This topic tells you how to filter alerts and customize the alert view as per your requirement.
This procedure is useful when you want to look at alerts with a particular criteria, for example, alerts from a particular source, alerts of a particular severity, alerts from a source that are not part of an incident, and so on. Additionally, you can drill down to specifics of an alert to analyze it and can investigate further into an alert if required.
Ensure that you understand the Alert view parameters before you proceed to filter the Alerts view. For more information, see Alerts View.
The following example describes how you can customize the view to display all ESA alerts with severity level 5.
- In the Security Analytics menu, select Incidents > Alerts.
The All Alerts view is displayed.
- In the options panel, select All Data for TIME RANGE.
Note: By default, alerts from the last 5 days are displayed. To see alerts for a different period, change the time range.
- Select Event Stream Analysis as SOURCE.
- Set the SEVERITY level to 5.
The right side panel shows a graphical representation of all ESA alerts of sev 5.
Note: When there is no data for a selected filter, the filter will be disabled. Click Reset Selection to display default selection criteria. This applies to alerts, incidents, and remediations. For example, in the previous graphic if you change Time Range to Last Hour and there are no alerts for ESA in the last hour, source Event Stream Analysis (0) will be grayed out. In such a case, click Reset Selection. Default criteria for all options is displayed.
- Hover on the graph to view details about the number of alerts triggered on a particular day.
The alert details are displayed in the details view in the bottom half of the page.
Note: You can select an alert to create incidents, add an alert to an existing incident, or investigate an alert from this view. For more details see Add Alerts to an Existing Incident.
- Double-click on an alert.
The Alert Details view is displayed.
- The date of creation, the type of alert, description of the alert, the number of events, the user and file information, and the size of the alert are the details displayed. You can investigate the alert further as required.
Note: You can click Show Raw Alert to view the alert information in the raw format.
- Under the Actions column, select Investigate Events.
Note: The available options under the actions menu is different for different types of Alerts. For details, see Alerts View.
The Investigate > Navigate view of the service is displayed. You can select the options available to investigate further.
- Click Back to Alerts to navigate to the All Alerts view.
- If you want to restore defaults, click Reset Selection.
For details on various parameters and description in the Incidents > All Alerts view, see Alerts View.