Handle security incidents using AWA

  • Release version: Xanadu
  • Updated November 26, 2025
  • Using AWA, security analysts can handle the security incidents assigned to them, which are available in the inbox folder of SIR Workspace.

    Before you begin

    Role required: sn_si_analyst and awa_agent

    Procedure

    1. Navigate to Workspaces > Security Incident Response Workspace.
    2. Select the Inbox button.
    3. Select your presence state using the Status field.
      Available presence states are:
      • Available: Analyst is available and can accept security incidents. Incidents are available for picking only to agents whose status is available.
        Note:
        If auto-assignment is configured, security incidents are directly assigned to you.
      • Away: Analyst isn’t available. Incoming incidents are not assigned.
      • Offline: The analyst is offline. Incoming incidents are not assigned. This is the default option.
      If your status is Available, incoming incidents are assigned to all the available security analysts, including you, based on the configured service channel, queues, and assignment rules. These incidents are either listed for you to accept or reject (if configured) or are auto-assigned to you.
    4. You can Accept or Reject a security incident.
      Note:
      The Reject option is available only if rejection handling is enabled in AWA. If rejection handling isn’t enabled in AWA, the incident is assigned to you on the basis of the configured service channel, queues, assignment rules, and your availability.
      When you accept a security incident, it’s assigned to you. When you reject a security incident, you have to select the reason for rejecting the security incident.