Can I mark Events as "suspicious" or "reviewed" for SOC triage?

Yes. Contact us to enable the SOC (Security Operations Center) quick-label feature.

Triaging with Quick Labels

Quick Labels are shown as one-click menu items in the dropdown for each Event when you press the labels icon. They're intended to be a fast triaging tool to characterize Events that warrant attention.

Quick Label Sources

The labels shown on the dropdown list come from two sources, in order of precedence:

  1. Domain-level Quick Labels
    The comma-separated list of labels specified at https://camio.com/domains becomes the standard list shown to all people viewing Events from an account from that domain.
  2. User-level Most Recently Used Labels
    As users apply labels to Events, the most recently used labels are appended to the dropdown list (following those from the domain-level specification).

 

Domain Quick Labels

If you're a domain administrator, enter a comma-separated list of labels that you'd like all people to use when triaging Events from accounts using your domain at:
https://camio.com/domains


Most Recently Used Labels

Click Edit... if you need to add or remove a label that isn't yet shown in your most recently used list. After you press Save, the newly added/removed label will appear in your most recently used list and will be saved locally in your browser.

  


The NOT logical operator may also be helpful so that you can use a query like this to review and share those Events that are suspicious and not yet reviewed:

suspicious not reviewed

or, equivalently:

suspicious -reviewed

That way, SOC personnel can bookmark the URLs for the searches they want to see most often, like:

https://camio.com/app/#search;q=suspicious+-reviewed

 
