As you monitor alerts, you can assign alerts to different users and roles, track the alert from origination to resolution, and annotate the alert rule by adding information to the knowledge base.
During the regular life cycle of an alert, a user does the following:
Opens an alert view and either picks an alert already assigned to them or claims an unassigned alert.
Views the alert details, such as the metadata, information about the alert rule that generated the alert, the triggering event and its identity information, and any knowledge base information associated with the alert.
Determines the next step and adds comments about the decision:
Close as harmless
Respond appropriately, and then close
Investigate further