Incident Management: Alerts View

Document created by RSA Information Design and Development on Nov 23, 2016
Version 1

This topic describes how to access the Alerts view, the details it displays, and the various aspects of an alert. In the Alerts view you can browse alerts, filter them, and group them into incidents.

To access the Alerts view, in the Security Analytics menu, select Incidents > Alerts. The All Alerts view is displayed. You can customize the Alerts view to display alerts to suit your requirements.

Figure: All Alerts view (all_alerts_view.png)

Features

The Alerts view offers several details and commands to help customize the view and display alerts.

Alerts View Details

The options panel in the All Alerts view displays various parameters that can be used to customize the alert display.

The following table describes the parameters you can select to filter the alerts and customize the view. The filter parameters you choose are persisted and retained when you navigate away from the present view, whether you switch between tabs or sessions or open the details screen. The Reset Selection option resets the filter options to their default values.

Parameter             Description

TIME RANGE
    Select a time range to view alerts in that time range. For example:
      • Select Last 24 Hours to view alerts triggered in the last 24 hours.
      • Select All Data to view alerts triggered from the time the service was added.
      • Select Custom and provide a date range to view alerts triggered in that time frame.

SOURCE
    Indicates the number of alerts categorized by their source. For example, RSA ECAT(86) indicates there are 86 alerts triggered by RSA ECAT.
    Select one or multiple sources to view alerts triggered by the selected sources. For example, to view ECAT alerts only, select RSA ECAT as the source.

TYPE
    Indicates the type of events in the alert, for example, logs, network sessions, and so on.

SEVERITY
    Indicates the severity of the alerts. Select a value to view the alerts of the required severity. For example, to view alerts of severity 75, select 75 as the severity level.

PART OF INCIDENT?
    Indicates the number of alerts categorized by whether or not they belong to an incident. For example, Yes(180) indicates there are 180 alerts that are part of an incident.
    Select Yes to view alerts that are part of an incident. Select No to view alerts that are not part of any incident.

SOURCE COUNTRY
    If geo-ip is enabled on the Decoder, filters on the country tagged on the source device in an event within the alert.

DESTINATION COUNTRY
    If geo-ip is enabled on the Decoder, filters on the country tagged on the destination device in an event within the alert.

Reset Selection (reset_selection_button.png)
    Resets the filter options to their default values.

The top half of the Alert panel displays a graph of the trend over time of the alerts (grouped by source) that match the selected filter parameters.
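The filter semantics above (time range, source, type, severity, part of incident, geo-ip country), the counts shown beside each option such as RSA ECAT(86) or Yes(180), the per-source trend data, and the persist/reset behaviour of the selection can be modelled in a few dozen lines. The following is an added example written for this page, not RSA Security Analytics code; the Alert record, the AlertFilter fields, the default time range of Last 24 Hours and the sample alerts are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

# Assumed, simplified alert record (not the product's actual schema).
@dataclass(frozen=True)
class Alert:
    created: datetime
    severity: int                 # 1 through 100
    name: str
    source: str                   # "RSA ECAT", "ESA", "Malware Analytics", "Reporting Engine"
    event_type: str               # e.g. "log", "network session"
    num_events: int
    incident_id: Optional[str] = None
    source_country: Optional[str] = None
    destination_country: Optional[str] = None

# One filter selection; an empty set means "no restriction" for that parameter.
@dataclass(frozen=True)
class AlertFilter:
    time_range: str = "Last 24 Hours"          # "Last 24 Hours", "All Data", "Custom" (assumed default)
    custom_range: Optional[tuple] = None       # (start, end) datetimes, used with "Custom"
    sources: frozenset = frozenset()
    types: frozenset = frozenset()
    severities: frozenset = frozenset()
    part_of_incident: Optional[bool] = None    # True = Yes, False = No, None = either
    source_countries: frozenset = frozenset()
    destination_countries: frozenset = frozenset()

DEFAULT_FILTER = AlertFilter()

def in_time_range(alert: Alert, f: AlertFilter, now: datetime) -> bool:
    """TIME RANGE semantics: All Data has no lower bound, Custom is inclusive."""
    if f.time_range == "All Data":
        return True
    if f.time_range == "Custom":
        start, end = f.custom_range
        return start <= alert.created <= end
    return now - timedelta(hours=24) <= alert.created <= now

def matches(alert: Alert, f: AlertFilter, now: datetime) -> bool:
    """Every selected parameter must match; unselected parameters are ignored."""
    return (in_time_range(alert, f, now)
            and (not f.sources or alert.source in f.sources)
            and (not f.types or alert.event_type in f.types)
            and (not f.severities or alert.severity in f.severities)
            and (f.part_of_incident is None
                 or (alert.incident_id is not None) == f.part_of_incident)
            and (not f.source_countries or alert.source_country in f.source_countries)
            and (not f.destination_countries
                 or alert.destination_country in f.destination_countries))

def apply_filter(alerts, f: AlertFilter, now: datetime):
    return [a for a in alerts if matches(a, f, now)]

def facet_counts(alerts):
    """Counts shown beside each option in the panel, e.g. SOURCE -> {"RSA ECAT": 86}."""
    return {
        "SOURCE": Counter(a.source for a in alerts),
        "TYPE": Counter(a.event_type for a in alerts),
        "SEVERITY": Counter(a.severity for a in alerts),
        "PART OF INCIDENT?": Counter("Yes" if a.incident_id else "No" for a in alerts),
    }

def facet_labels(counter):
    """Render a facet the way the options panel shows it: 'RSA ECAT(86)', largest first."""
    return [f"{value}({count})"
            for value, count in sorted(counter.items(), key=lambda kv: (-kv[1], str(kv[0])))]

def trend_by_source(alerts, bucket=timedelta(hours=1)):
    """Per-source alert counts per time bucket: the data behind the trend chart."""
    trend = defaultdict(Counter)
    for a in alerts:
        bucket_start = datetime.min + ((a.created - datetime.min) // bucket) * bucket
        trend[a.source][bucket_start] += 1
    return {source: dict(buckets) for source, buckets in trend.items()}

class AlertsView:
    """Keeps the selection so it survives navigating to details and back; Reset Selection restores defaults."""
    def __init__(self, alerts, now: datetime):
        self.alerts, self.now, self.filter = alerts, now, DEFAULT_FILTER
    def select(self, **changes):
        self.filter = replace(self.filter, **changes)
        return self
    def reset_selection(self):
        self.filter = DEFAULT_FILTER
        return self
    def visible(self):
        return apply_filter(self.alerts, self.filter, self.now)

NOW = datetime(2016, 11, 23, 12, 0)   # constructed reference time
SAMPLE_ALERTS = [                     # constructed sample alerts, not real data
    Alert(NOW - timedelta(hours=2), 75, "Suspicious module", "RSA ECAT", "endpoint", 1, "INC-1"),
    Alert(NOW - timedelta(hours=30), 50, "Unsigned driver", "RSA ECAT", "endpoint", 1),
    Alert(NOW - timedelta(hours=1), 90, "Brute force logins", "ESA", "log", 12, "INC-1", "US", "DE"),
    Alert(NOW - timedelta(hours=3), 75, "Beaconing", "ESA", "network session", 3, None, "CN", "US"),
    Alert(NOW - timedelta(hours=5), 60, "Malicious PDF", "Malware Analytics", "network session", 1),
    Alert(NOW - timedelta(hours=48), 75, "Failed auth report", "Reporting Engine", "log", 40, "INC-2"),
]

if __name__ == "__main__":
    view = AlertsView(SAMPLE_ALERTS, NOW).select(severities=frozenset({75}))
    print([a.name for a in view.visible()])                       # Last 24 Hours and severity 75
    print(facet_labels(facet_counts(SAMPLE_ALERTS)["SOURCE"]))    # e.g. ['ESA(2)', 'RSA ECAT(2)', ...]
```

Facet counts are computed over whatever alert list you pass in, so compute them over the time-range-restricted list if you want the numbers beside each option to reflect the chart's window, as the panel does for the alerts it displays.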

Alert Details

The bottom half of the Alert panel displays the alert details. The following table describes the various alert details.

Field                 Description

Date Created
    Displays the date when the alert was created.

Severity
    Displays the severity of the alert. The values are from 1 through 100.

Name
    Displays the name of the alert.

Source
    Displays the source of the alert. The source of an alert can be ECAT, Malware Analytics, ESA, the Investigator service or the Reporting Engine.

# Of Events
    Indicates the number of events contained within an alert.
    Note: This varies depending on the source of the alert. For example, ECAT and MA alerts always have one event. For certain types of alerts, a high number of events may mean that the alert is more risky.

Host Summary
    Displays details of the host, such as the host name, from which the alert was triggered. The details may include information about the source and/or destination devices in an alert. Some alerts may describe events across more than one device.

User Summary
    Displays a summary of the user or users associated with the events in the alert.

Incident ID
    Displays the Incident ID of the incident to which the alert belongs. If there is no Incident ID, the alert does not belong to any incident; you can create an incident to include this alert, or add the alert to an existing incident.

Action
    Allows you to investigate the alert further. The available options differ for different types of alerts. For example:
      • For an ECAT alert, the available option is View ECAT Analysis. It allows you to view the host analysis in the ECAT client, if you have it installed on your client machine.
      • For an ESA or Reporting Engine alert, the available options are Investigate Events, Investigate Device IP Address, Investigate Source IP Address, and Investigate Destination IP Address. These allow you to view the events in the Investigator view, or to view similar events (for example, by the same source or destination IP address).
      • For a Malware Analytics alert, the available option is View Malware Analysis. It allows you to view the event details from the malware analysis.

Options

The bottom half of the Alert panel provides options to perform various operations. The following table describes the available commands.

Command               Action

Create Incident button (Create_incident_button.png)
    Select this to create an incident. Refer to Create an Incident Manually.

Add to Incident button (add_to_incident.png)
    Select this to add the selected alert to an existing incident. Refer to Add Alerts to an Existing Incident.

Delete button (Icon-DeleteText.png)
    Select this to delete alerts. Refer to Delete Alerts.