Proofpoint Threat Response Room for Improvement

RM
Senior Information Security Analyst at a healthcare company with 1-10 employees

The interface within Threat Response could be made simpler. To give a specific example, let's say you have uploaded the details of a malicious email to Threat Response in order to pull all the instances of that email being delivered internally, and it turns out that there have been something like 10,000 emails delivered already.

When you dig into "patient zero" (i.e. the mailbox that first received the malicious email and forwarded it onward) within Threat Response, Threat Response will synthesize the data and you will be able to see the user's vectors such as who the sender is (e.g. some attacker at example.com) and all 10,000 recipients of the email.

Now, if this incident was set up with alerts, then for every single user it creates a corresponding alert, such that you now have 10,000 separate alerts that you have to scroll through to view. I propose that Threat Response should be able to simplify this a bit, even though I don't know what kind of solution it would entail. That's for them to figure out; I just know that scrolling through 10,000 alerts doesn't make things simple for me.

Going further with the idea of improving the interface, when you look at any big company, most of them already have some kind of a centralized platform when it comes to ticketing tools, such as ServiceNow, BMC Remedy, Jira, or Splunk. The platform is there to provide a single pane of glass, where you can integrate everything and assign tickets to the team from that platform.

When it comes to Threat Response, it has its own separate portal and once you have set up your security team in there, you can assign tickets within it. However, I think that this is an unnecessary extra dashboard and there should be more opportunities to tie the portal data into something like ServiceNow and then simplify from there onward.

Again, I can only wonder what the solution here would look like, but let's take the incident with 10,000 alerts; how could we sync or integrate that incident in ServiceNow, and what would it look like? Ultimately, I think being able to more easily integrate Threat Response incident data into other kinds of ticketing platforms would really help improve our experience.

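The review above asks what collapsing 10,000 per-recipient alerts into one incident and pushing it into ServiceNow might look like. The following is an added example written for this page, not Proofpoint's or ServiceNow's code: it folds per-recipient alerts into one incident per campaign (keyed on sender plus attachment hash), records patient zero as the earliest delivery, and builds a body for the standard ServiceNow Table API (`POST /api/now/table/incident`). The alert field names, the urgency thresholds and the sample data are all constructed assumptions; the ServiceNow field names used (`short_description`, `description`, `category`, `urgency`, `impact`, `correlation_id`) are standard incident/task fields.

```python
"""Added example: collapse per-recipient mail alerts into one incident per campaign
and build a ServiceNow Table API payload. Alert schema and sample data are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Alert:
    # Hypothetical per-recipient alert; field names are an assumption, not a vendor schema.
    alert_id: str
    sender: str
    recipient: str
    subject: str
    attachment_sha256: str
    delivered_at: datetime


@dataclass
class Incident:
    key: str
    sender: str
    attachment_sha256: str
    recipients: set = field(default_factory=set)
    alert_ids: list = field(default_factory=list)
    patient_zero: Alert | None = None  # earliest delivery seen for this campaign
    last_seen: datetime | None = None


def campaign_key(alert: Alert) -> str:
    """Same sender + same attachment hash = same campaign. Subject is excluded on
    purpose because attackers often vary it per recipient."""
    raw = f"{alert.sender.lower()}|{alert.attachment_sha256.lower()}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def collapse_alerts(alerts) -> dict[str, Incident]:
    """Fold N per-recipient alerts into one Incident per campaign, in any input order."""
    incidents: dict[str, Incident] = {}
    for a in alerts:
        inc = incidents.setdefault(campaign_key(a), Incident(campaign_key(a), a.sender, a.attachment_sha256))
        inc.recipients.add(a.recipient.lower())
        inc.alert_ids.append(a.alert_id)
        if inc.patient_zero is None or a.delivered_at < inc.patient_zero.delivered_at:
            inc.patient_zero = a
        if inc.last_seen is None or a.delivered_at > inc.last_seen:
            inc.last_seen = a.delivered_at
    return incidents


def urgency_for(recipient_count: int) -> str:
    """ServiceNow urgency is '1' (high) .. '3' (low); these thresholds are an assumption."""
    if recipient_count >= 1000:
        return "1"
    if recipient_count >= 50:
        return "2"
    return "3"


def build_servicenow_payload(inc: Incident, list_limit: int = 20) -> dict:
    """Body for POST /api/now/table/incident. correlation_id carries the campaign key so a
    re-sync can update the same record instead of opening a second ticket."""
    shown = sorted(inc.recipients)[:list_limit]
    more = len(inc.recipients) - len(shown)
    description = "\n".join([
        f"Malicious email campaign from {inc.sender}",
        f"Attachment SHA-256: {inc.attachment_sha256}",
        f"Patient zero: {inc.patient_zero.recipient} at {inc.patient_zero.delivered_at.isoformat()}",
        f"Last delivery: {inc.last_seen.isoformat()}",
        f"Recipients ({len(inc.recipients)}): " + ", ".join(shown)
        + (f" ... and {more} more" if more > 0 else ""),
        f"Source alerts collapsed: {len(inc.alert_ids)}",
    ])
    return {
        "short_description": f"Phishing campaign from {inc.sender}: {len(inc.recipients)} mailboxes",
        "description": description,
        "category": "security",
        "urgency": urgency_for(len(inc.recipients)),
        "impact": urgency_for(len(inc.recipients)),
        "correlation_id": f"mail-campaign-{inc.key}",
    }


def constructed_alerts(n_big: int = 10_000) -> list:
    """Constructed sample: one campaign delivered to n_big mailboxes (fed in reverse order
    to show patient-zero selection does not rely on ordering) plus a small unrelated one."""
    t0 = datetime(2024, 4, 1, 8, 0, tzinfo=timezone.utc)
    big = [Alert(f"a-{i}", "attacker@example.com", f"user{i}@example.net",
                 f"Invoice {1000 + i}", "ab" * 32, t0 + timedelta(seconds=i))
           for i in reversed(range(n_big))]
    small = [Alert(f"b-{i}", "other@example.org", f"staff{i}@example.net",
                   "Password reset", "cd" * 32, t0 + timedelta(minutes=5 + i))
             for i in range(3)]
    return big + small


if __name__ == "__main__":
    for inc in collapse_alerts(constructed_alerts()).values():
        print(json.dumps(build_servicenow_payload(inc), indent=2))
```

Running the block collapses 10,003 alerts into two tickets. Keying on `correlation_id` is the part that matters operationally: if the alert feed is re-pulled an hour later with 2,000 more recipients, the integration can look up the existing incident by that value and update the recipient count rather than file a duplicate.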
DG
Dipl.Ing.

The product has some quirks that could be improved.

DS
Security Specialist at a tech services company with 201-500 employees

If the reporting gets improved then it would be better, but the product is running amazing as it is.
