Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Current »

Overview

The Triage area of the Security Operations application is where analysts can filter and pivot by alert type, name, entities, or keywords. The available filters in this area allow analysts to determine the way they want to triage both alerts and investigations.

As said before, SecOps is mainly based on alerts. Alerts mark the very first actions to do when users enter the application. Once one or more suspicious alerts are detected, or even a potentially dangerous one, the next step is to analyze the content of the threat and the related entities and open an investigation to track every action taken by the user and share the content with the rest of users in the app.

Click this icon  in the top navigation bar to access the Triage area.

How to apply a filter?

You can filter both alerts and investigations by clicking key elements in the Overview Dashboard widgets, or access the Triage section directly and define the required criteria you want to filter by.

Filter by elements in the Overview Dashboard

Some of the widgets in the Overview Dashboard are interactive and allow you to click key elements and add them to a new filter. Simply click the Overview Dashboard element you want to filter by. In the example below, we click the Critical button in the Most Critical & Not Triaged Alerts widget. We will be prompted to choose if we want to access the Triage area and see the created filter (clicking Triage), or simply create the filter but stay in the Overview Dashboard (clicking Add filter).

Create a filter in the Triage area

As said above, you can access the Triage area by clicking the icon marked in the capture below in the top bar of the application and define the required filters using the available criteria.

  1. After accessing the Triage area, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range selecting the start and end dates in the calendar or select a preset interval. You can also select a start date and activate the Now toggle to set the ending date to the current time. Click OK after choosing the time range. 

    After applying a specific time range, you can click the play button next to the selector to activate real-time. This will allow new results to keep appearing as time passes.

  2. Then, set the conditions you want to filter by. These are the available options:

    Keywords

    Enter one or several words to filter alerts/investigations that contain them in their name, details, etc.

    Alert priority

    Choose the alert priority you want to filter by (All, Unknown, Critical, High, Medium, Low, or Info).

    This option won't appear if you select Investigations in the Showing option next to the Filter button. Learn more about this below.

    Alert type

    Choose the alert type you want to filter by (All, Model, Analytics, Observation, or Detection).

    This option won't appear if you select Investigations in the Showing option next to the Filter button. Learn more about this below.

    Assigned to 

    Select the user who was assigned the investigation.

    This option won't appear if you select Alerts in the Showing option next to the Filter button. Learn more about this below.

    Entity / Filter value

    Choose the required type of entity from the drop-down list and enter the value you want to filter by. For example, if you want to get elements related to IP addresses that contain the value 10, choose ip from the Entity drop-down and enter the value 10 in the Filter value box. Click the + button to add the required entity/filter value pairs.

  3. You can also select the Advanced Filters button to filter by the following criteria:

    Alert ID

    Enter an alert ID if you want to filter only a specific alert. You can get the ID of a SecOps alert by hovering over the name of an alert in the Description column.

    Alert status

    Choose the alert status you want to filter by (All, Unread, Updated, False positive, New, Watched, Closed, Reminder, Recovery, or Anti-flood).

    City

    Write the name of the cities you want to filter by. When you write a city name, it will appear in the dropdown if it is available. This parameter only applies to alerts.

    Country

    Select the country or countries you want to filter by from the available ones. This parameter only applies to alerts.

    ATT&CK Tactic

    Filter by one or several ATT&CK Tactics.

    ATT&CK Technique

    Filter by one or several ATT&CK Techniques.

    Impact

    Switch on this option if you want to filter elements by their impact. Indicate the required range using the sliders or enter the required values in the fields at the right of the area. Besides, you must indicate the required formula to be applied (equals to, greater than...)

    There won't be any advanced filter if you select Investigations in the Showing option next to the Filter button.

  4. Then, decide the way you want to see the results after filtering. To do it, use the options next to the Filter button.

    Group by

    Choose how you want to group the filtered results:

    • Entity - This is the default option. Alerts with the same entities will be grouped in a box, regardless of the type of alert. The entities will be indicated at the top of each box.
    • Alert type - In this case, alerts will be grouped by type. Each group will display the name or definition of the alert and their MITRE tactics and techniques. Click a group to see all the occurrences of the alert over time.

    Sort by

    Choose how you want to sort the filtered results:

    • Impact - This is the default option. Alerts with higher impacts will appear first on the results.
    • Alert priority - Alerts will be sorted by their priority, from Critical to Low.

    Showing

    Select which elements you want to filter (All, Alerts, or Investigations). The default option is All.

    As explained above, note that the filter options will change depending on the option you select.

  5. Click Filter.

Triage results

After applying the filter, the alerts/investigations that match the specified criteria will be listed below. Filtered alerts and investigations appear in a table. If you chose to get both alerts and investigations, alerts will appear first, and investigations will appear below them. Learn more about the results you get when filtering alerts and investigations in Triaging alerts and Triaging investigations.

Manage filters

You can save commonly used filters to reuse them anytime, and set as favorite the one you use the most.

Default filter

If you access the Triage area and have not applied any custom filter, a default filter will be always applied, which returns both alerts and investigations from the last 24 hours. 

Save a filter

Select the required criteria and click the save icon . Enter a name for the filter in the window that appears and click OK to save it. Click this icon  to access your saved filters.

Mark a filter as favorite

Click this icon  and select the heart next to the filter you want to mark as the favorite. Note that you can only mark one filter as favorite.

If you start defining a new filter or select another saved filter, you can click Reset filters to  to apply your favorite filter.

Delete a filter

Click this icon  and select the bin icon next to the saved filter you want to remove. Click OK in the confirmation window that appears.

  • No labels