This topic describes how to access the Alerts view, the details it displays, and the various aspects of an alert. In the Alerts view you can browse alerts, filter them, and group them to create incidents.
To access the Alerts view, in the Security Analytics menu, select Incidents > Alerts. The All Alerts view is displayed. You can customize the Alerts view to display alerts as you require.
The Alerts view offers several details and commands to help customize the view and display alerts.
Alerts View Details
The options panel in the All Alerts view displays various parameters that can be used to customize the alert display.
The following table describes the parameters that you can select to filter the alerts and customize the view. The filter parameters you choose are persisted and retained when you navigate away from the present view to switch between tabs or sessions, or when you navigate to the details screen. The Reset Selection option resets the filter options to their default values.
The top half of the Alert panel displays a graph of the alert trend over time, grouped by source, for the alerts that match the chosen filter criteria.
The bottom half of the Alert panel displays the alert details. The following table describes each alert detail.
| Column | Description |
|---|---|
| Date Created | Displays the date when the alert was created. |
| Severity | Displays the severity of the alert. The values are from 1 through 100. |
| Name | Displays the name of the alert. |
| Source | Displays the source of the alert. The source can be ECAT, Malware Analytics, ESA, Investigator service or Reporting Engine. |
| # Of Events | Indicates the number of events contained within an alert. Note: This varies depending on the source of the alert. For example, ECAT and MA alerts always have one Event. For certain types of alerts, a high number of events may mean that the alert is more risky. |
| Host Summary | Displays details of the host, such as the host name, from which the alert was triggered. The details may include information about the source and/or destination devices in an alert. Some alerts describe events across more than one device. |
| User Summary | Displays a summary of the user or users associated with the events in the alert. |
| Incident ID | Displays the ID of the incident to which the alert belongs. If there is no incident ID, the alert does not belong to any incident; you can create an incident to include this alert, or add the alert to an existing incident. |
| Action | Allows you to investigate the alert further. The available options differ by alert type. For an ECAT alert the option is View ECAT Analysis, which opens the host analysis in the ECAT client if it is installed on your client machine. For an ESA or Reporting Engine alert the options are Investigate Events, Investigate Device IP Address, Investigate Source IP Address, and Investigate Destination IP Address, which open the events in the Investigator view or show similar events (for example, by the same source or destination IP address). For a Malware Analytics alert the option is View Malware Analysis, which shows the event details from the malware analysis. |
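To make the columns above concrete, here is an added Python example (it is not part of this documentation and not the product's own API) that models an alert record with the listed fields, enforces the constraints the table states (severity 1 through 100; ECAT and Malware Analytics alerts contain exactly one event), filters alerts the way the options panel does, tallies the per-source trend shown in the top half of the panel, and groups alerts that have no Incident ID by host as candidates for a new incident. The sample alerts, host names, user names and incident IDs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sources named in the Source column of the Alerts view.
SOURCES = {"ECAT", "Malware Analytics", "ESA", "Investigator service", "Reporting Engine"}
# Per the "# Of Events" note: ECAT and Malware Analytics alerts always have one event.
SINGLE_EVENT_SOURCES = {"ECAT", "Malware Analytics"}


@dataclass
class Alert:
    """One row of the Alerts view (field names are this example's own, not the product's)."""
    date_created: str
    severity: int
    name: str
    source: str
    num_events: int
    host_summary: str
    user_summary: str
    incident_id: Optional[str] = None  # None means the alert belongs to no incident

    def __post_init__(self) -> None:
        if self.source not in SOURCES:
            raise ValueError(f"unknown alert source: {self.source!r}")
        if not 1 <= self.severity <= 100:
            raise ValueError(f"severity must be 1..100, got {self.severity}")
        if self.num_events < 1:
            raise ValueError("an alert must contain at least one event")
        if self.source in SINGLE_EVENT_SOURCES and self.num_events != 1:
            raise ValueError(f"{self.source} alerts always contain exactly one event")


def is_valid_alert(*args, **kwargs) -> bool:
    """True if the given fields form an alert that satisfies the documented constraints."""
    try:
        Alert(*args, **kwargs)
        return True
    except ValueError:
        return False


# Constructed sample alerts; hosts, users and the incident ID are placeholders.
SAMPLE_ALERTS: List[Alert] = [
    Alert("2024-01-05", 90, "Suspicious process injection", "ECAT", 1, "host-a", "alice"),
    Alert("2024-01-05", 60, "Multiple failed logons", "ESA", 25, "host-a", "alice"),
    Alert("2024-01-06", 40, "Unusual outbound traffic", "Reporting Engine", 8, "host-b", "bob", "INC-100"),
    Alert("2024-01-06", 75, "Malicious file detected", "Malware Analytics", 1, "host-c", "carol"),
    Alert("2024-01-07", 20, "Policy violation", "ESA", 3, "host-b", "bob"),
]


def filter_alerts(alerts: List[Alert], source: Optional[str] = None,
                  min_severity: int = 1, min_events: int = 1) -> List[Alert]:
    """Apply the kind of filters the options panel offers: source, severity floor, event-count floor."""
    return [a for a in alerts
            if (source is None or a.source == source)
            and a.severity >= min_severity
            and a.num_events >= min_events]


def trend_by_source(alerts: List[Alert]) -> Dict[str, Dict[str, int]]:
    """Alert counts per source per creation date: the data behind the top-half trend graph."""
    counts: Dict[str, Dict[str, int]] = {}
    for a in alerts:
        per_date = counts.setdefault(a.source, {})
        per_date[a.date_created] = per_date.get(a.date_created, 0) + 1
    return counts


def group_unassigned_by_host(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Group alerts with no Incident ID by host summary, most severe first.

    Each group is a candidate incident: alerts without an incident ID can be
    gathered into a new incident or added to an existing one.
    """
    groups: Dict[str, List[Alert]] = {}
    for a in alerts:
        if a.incident_id is None:
            groups.setdefault(a.host_summary, []).append(a)
    for members in groups.values():
        members.sort(key=lambda a: a.severity, reverse=True)
    return groups


if __name__ == "__main__":
    for host, members in group_unassigned_by_host(SAMPLE_ALERTS).items():
        print(host, [(a.name, a.severity) for a in members])
```

Grouping by host is only one reasonable key; the User Summary column would serve equally well, and in practice an analyst would review each candidate group before creating the incident.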
The bottom half of the Alert panel also provides options to perform various operations. The following table describes the available commands.