Incident Management: Filter Alerts

Document created by RSA Information Design and Development on Nov 23, 2016
Version 1Show Document
  • View in full screen mode
  

This procedure is useful when you want to look at alerts with a particular criteria, for example, alerts from a particular source, alerts of a particular severity, alerts from a source that are not part of an incident, and so on. Additionally, you can drill down to specifics of an alert to analyze it and investigate further into an alert if required.

Prerequisites

Ensure that you understand the Alert view parameters before you proceed to filter the Alerts view. For more information, see Alerts View.

Procedure

The following example describes how you can customize the view to display all ESA alerts with severity level 5.

  1. In the Security Analytics menu, select Incidents > Alerts.

    The All Alerts view is displayed.

    all_alerts_view.png

  2. In the options panel, select All Data for TIME RANGE.

    Note: By default, alerts from the last 5 days are displayed. To see alerts for a different period, change the time range.

  3. Select Event Stream Analysis as SOURCE.
  4. Set the SEVERITY level to 5.

    filter_alert.png

    The right side panel shows a graphical representation of all ESA alerts of sev 5.

    Note: When there is no data for a selected filter, the filter will be disabled. Click Reset Selection to display default selection criteria. This applies to alerts, incidents, and remediations. For example, in the previous graphic if you change Time Range to Last Hour and there are no alerts for ESA in the last hour, source Event Stream Analysis (0) will be grayed out. In such a case, click Reset Selection. Default criteria for all options is displayed. 

  5. Hover on the graph to view details about the number of alerts triggered on a particular day.

    alert_time_detail.png

    The alert details are displayed in the details view in the bottom half of the page.

    Note: You can select an alert to create incidents, add an alert to an existing incident, or investigate an alert from this view. For more details see Add Alerts to an Existing Incident.

    all_alert_details.png

  6. Double-click on an alert.

    The Alert Details view is displayed.

    alert_detail.png

    The date of creation, the type of alert, description of the alert, the number of events, the user and file information, and the size of the alert are the details displayed. You can investigate the alert further as required.

    Note: You can click Show Raw Alert to view the alert information in the raw format.

  7. Under the Actions column, select Investigate Events.

    alert_actions.png

    Note: The available options under the actions menu is different for different types of Alerts. For details, see Alerts View.

    The Investigate > Navigate view of the service is displayed. You can select the options available to investigate further.

  8. Click Back to Alerts to navigate to the All Alerts view.
  9. If you want to restore defaults, click Reset Selection.

For details on various parameters and description in the Incidents > All Alerts view, see Alerts View.

Previous Topic:Review Alerts
You are here
Table of Contents > Review Alerts > Filter Alerts

Attachments

    Outcomes