What permissions do I need?

These are the minimum permissions required to perform the actions described in this article (visit Working with triggered alerts for a detailed description).

  1. Triggered alerts (View) → needed to see alert details and explore alert queries.

  2. Read/unread alert → needed to change alert status and priority.

  3. Triggered alerts (Manage) → needed to delete triggered alerts; it also enables all of the above.

  4. Alert configuration (Manage) → needed to edit and clone alert definitions.

Additionally, the alerts themselves must be assigned to your role: View access is enough to see alert details or go to the alert query, while Manage access is required for the rest of the actions (see Assign resources to a role).

See alert details

You can see the Summary and Description of a triggered alert by clicking the expandable arrow next to the alert name. Expanding the alert details will automatically mark it as watched (see the status section below).

If any of the fields is truncated, you can click on it to show a floating window with the full information.

Change status

The Status column indicates to what extent a triggered alert has been acknowledged. There are four possible values:

  • Unread: the alert details have not been viewed yet by any user in the domain.

  • Watched: the alert details have been viewed by at least one user in the domain.

  • False positive: the alert has been reviewed and deemed irrelevant for the purpose of the analysis.

  • Closed: the alert does not need to be monitored anymore. You can indicate in your user preferences if you want closed alerts to appear in the Alerts overview.

Change status of a single alert

You can change the status of an alert by clicking it in the list and selecting the desired option. Expanding the alert details will automatically mark it as watched (see the details section above).

Change status in bulk

You can change the status of several alerts by checking the boxes next to the names, clicking the Bulk actions button next to the master checkbox, and selecting Change status followed by the desired status.


Change priority

The Priority column indicates the priority level assigned to the alert definition when created.

Change priority of a single alert

You can change the alert priority by clicking on the cell and selecting the desired level. You can also change the priority level by editing the alert definition (see the edit section below).

Change priority in bulk

You can change the priority of several alerts by checking the boxes next to the names, clicking the Bulk actions button next to the master checkbox, and selecting Change priority followed by the desired priority level.


Explore alert query

You can go to the search window to see the query defined for that triggered alert and examine the events that caused it to trigger. Click the ellipsis menu at the end of the row and select Go to query.

You will be taken to the search window, where you will see the alert query with the time range of the events that triggered the alert. The search window opens in incognito mode, which means any changes you make to the query will not be saved.

Edit and clone alert definition

You can modify the alert definition of a triggered alert to change some of its settings, or clone it if you want to keep the original. Simply click the ellipsis menu at the end of the row and select Edit definition or Clone definition.

A new window opens with the settings of the alert definition. The fields you can modify and the implications depend on the action being performed (click here if you are editing or here if you are cloning).

Delete triggered alert

You can completely remove a triggered alert from the list when you no longer want to keep a record of it. You can also delete several alerts at the same time.

Delete a single alert

To remove a single alert entry from the record, simply click the ellipsis menu at the end of the row and select Delete.

Delete alerts in bulk

Check the boxes next to the names, click the Bulk actions button next to the master checkbox, and select Delete.
