1 Incident = 1 Ticket

Octiga recognises that too many alerts are a serious problem, leading at best to alert fatigue and at worst to alert ignoring.

The Solution: Incident alerting

Investigations and remediations should be addressed at the incident level. An incident can be described as a set of similar or related actions that all pertain to one activity by a user, malicious actor or system. The right way to address this is for all related actions to create a single ticket in the PSA and precipitate a single investigation and remediation.

A Baselines Example

If an administrator of a single tenant changes multiple configurations to achieve a goal, these might trigger multiple baseline deviations and hence multiple alerts. The Octiga system will create a ticket from the first alert for baselines deviating on that tenant and continue to add new alerts to the same ticket until that ticket is marked as completed in the PSA. After this, a new ticket will be created.

A Breach Example

If a user has some unusual activity, such as logging in and downloading files from an unusual location, then this might trigger multiple alerts over a period of time. The Octiga system will create a ticket from the first alert for this activity for that user on that tenant and continue to add new activity alerts for that same user to the same ticket until that ticket is marked as completed in the PSA. After this, a new ticket will be created.
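The routing rule described in both examples above (one open ticket per incident scope, reopened only after the PSA marks the ticket completed), as an added illustrative implementation. This is not Octiga's code; the scope keys (baselines correlated per tenant, breach activity per user per tenant), the class names and the sample alerts are all assumptions constructed for the example.

```python
"""Illustrative alert-to-ticket correlator (constructed example, not Octiga's code).

Assumed rule, taken from the page: every alert that belongs to the same incident
scope on a tenant is appended to the one open PSA ticket for that scope; once
that ticket is marked completed, the next alert in the scope opens a new ticket.

Scopes assumed here:
  - "baseline": keyed by tenant only (configuration drift on a tenant)
  - "breach":   keyed by tenant and user (unusual activity by one user)
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Scope = Tuple[str, str, Optional[str]]  # (kind, tenant, user-or-None)


@dataclass
class Alert:
    tenant: str
    kind: str                      # "baseline" or "breach"
    detail: str
    user: Optional[str] = None     # only meaningful for "breach"
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class Ticket:
    ticket_id: int
    scope: Scope
    alerts: List[Alert] = field(default_factory=list)
    completed: bool = False


class TicketCorrelator:
    """Routes alerts into tickets: at most one open ticket per incident scope."""

    def __init__(self) -> None:
        self._next_id = 1
        self._open: Dict[Scope, Ticket] = {}   # scope -> currently open ticket
        self.tickets: List[Ticket] = []        # every ticket ever created, in order

    @staticmethod
    def scope_of(alert: Alert) -> Scope:
        # Baseline deviations correlate per tenant; breach activity per user per tenant.
        if alert.kind == "baseline":
            return ("baseline", alert.tenant, None)
        if alert.kind == "breach":
            if alert.user is None:
                raise ValueError("breach alerts must name a user")
            return ("breach", alert.tenant, alert.user)
        raise ValueError(f"unknown alert kind {alert.kind!r}")

    def ingest(self, alert: Alert) -> Ticket:
        """Append the alert to the open ticket for its scope, creating one if needed."""
        scope = self.scope_of(alert)
        ticket = self._open.get(scope)
        if ticket is None:
            ticket = Ticket(ticket_id=self._next_id, scope=scope)
            self._next_id += 1
            self._open[scope] = ticket
            self.tickets.append(ticket)
        ticket.alerts.append(alert)
        return ticket

    def complete(self, ticket_id: int) -> None:
        """Simulates the PSA marking a ticket completed: its scope is released."""
        for scope, ticket in list(self._open.items()):
            if ticket.ticket_id == ticket_id:
                ticket.completed = True
                del self._open[scope]
                return
        raise KeyError(f"no open ticket with id {ticket_id}")


def demo() -> List[Tuple[int, int, bool]]:
    """Replays the two scenarios from the text; returns (id, alert_count, completed) per ticket."""
    c = TicketCorrelator()
    # Baseline example: one admin makes three config changes on tenant "contoso" (constructed).
    for change in ("MFA policy relaxed", "mailbox forwarding allowed", "legacy auth enabled"):
        c.ingest(Alert(tenant="contoso", kind="baseline", detail=change))
    # Breach example: unusual login plus downloads by one user on the same tenant (constructed).
    c.ingest(Alert(tenant="contoso", kind="breach", user="alice", detail="login from unusual location"))
    c.ingest(Alert(tenant="contoso", kind="breach", user="alice", detail="bulk file download"))
    # A different user's activity is a separate incident and so a separate ticket.
    c.ingest(Alert(tenant="contoso", kind="breach", user="bob", detail="login from unusual location"))
    # The analyst closes the baseline ticket; the next deviation opens a new one.
    c.complete(1)
    c.ingest(Alert(tenant="contoso", kind="baseline", detail="admin role added"))
    return [(t.ticket_id, len(t.alerts), t.completed) for t in c.tickets]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running `demo()` yields four tickets: the three baseline deviations land in ticket 1, both of alice's activity alerts in ticket 2, bob's in ticket 3, and only after ticket 1 is completed does a further baseline deviation open ticket 4. The key design point is that "open ticket per scope" is the only state the correlator keeps, so ticket closure in the PSA is what resets aggregation rather than any time window.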