Operational Procedure about Malware incidents

  • 12 March 2024
  • 0 replies
  • 52 views

Dear Netskope community, at the level of Malware/Malsites, is there something similar to the Incidents part, where the analyst can deal with the case opened by Q-Radar, such as signing the incident and classifying it? What do you do with these events, or rather, what should I do?

Another question: is it useful to insert the hashes of Block events into IOC lists? I ask because the rule action is already a Block, and I understand that inserting a hash that is already blocked into an IOC list is redundant. Right or wrong?

I fully understand the integration possibilities of Netskope Exchange with Service-Now, the Q-Radar SIEM, etc., but my question is more focused on operational procedure. The problem we find here is what action to take in the face of dozens of alerts forwarded to Service-Now via Q-Radar: at each malware event the SOC people keep registering the hash in the IoC list, and it's like wiping ice. There are dozens of events; we have this implemented for a tenant with more than 9k users at a customer in Colombia. What is the gain obtained from this action, even when the event itself is already a Block by the TP?

Can you say whether in the future we will have, in the Malware and Malicious Incidents part, something similar to what already exists within DLP, where it is possible to sign the incident, make the risk classification, and prioritize the event? At least in this way it is possible to identify the analyst who is working on the incident and validate what action was taken.

Thank you all.
