
...

As said before, SecOps is built around alerts. Alerts are the first thing users act on when they enter the application. Once one or more suspicious alerts are detected, or even a potentially dangerous one, the next step is to analyze the content of the threat and its related entities and open an investigation that tracks every action taken by the user and shares the content with the rest of the users in the app.

Click the Triage button in the top navigation bar to access this area.

...

How to apply a filter?

You can filter both alerts and investigations by clicking key elements in the Dashboard widgets, or accessing the Triage section directly and defining the required criteria you want to filter by.

...


After accessing the Triage area, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range by selecting the start and end dates in the calendar, or select a preset interval. You can also select a start date and activate the Now toggle to set the end date to the current time. Click OK after choosing the time range.

After applying a specific time range, you can click the play button next to the selector to activate real-time mode, so new results keep appearing as time passes.

Then, set the conditions you want to filter by. These are the available options:

Keywords

Enter one or several words to filter alerts/investigations that contain them in their name, details, etc.

Subdomains

This option will only appear if you're working on a multitenant domain. Use it to filter by child domains.

Alert priority

Choose the alert priority or priorities you want to filter by (All, Unknown, Critical, High, Medium, Low, or Info).

You can choose a single priority or several ones as required.

Note

This option won't appear if you select Investigations in the Showing option next to the Filter button.

Alert type

Choose the alert type you want to filter by (All, Model, Analytics, Observation, Detection or Behaviour).

Note

This option won't appear if you select Investigations in the Showing option next to the Filter button.

Assigned to 

Select the user who was assigned the investigation.

Note

This option won't appear if you select Alerts in the Showing option next to the Filter button.

Entity field / Filter value

Choose the required type of entity from the drop-down list and enter the value you want to filter by. For example, if you want to get elements related to IP addresses that contain the value 10, choose ip from the Entity field drop-down and enter the value 10 in the Filter value box. Click the + button to add the required entity/filter value pairs.

If you add more than one filter, you can select AND or OR to either retrieve values that match all the criteria or at least one of them.


You can also select the Advanced Filters button to filter by the following criteria:

Note

There won't be any advanced filter if you select Investigations in the Showing option next to the Filter button.

Alert ID

Enter an alert ID if you want to filter only a specific alert. You can get the ID of a SecOps alert by hovering over the name of an alert in the Description column, or in the Alert ID column of the results retrieved.

Alert status

Choose the alert status you want to filter by (All, Unread, Updated, False positive, New, Watched, Closed, Reminder, Recovery, or Anti-flood).

City

Write the names of the cities you want to filter by. When you write a city name, it will appear in the drop-down if it is available. This parameter only applies to alerts.

Country

Select the country or countries you want to filter by from the available ones. This parameter only applies to alerts.

ATT&CK Tactic

Filter by one or several ATT&CK Tactics.

ATT&CK Technique

Filter by one or several ATT&CK Techniques.

Impact filter

Use this option if you want to filter elements by their impact. Select the comparison to apply (equals to, greater than, ...) and specify the value to compare against.

Then, decide the way you want to see the results after filtering. To do it, use the options next to the Filter button.


Group by

Choose how you want to group the filtered results:

  • Entity - This is the default option. Alerts with the same entities are grouped in a box, regardless of the alert type. The entities are listed at the top of each box.

  • Alert type - Alerts are grouped by type. Each group shows the name or definition of the alert and its MITRE tactics and techniques. Click a group to see all the occurrences of the alert over time.

    When you choose this grouping criterion, each alert group in the results shows an Actions menu. Click it to access the following options:

    • Add to investigation - Add the alert group to your investigation list.

    • Change status - Change the status of all the alerts in this group. You will access the Alert status change window. Here, choose the new status of the alerts from the list, and check the Add annotation box if you want to add a comment to the alerts in the group.

      Click Save when you're done. If everything is correct, you will see a confirmation message.

Sort by

Choose how you want to sort the filtered results:

  • Impact - This is the default option. Alerts with higher impacts will appear first on the results.

  • Alert priority - Alerts will be sorted by their priority, from Critical to Low.

Showing

Select which elements you want to filter (All, Alerts, or Investigations). The default option is All.

Note

As explained above, the filter options change depending on the option you select here.


Click Filter.
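The steps above describe what a Triage filter does once you click Filter: narrow the alerts by time range, keywords, priority, type, status, entity field/value pairs combined with AND or OR, ATT&CK tactics/techniques and an impact comparison, then group the survivors by Entity or Alert type and sort them by Impact or Alert priority. The following Python model is an added example written for this page; it is not Devo SecOps code and it makes no API calls. The alert records, the comparison names in IMPACT_OPS, the placement of Info and Unknown at the end of the priority order, and the rule that all keywords must appear are this example's own assumptions, chosen to mirror the options listed above (for instance, an ip filter value of 10 matching any address that contains 10).

```python
"""Toy model of the Triage filter, Group by and Sort by semantics. Added example, not Devo SecOps code."""
import operator
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set, Tuple

# Order used by "Sort by: Alert priority" (Critical first). Info/Unknown placement is assumed.
PRIORITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Comparisons accepted by the "Impact filter" (the names are this example's own).
IMPACT_OPS: Dict[str, Callable[[float, float], bool]] = {
    "equals to": operator.eq, "greater than": operator.gt, "less than": operator.lt,
    "greater or equal": operator.ge, "less or equal": operator.le,
}


@dataclass
class Alert:
    alert_id: str
    name: str
    details: str
    priority: str    # Critical, High, Medium, Low, Info, Unknown
    alert_type: str  # Model, Analytics, Observation, Detection, Behaviour
    status: str      # New, Unread, Closed, ...
    impact: float
    timestamp: datetime
    entities: Dict[str, str] = field(default_factory=dict)  # e.g. {"ip": "10.0.0.5"}
    tactics: List[str] = field(default_factory=list)
    techniques: List[str] = field(default_factory=list)


@dataclass
class TriageFilter:
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    keywords: List[str] = field(default_factory=list)   # assumed: every keyword must appear
    priorities: Set[str] = field(default_factory=set)   # empty set means "All"
    alert_types: Set[str] = field(default_factory=set)
    statuses: Set[str] = field(default_factory=set)
    entity_filters: List[Tuple[str, str]] = field(default_factory=list)  # (field, value) pairs
    entity_mode: str = "AND"                            # "AND" or "OR" between the pairs
    impact: Optional[Tuple[str, float]] = None          # e.g. ("greater than", 70)
    tactics: Set[str] = field(default_factory=set)
    techniques: Set[str] = field(default_factory=set)

    def matches(self, a: Alert) -> bool:
        text = f"{a.name} {a.details}".lower()
        checks = [
            self.start is None or a.timestamp >= self.start,
            self.end is None or a.timestamp <= self.end,
            all(k.lower() in text for k in self.keywords),
            not self.priorities or a.priority in self.priorities,
            not self.alert_types or a.alert_type in self.alert_types,
            not self.statuses or a.status in self.statuses,
            not self.tactics or bool(self.tactics & set(a.tactics)),
            not self.techniques or bool(self.techniques & set(a.techniques)),
            self.impact is None or IMPACT_OPS[self.impact[0]](a.impact, self.impact[1]),
        ]
        if self.entity_filters:
            # "Contains" semantics: an ip filter value of "10" matches "10.0.0.5".
            hits = [val in a.entities.get(fld, "") for fld, val in self.entity_filters]
            checks.append(all(hits) if self.entity_mode == "AND" else any(hits))
        return all(checks)


def filter_alerts(alerts: List[Alert], flt: TriageFilter) -> List[Alert]:
    return [a for a in alerts if flt.matches(a)]


def sort_alerts(alerts: List[Alert], by: str = "Impact") -> List[Alert]:
    if by == "Alert priority":
        return sorted(alerts, key=lambda a: PRIORITY_ORDER.index(a.priority))
    return sorted(alerts, key=lambda a: a.impact, reverse=True)  # default: highest impact first


def group_alerts(alerts: List[Alert], by: str = "Entity") -> Dict[tuple, List[Alert]]:
    groups: Dict[tuple, List[Alert]] = defaultdict(list)
    for a in alerts:
        # Entity (default): same entity set -> same box, whatever the alert type.
        key = (a.alert_type, a.name) if by == "Alert type" else tuple(sorted(a.entities.items()))
        groups[key].append(a)
    return dict(groups)


def run_triage(alerts, flt, group_by="Entity", sort_by="Impact"):
    return group_alerts(sort_alerts(filter_alerts(alerts, flt), sort_by), group_by)


T0 = datetime(2024, 5, 1, 12, 0)
SAMPLE_ALERTS = [  # constructed sample data, not real alerts
    Alert("a1", "Brute force login", "Many failed SSH logins", "High", "Detection", "New",
          80.0, T0, {"ip": "10.0.0.5", "user": "alice"}, ["Credential Access"], ["T1110"]),
    Alert("a2", "Brute force login", "Many failed SSH logins", "Critical", "Detection", "Unread",
          95.0, T0, {"ip": "10.0.0.9", "user": "bob"}, ["Credential Access"], ["T1110"]),
    Alert("a3", "Unusual download volume", "Large outbound transfer", "Medium", "Behaviour", "New",
          60.0, T0, {"ip": "10.0.0.5", "user": "alice"}, ["Exfiltration"], ["T1048"]),
    Alert("a4", "Port scan", "Sequential port probes", "Low", "Observation", "Closed",
          20.0, T0, {"ip": "192.168.1.7"}, ["Discovery"], ["T1046"]),
]

if __name__ == "__main__":
    # Same as choosing Entity field "ip", Filter value "10", Group by Entity, Sort by Impact.
    for key, grp in run_triage(SAMPLE_ALERTS, TriageFilter(entity_filters=[("ip", "10")])).items():
        print(key, [a.alert_id for a in grp])
```

Running the block with the ip filter value 10 keeps a1, a2 and a3 (a4's address 192.168.1.7 does not contain 10) and produces two Entity boxes: one for the alice/10.0.0.5 pair holding a1 and a3 in impact order, and one for bob/10.0.0.9 holding a2. Switching entity_mode to OR or adding an impact tuple such as ("greater than", 70) shows how the AND/OR selector and the Impact filter change the result set.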

...

If you start defining a new filter or select another saved filter, you can click Reset filters to apply your favorite filter again.

...