Review Situation Room recommendations
The Situation Room Recommendations tab suggests actions you can take that could improve the speed and accuracy of resolving an incident. It also includes reminders for adding missing information when an incident is resolved. When you first access the Situation Room from the Incidents page, the Situation Room opens with the Recommendations tab open.
The following sections explain the suggestions the Recommendations tab can offer, and your options for each.
Assign the incident to a user
If the incident you are viewing is unassigned, the Recommendations tab suggests assigning the incident to a user. You can change the user assignment using the incident properties at the top of the page, or you can use the assignment buttons. Click Assign to choose a user from a list, or Assign to Me to assign the user to yourself.
The tab always recommends assigning an unassigned incident, unless the incident is already closed.
Add a resolving step
If the incident is resolved or closed and has no resolving steps associated with it, then the tab suggests adding a resolving step. You can navigate to the Comments pane to add a resolving step, or you can click Add Resolving Step, which opens the Resolving Steps section of the Comments pane for you.
Adding resolving steps to an incident makes those steps available to analysts in the future for similar incidents, which can shorten resolution time.
Review similar incidents
The Recommendations tab in the Situation Room displays up to ten incidents that are the most similar to the incident you are currently viewing. If there are incidents that were resolved in the past which are similar to the current incident, they display in this section.
Similarity between incidents is determined is configured using the Similar Incidents feature. In general, similarity reflects the number of alerts with the same values which are present in both incidents. Similar incidents displayed on the Recommendations tab contain alerts that closely resemble the alerts in the current incident.
You can hover over the graph of each similar incident to view the distribution of similar and dissimilar alerts between the current incident and the similar incident.
The color-coded diagram displays the following information:
The purple area indicates the percentage of similar alerts in both incidents.
The blue area indicates the percentage of alerts that are in this incident only.
The red area indicates the percentage of alerts that are in the similar incident only.
Incident with resolving steps appear higher in the list than other incidents with the same similarity and no resolving steps. If there are resolving steps associated with the similar incident, it is marked with the check mark icon (shown above). Other icons include a chain link, which links to the individual incident, and a wrench, which indicates the incident occurred when at least one maintenance window was in effect.
To view details about the similar incident, click the Situation Room link for that incident.
 |
The similar incident then opens in the Situation Room in a new tab.
Read through the timeline and any comments and resolving steps associated with the similar incident.
By reviewing the information for incidents similar to the one you're working on, you can locate resolving steps in the incident comments that may help you spend less time resolving the current incident.