Skip to main content
Skip table of contents

Approve or Deny SmartResponse Actions in the Web Console

On an Alarm card, you can determine whether an alarm has SmartResponse actions that are pending approval by the status displayed in the bottom bar of the card. 

Pending SmartResponses are only visible in the Alarm grid view by selecting an alarm and looking in the SmartResponse Actions section of the Inspector panel.

You can approve or deny SmartResponse actions from the Alarm card view on the Alarms page or wherever else you are able to view detailed alarm information (such as in the Current Case panel or the Inspector panel of the Alarm grid view).

To approve or deny SmartResponse actions:

  1. On the navigation bar, click Alarms,
  2. Select an alarm with a pending SmartResponse.
  3. Click the Inspector tab to expand the Inspector panel, if necessary. 
    The Inspector panel opens. In the SmartResponse actions section, Approve and Deny buttons are displayed for each pending SmartResponse action. At the bottom of the section, the action run order is indicated by one of the following messages:
    • Run actions at the same time. Indicates that none of the SmartResponse actions depend upon each other, and that you can run any one of them regardless of whether the others are run.
    • Run actions in the order listed. Indicates an interdependency that requires each action to run before the subsequent action can be run. To properly approve these interdependent actions, they need to be approved in the order that they are listed from top to bottom.
  4. Click either Approve or Deny for each SmartResponse action in accordance with the order requirements. 
    If you select Deny, the SmartResponse action does not run and its status in the Inspector panel changes to "denied." Administrators on the approval list may receive an email regarding the action (depending on whether their SIEM Person records include a valid email address). 
    If you select Approve and the SmartResponse action requires additional approvals, the Approved button dims to indicate that you have approved it. The number of additional approvals needed to run the action is displayed to the left of the button. 
    If no additional approvals are needed for a SmartResponse action, the Approved button is replaced with a message indicating whether the action succeeded or failed. 
    After all the actions have been either approved or denied, the SmartResponse action status on the alarm card updates to one of the following depending on their collective rates of success, failure, and/or denial:
    • Succeeded
    • Partial Failure
    • Failed
    • Partial Denied
    • Denied
      Administrators on the approval list may also receive an email regarding the action results (depending on whether their SIEM Person records include a valid email address).
  5. (Optional) Click the arrow to collapse the Inspector panel.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.