This procedure is useful when you want to look at alerts that match particular criteria, for example, alerts from a particular source, alerts of a particular severity, alerts from a source that are not yet part of an incident, and so on. You can also drill down into the details of an alert to analyze it and investigate further if required.
Ensure that you understand the Alerts view parameters before you filter the Alerts view. For more information, see Alerts View.
The following example describes how to customize the view to display all ESA alerts with severity level 5.
1. In the Security Analytics menu, select Incidents > Alerts.
   The All Alerts view is displayed.
2. In the options panel, select All Data for TIME RANGE.
3. Select Event Stream Analysis as SOURCE.
4. Set the SEVERITY level to 5.
   The right side panel shows a graphical representation of all ESA alerts of severity 5.
5. Hover over the graph to view the number of alerts triggered on a particular day.
   The alert details are displayed in the details view in the bottom half of the page.
6. Double-click an alert.
   The Alert Details view is displayed. It shows the date of creation, the type of alert, the description of the alert, the number of events, the user and file information, and the size of the alert. You can investigate the alert further as required.
7. Under the Actions column, select Investigate Events.
   The Investigate > Navigate view of the service is displayed. You can select the options available to investigate further.
- Click Back to Alerts to return to the All Alerts view.
- If you want to restore the defaults, click Reset Selection.
For details on the parameters and their descriptions in the Incidents > All Alerts view, see Alerts View.
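The same filter criteria the procedure applies through the UI (time range, source, severity, and "not part of an incident"), together with the per-day count the graph shows, expressed as an added Python example. This is not code from the Security Analytics product or its documentation; the alert records and their field names (`source`, `severity`, `created`, `incident_id`) are constructed assumptions chosen to mirror the Alerts view columns.

```python
from collections import Counter

# Constructed sample alert records (not real Security Analytics data).
# "incident_id" is None for alerts that are not yet part of an incident.
SAMPLE_ALERTS = [
    {"id": "a1", "source": "Event Stream Analysis", "severity": 5,
     "created": "2015-03-01T10:00:00", "incident_id": None},
    {"id": "a2", "source": "Event Stream Analysis", "severity": 5,
     "created": "2015-03-01T14:20:00", "incident_id": "INC-1"},
    {"id": "a3", "source": "Event Stream Analysis", "severity": 3,
     "created": "2015-03-02T09:00:00", "incident_id": None},
    {"id": "a4", "source": "Reporting Engine", "severity": 5,
     "created": "2015-03-02T11:00:00", "incident_id": None},
    {"id": "a5", "source": "Event Stream Analysis", "severity": 5,
     "created": "2015-03-03T08:00:00", "incident_id": None},
]


def filter_alerts(alerts, source=None, severity=None,
                  exclude_in_incident=False, start=None, end=None):
    """Return the alerts that match every given criterion.

    A criterion left as None is not applied, which corresponds to choosing
    "All Data" in the view. start/end are ISO-8601 timestamps; because all
    records use the same fixed-width format, plain string comparison orders
    them correctly.
    """
    matched = []
    for alert in alerts:
        if source is not None and alert["source"] != source:
            continue
        if severity is not None and alert["severity"] != severity:
            continue
        if exclude_in_incident and alert["incident_id"] is not None:
            continue
        if start is not None and alert["created"] < start:
            continue
        if end is not None and alert["created"] > end:
            continue
        matched.append(alert)
    return matched


def alerts_per_day(alerts):
    """Count alerts by calendar day, the figure the view's graph plots."""
    counts = Counter(alert["created"][:10] for alert in alerts)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    # Equivalent of: TIME RANGE = All Data, SOURCE = Event Stream Analysis, SEVERITY = 5
    esa_sev5 = filter_alerts(SAMPLE_ALERTS, source="Event Stream Analysis", severity=5)
    for day, count in alerts_per_day(esa_sev5).items():
        print(f"{day}: {count} alert(s)")

    # Same criteria, restricted to alerts not yet attached to an incident
    unassigned = filter_alerts(SAMPLE_ALERTS, source="Event Stream Analysis",
                               severity=5, exclude_in_incident=True)
    print("not yet part of an incident:", [a["id"] for a in unassigned])
```

The `exclude_in_incident` flag covers the third use case named at the top of the page: triaging alerts that no incident has picked up yet. Narrowing by `start`/`end` replaces the "All Data" time range with a bounded one.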