed according to your filter criteria. Refer to this article for more information on filters.
  2. ActOns' feed - displays all ActOns in a list form.
  3. ActOns' work area - provides a unique interface to identify, acknowledge, and remediate ActOns before they become incidents. Prioritize, assign, resolve, make active or inactive, and add a user to the watch list to streamline your team's collaboration and resolve issues faster.

In the card view, click left arrow mceclip0.png or right arrow mceclip2.png icons to enlarge or converge an ActOn filters panel and list panel. This action allows you to perform a detailed analysis on an ActOn. 

Refresh icon to load the latest updates in the ActOns feed.

You can sort and order all ActOns in the second column by the following options using button.

Item Description
Created Date The date on which the ActOn generated for the first time.
Updated Date The date on which some updates done in an ActOn. For example, status has been changed from "acknowledged" to "in progress".
Priority Assigned level of importance (most important on top). Possible values are P0,P1,P2,P3,P4.
Newest on top Recently generated ActOns appear on top.
Oldest on top Past ActOns appear on top.

Search any ActOn by ActOn ID, Title, Signal ID, External ID, and Summary in the search bar to obtain your desired ActOn.

Table View

In the table view, the ActOns UI has been divided into 2 tabs: 

  1. Filters - applying filters helps you display the ActOns in the ActOns feed according to your filter criteria. Refer to this article for more information on filters.
  2. ActOns' feed - displays all ActOns in a list form.

In the table view, with the Manage Columns feature, you can control and reorder what columns are allowed on the listing page to work on the useful metrics to remediate an ActOn.

You can apply the following actions to one or more ActOns by checking the box next to each of them. Once you check box them, the Actions button will be enabled at the top.x

This Actions button is visible to users with roles - Global admin, Owner, Config manager, Responder, and Manager.

  • Mark me as Owner - makes you as a owner to an ActOn.
  • Change Priority - updates priority levels from P1 to P3 or P1 to P4 or P4 to P2.

Closing ActOns

You can close the ActOns from the listing page using the following procedure.  

1. Select the check box corresponding to the ActOns you want to close. 

2. Click the Close ActOns option. This will open a side panel where you can enter the reason for closing the ActOn.

3. Select the reason from the following options:

  • Benign – The ActOn does not pose a significant impact.
  • False positive – The ActOn was incorrectly identified as an anomaly.
  • Resolved – The ActOn has been successfully resolved.
  • Self-heal – The signal was automatically resolved without human intervention.
  • Closed by external system – The ActOn was closed by an external system.

4. Enter the resolution note in the text box provided. You can use formatting options to enhance the note if needed.

5. Enter the amount of time spent resolving this ActOn, in minutes.

6. Click Submit to close the ActOn.

The ActOn contains the following items in its UI:

  • Title: The ActOn title emerges from the type of signals that are correlated as a result of correlation rules. However, you can customize the title of an ActOn as per your desired criteria. The character limit for title is up to 160. 
  • Acton ID: ActOn ID is a discrete number assigned to an ActOn that is created from the internal monitoring system. Click on ActOn ID to learn about the Status, Priority, Owner, Classification, tags, etc.
  • Organizations: A list of organizations which are entitled to an ActOn
  • Tenants: A list of tenants who are notified of an ActOn
  • More details : Click to show or hide the details, such as First Signal Creation Time, Last Updated,  class, sub-class, category, and sub-category of an ActOn.
  • Sync ActOn: Users can now manually sync ActOn details to external applications, such as SOAR, ServiceNow, ConnectWise, and JIRA. For more information, refer Sync Acton section. 
  • Assign Priority: You can assign a Priority level to ActOn to distinguish which ActOns need attention first. To assign Priority to an ActOn, select one of the priorities from the drop-down on top of the ActOn.

  • Assign Stage: You can assign a stage to an ActOn by selecting the appropriate stage value, indicating its phase in the ActOn lifecycle. This helps track the progress and current phase of an ActOn more effectively.

 

  • Assign Team: You can assign a team to an ActOn. For more information, refer Team assignment to ActOns.
  • Assign Owner: You can assign a team member from the selected team as the owner of the ActOn, (or) you can choose to assign it to someone outside the team to work on. 

By default, the auto-validation system assigns the ROBO as the owner. However, you can assign a new owner to an ActOn to notify the respective personnel to take action against that ActOn. To assign an owner, click Owner on top of the ticket and assign yourself, or search and select a user using the search bar. You can assign any user as an owner who belongs to domain, organization or tenant. Refer to this article to learn what actions a ROBO can perform to resolve or close the ActOn.

  • Visibility: Domain and organization-level users can add their tenants and notify them about an ActOn being added.

To add ActOn visibility to tenants,

  1. Open an ActOn.
  2. On the ActOns page, click Visibility at the top right corner.
    A list of tenants appears.
  3. Select one or more tenants, and click Save.

  • Escalate: Click on the escalate button and select an escalation policy from the drop-down menu. This action allows you to escalate an ActOn, which is in a closed state, to an on-call member. The users with the roles - Global Admin, Responder, Owner, Manager, Config Manager can escalate the ActOn. Currently, this feature is applicable to domains, organizations, and tenants.

 Updating Multiple ActOns

To update the stage, status, notes, team, owner, and/or priority of multiple ActOns simultaneously, use the Update option.

To perform a bulk update of ActOns:

  1. Navigate to ResolutionsActOns. The ActOns home page opens.
  2. Click the kebab menu, point to Display, and select List View.
  3. Select the check boxes for the ActOns you want to update. This enables the Update option.
  4. Click Update to open the side sheet.
  5. Choose the status, priority, and/or stage for the selected ActOns.
  6. Select the team and owner to be assigned to the ActOn. 
  7. Provide notes. To add notes, refer to the Adding Floating Notes article.
  8. Click Confirm to apply the updates to all selected ActOns.

Syncing an ActOn with external ITSM apps

ActOn details can be synced with SOAR, ServiceNow, ConnectWise, or JIRA at the domain, organization, or tenant level, where ActOns are created as tickets in JIRA, ServiceNow, and ConnectWise, and cases in SOAR. This bidirectional synchronization ensures that any updates made to ActOns in Chronicle SOAR, ServiceNow, ConnectWise, or JIRA are automatically reflected in the Resolution Intelligence Cloud, and vice versa, enabling real-time data synchronization.

Both digital operations (digital ops) and security ActOns can be synced with external apps. However, for digital ops, synchronization is only available with JIRA, not with SOAR.

Prerequisites

Tenant mapping in JIRA, ConnectWise, ServiceNow, or SOAR is required, depending on the external application to which you want to sync the ActOn details. To map tenants, refer to the Mapping Tenants section.

To sync the ActOn with an external application manually:

    1. Open a Security or Digital Ops ActOn. 
    2. Click the Sync ActOn link corresponding to the ActOn ID. This opens the Sync ActOn window.

3. Click Sync Now corresponding to the external application with which you want to sync the ActOn details. Possible values:

    • SOAR (or)
    • ConnectWise
    • ServiceNow
    • Jira

Note: You can only view the ITSM app or SOAR that is enabled and configured in Integrations. Only one ITSM app can be enabled at a time.

Once the sync is successful, an external ID is created with a link. You can click on this ID to redirect to the respective external application to view the ActOn details.  

Tags

Tags help you classify ActOns. The tags are created in a key-value format. You can view the tags that are added through external systems, in addition to the tags you add in the ActOn workspace.

Adding tags

To add tags to an ActOn,

  1. Navigate to Resolutions --> ActOns.
    ActOns home page opens.
  2. Click the ActOn to which you want to add a tag. This opens the ActOn Workspace. 

3. Click Add Tag. This opens the side panel. 

4. Enter the tag in the key:value format and click the plus button to add the tag. You can add as many tags you want. 

5. Click Submit to associate tags to an ActOn. The added tags are visible next to the tags icon in the ActOn Workspace. 

ActOn Status

The signal status is determined by the most recent update received from the source monitoring system. The status of an ActOn is determined by the severity of each situation.

By default, an ActOn is assigned to any one of the following statuses: However, you are free to change the status of an ActOn to the status you desire at anytime once you create new statuses or rename the existing status. Once an ActOn is moved to a closed or resolved state, escalations to the on-call user stop.

Status

Description

New

ActOn has arrived recently and has not yet been acknowledged by the support team.

Acknowledged

The respondent has seen the ActOn and owns an ActOn.

In Progress
ActOn has acknowledged it and started working on it.

On hold

Put on hold due to awaiting evidence, awaiting for the user, etc.

Healed
ActOn got resolved on its own.
Resolved Remediation has taken and resolved the issue.

Closed

Remediation has taken and resolved the issue.

Priorities and their respective colors are assigned to each ActOn based on the score calculated from impact, likelihood, and confidence factors.

Priority

Color

Description

P4

Green

ActOn is resolved and has no impact on the asset.

P3

Yellow

The monitoring system has detected an issue. For example, CPU cache is low.

P2

Light Orange

The ActOn has been acknowledged in the source system or the monitored object is under scheduled maintenance.

P1

Orange

The monitoring system has detected a serious problem. For example, a service is unavailable or a maximum usage threshold has been exceeded.

P0

Red

A potential issue is detected and poses a serious impact on assets if not resolved within the SLA period.

Changing status of an ActOn

You have the flexibility to tailor the existing statuses to match the specific needs and workflows of your organization. You can often modify existing ones to align with your business requirements, which ensures collaboration and productivity. Before changing the status, you should configure your desired status by using the Configurable Statuses procedure.

To change the existing status to a new one,

  1. Navigate to Resolutions --> ActOns.
    ActOns home page opens.
  2. Click the ActOn in which you would prefer to change the status.
  3. Click Status located below the ActOn name.
    A drop-down menu opens where you can find the statuses that you have configured.
  4. Select your desired status and click Done.
    Your desired status will be assigned to that ActOn.

In case you are closing the ActOn, follow these additional steps:

5. Select the status as Closed and click Done. This will open a side panel where you can enter the reason for closing the ActOn.

6. Select the reason from the following options:

  • Benign – The ActOn does not pose a significant impact.
  • False positive – The ActOn was incorrectly identified as an anomaly.
  • Resolved – The ActOn has been successfully resolved.
  • Self-heal – The signal was automatically resolved without human intervention.
  • Closed by external system – The ActOn was closed by an external system.

7. Enter the resolution note in the text box provided. You can use formatting options to enhance the note if needed.

8. Enter the amount of time spent resolving this ActOn, in minutes.

9. Click Submit to close the ActOn.

 

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.