I like the idea of setting a custom attribute but I can't see how to set it based on a Business Unit.
I can create a new attribute - this is fine.
I can grant a role access to certain values of this attribute.
Now I want to set the attribute automatically if either of the two conditions is hit:
1) A policy their group is responsible for is hit (I can set the response rule for this)
or
2) A general policy is hit by someone in their business unit. (I can't do this because the only available response rule conditions are endpoint location, incident type, incident match count, protocol or endpoint destination, severity)
I agree that every software product ever written has flaws, and actually it's better for Vontu to have spent their development dollars on the detection engine rather than the UI. Hopefully this will evolve and mature if Symantec look after the product properly, because I think it is worth it.
Incidentally, I have a separate problem with roles: any role that I add a Business Unit condition on cannot actually look at incident details. It gets an error. I have a case open with Symantec on this but they don't seem to know how to fix it.
Would I be better off upgrading to 10.5 or 11.0?