Triage open alerts
This task is part of a workflow defined in Working with Alerts Based on Firewall Events.
Triage the open alerts, especially if more than one have yet to be investigated:
See Monitoring Secure Cloud Analytics Alerts Generated from FTD Events for more information on cross-launching from Security Cloud Control to Secure Cloud Analytics, and viewing alerts.
Ask the following questions:
Have you configured this alert type as high priority?
Did you set a high sensitivity for the affected subnet?
Is this unusual behavior from a new entity on your network?
What is the entity's normal role, and how does the behavior in this alert fit that role?
Is this an exceptional deviation from normal behavior for this entity?
If a user is involved, is this expected behavior from the user, or exceptional?
Is protected or sensitive data at risk of being compromised?
How severe is the impact to your network if this behavior is allowed to continue?
If there is communication with external entities, have these entities established connections with other entities on your network in the past?
If this is a high priority alert, consider quarantining the entity from the internet, or otherwise closing its connections, before continuing your investigation.