Triage open alerts

This task is part of a workflow defined in Working with Alerts Based on Firewall Events.

Triage the open alerts, especially when more than one is still waiting to be investigated, so that the most consequential alert is handled first. For each open alert, ask the following questions:

  • Have you configured this alert type as high priority?

  • Did you set a high sensitivity for the affected subnet?

  • Is this unusual behavior from a new entity on your network?

  • What is the entity's normal role, and how does the behavior in this alert fit that role?

  • Is this an exceptional deviation from normal behavior for this entity?

  • If a user is involved, is this expected behavior from the user, or exceptional?

  • Is protected or sensitive data at risk of being compromised?

  • How severe is the impact to your network if this behavior is allowed to continue?

  • If there is communication with external entities, have these entities established connections with other entities on your network in the past?

If this is a high priority alert, consider quarantining the entity from the internet, or otherwise closing its connections, before continuing your investigation, so that an active compromise cannot progress while you examine it.
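The questions above can be turned into a repeatable ranking when several alerts are open at once. The following is an added example, not code from the product or the original page: it scores each alert against the context an analyst normally keeps (which alert types are high priority, which subnets are sensitive, which entities are known and what their role is, which external peers have been seen before) and ranks the open alerts. The field names, weights, containment threshold and all sample data are constructed assumptions for illustration. The behavioral questions (is this an exceptional deviation for the entity or the user?) need a baseline the example does not have, so they are left to the analyst and only the recorded context is scored.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# All data and names below are constructed for this example; they are not the
# product's alert schema, scoring or thresholds.


@dataclass
class Alert:
    alert_id: str
    alert_type: str
    entity: str                   # internal host the alert fired on
    subnet: str
    external_peer: str = ""       # remote IP, if outside communication is involved
    sensitive_data: bool = False  # does the entity hold protected/sensitive data?


# Analyst-maintained context that the triage questions refer to (assumed).
HIGH_PRIORITY_TYPES: Set[str] = {"Suspected Data Exfiltration", "Remote Access Beaconing"}
SUBNET_SENSITIVITY: Dict[str, str] = {"10.10.0.0/16": "high", "10.20.0.0/16": "normal"}
KNOWN_ENTITIES: Dict[str, str] = {  # entity -> its normal role
    "10.10.5.7": "database server",
    "10.20.1.15": "workstation",
}
# external IP -> internal entities that have connected to it before
PEER_HISTORY: Dict[str, Set[str]] = {
    "203.0.113.9": {"10.20.1.15", "10.20.1.16"},
}
QUARANTINE_THRESHOLD = 7  # assumed cut-off for "contain first, investigate second"


def score_alert(alert: Alert) -> Tuple[int, List[str]]:
    """Walk the triage questions; each 'yes' adds points and a recorded reason."""
    score = 0
    reasons: List[str] = []
    if alert.alert_type in HIGH_PRIORITY_TYPES:
        score += 4
        reasons.append("alert type is configured as high priority")
    if SUBNET_SENSITIVITY.get(alert.subnet) == "high":
        score += 3
        reasons.append(f"subnet {alert.subnet} has high sensitivity")
    role = KNOWN_ENTITIES.get(alert.entity)
    if role is None:
        score += 2
        reasons.append("new entity with no established role on the network")
    else:
        reasons.append(f"entity's normal role: {role}")  # analyst judges the fit
    if alert.sensitive_data:
        score += 3
        reasons.append("protected or sensitive data is at risk")
    if alert.external_peer:
        seen_by = PEER_HISTORY.get(alert.external_peer, set())
        if not seen_by:
            score += 2
            reasons.append(f"external peer {alert.external_peer} has never connected to this network")
        elif alert.entity not in seen_by:
            score += 1
            reasons.append(f"external peer {alert.external_peer} is known, but not to this entity")
    return score, reasons


def triage(alerts: List[Alert]) -> List[Tuple[Alert, int, List[str]]]:
    """Return the open alerts ranked from highest to lowest triage score."""
    ranked = []
    for alert in alerts:
        score, reasons = score_alert(alert)
        ranked.append((alert, score, reasons))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


def needs_containment(score: int) -> bool:
    """True when the alert should be quarantined before the investigation continues."""
    return score >= QUARANTINE_THRESHOLD


# Constructed sample of three open alerts.
OPEN_ALERTS = [
    Alert("A1", "Suspected Data Exfiltration", "10.10.5.7", "10.10.0.0/16",
          external_peer="198.51.100.4", sensitive_data=True),
    Alert("A2", "Port Scan", "10.20.1.15", "10.20.0.0/16", external_peer="203.0.113.9"),
    Alert("A3", "Remote Access Beaconing", "10.20.9.99", "10.20.0.0/16",
          external_peer="203.0.113.9"),
]

if __name__ == "__main__":
    for alert, score, reasons in triage(OPEN_ALERTS):
        action = "CONTAIN FIRST" if needs_containment(score) else "investigate"
        print(f"{alert.alert_id} score={score:2d} {action}: {'; '.join(reasons)}")
```

With the sample data, A1 (high priority type, sensitive subnet, sensitive data, never-seen external peer) ranks first and crosses the containment threshold; A3 ranks second because a new entity is beaconing to an external host that only other entities have talked to; A2 scores nothing and is investigated last. The recorded reasons are what an analyst would paste into the case notes to justify the order.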