This topic describes how to access the Alerts view, the details shown in the Alerts view, and the various aspects of an alert. In the Alerts view you can browse through alerts, filter them, and group them to create incidents.
To access the Alerts view, in the Security Analytics menu, select Incidents > Alerts. The All Alerts view is displayed. You can customize the Alerts view to view alerts as per your requirement.
The Alerts view offers several details and commands to help customize the view and display alerts.
Alerts View Details
The options panel in the All Alerts view displays various parameters that you can use to customize the alert display.
The following table describes the parameters that you can select to filter the alerts and customize the view. The filter parameters you choose are persisted and retained when you navigate away from the present view, for example to switch between tabs or sessions or to open the details screen. The Reset Selection option restores the filter options to their default values.
Time Range
Select a time range to view alerts in that time range. For example:
Select Last 24 Hours to view alerts triggered in the last 24 hours.
Select All Data to view alerts triggered from the time the service was added.
Select Custom and provide a date range to view alerts triggered in that time frame.
Source
Indicates the number of alerts from each source. For example, RSA ECAT(86) indicates there are 86 alerts triggered by RSA ECAT.
Select one or multiple sources to view alerts triggered by the selected sources. For example, to view ECAT alerts only, select RSA ECAT as the source.
Type
Indicates the type of events in the alert, for example, logs, network sessions, and so on.
Severity
Indicates the severity of the alerts. Select a value to view the alerts of the required severity. For example, to view alerts of severity 75, select 75 as the severity level.
PART OF INCIDENT?
Indicates the number of alerts categorized by whether or not they belong to an incident. For example, Yes(180) indicates there are 180 alerts that are part of an incident.
Select Yes to view alerts that are part of an incident. Select No to view alerts that are not part of any incident.
Source Country
If geo-ip is enabled on the Decoder, filters on the country tagged on the source device in an event within the alert.
Destination Country
If geo-ip is enabled on the Decoder, filters on the country tagged on the destination device in an event within the alert.
Reset Selection
Resets the filter options to their default values.
The top half of the Alert panel displays the graphical representation of the trend of alerts over time (grouped by each source) that match the filter criteria as per the parameters chosen.
The bottom half of the Alert panel displays the alert details. The following table describes them.
Created
Displays the date when the alert was created.
Severity
Displays the severity of the alert. The values range from 1 through 100.
Name
Displays the name of the alert.
Source
Displays the source of the alert. The source can be ECAT, Malware Analytics, ESA, the Investigator service, or the Reporting Engine.
# Of Events
Indicates the number of events contained within an alert.
Note: This varies depending on the source of the alert. For example, ECAT and MA alerts always have one event. For certain types of alerts, a high number of events may mean that the alert is more risky.
Host Summary
Displays details of the host, such as the host name, from which the alert was triggered. The details may include information about the source and/or destination devices in an alert. Some alerts may describe events across more than one device.
User Summary
Displays a summary of the user or users associated with the events in the alert.
Incident ID
Displays the ID of the incident to which the alert belongs. If there is no incident ID, the alert does not belong to any incident; you can create an incident to include this alert, or add the alert to an existing incident.
Investigate
Allows you to investigate the alert further. The available options differ by alert type.
For example: For an ECAT alert the available option is View ECAT Analysis, which lets you view the host analysis in the ECAT client if it is installed on your client machine. For an ESA or Reporting Engine alert the available options are Investigate Events, Investigate Device IP Address, Investigate Source IP Address, and Investigate Destination IP Address, which let you view the events in the Investigator view or view similar events (for example, events with the same source or destination IP address). For a Malware Analytics alert the available option is View Malware Analysis, which lets you view the event details from the malware analysis.
The bottom half of the Alert panel provides you options to perform various operations. The table describes the various commands available.