My team needs to clear an alert with a totally different department before we consider it "published" for the purposes of audit etc. I need a SIMPLE way to mark an alert as "in review" that has the ability to make the distinction between "published" and "in review" clear on dashboards.
Requirements:
1. something simple that a non-tech team won't mess up
2. readable by dashboards
I created a new "Security Domain" called Development; all my new rules have a notable that is then assigned to that domain until I am satisfied they are "in production", so to speak. Once they go into production, I would put them into the relevant security domain.
This can easily be identified in the Incident Review Dashboard.
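An added example of how a dashboard panel could surface that distinction (not from the original answer): it assumes Splunk ES's `notable` macro and the `security_domain` field on notable events, and that the new domain is stored with the lowercase value `development`.

```spl
`notable`
| eval review_state=if(security_domain="development", "in review", "published")
| stats count AS notables, latest(_time) AS last_seen BY review_state, rule_name
| convert ctime(last_seen)
| sort review_state, rule_name
```

Anything listed under "in review" has not yet cleared the other department's check; moving the rule to its real security domain is what flips it to "published".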