Response
The Ticket and Explanation features enable effective responses to threats detected by Logpresso Sonar. When a real-time or batch detection rule identifies a suspected threat on a controlled system, a ticket is generated. The assigned individual addresses the threat and completes the ticket upon approval. If asked to provide an explanation for a security event, the individual must articulate the reasons behind the suspected security threat or event. The explanation process concludes once an approver confirms whether the event was a false positive or a true security breach.
The key distinction between a ticket and an explanation process lies in who is responsible. A ticket is handled by an IT staff member with a Logpresso Sonar account, who responds to the threat. In the case of an explanation, an explanation request is sent to the employee involved in the suspected activity. Employees registered in the employee database can receive an explanation request via email, even without a Sonar login account. Employees who are not registered cannot receive an explanation request, even if they have a Sonar account.
Since tickets must be addressed by the security team, it is recommended to adjust your detection scenarios to keep the daily ticket volume at a manageable level.
To ensure the response process functions correctly, configure an explanation template and maintain accurate employee database details, including email addresses.