Managing triggered alerts
What permissions do I need?
Once your alerts are defined, their queries will be monitored and an alert triggered when the specified conditions are met. Triggered alerts are shown in the Alerts Dashboard tab of the Alerts area, where you can monitor the history of all alerts triggered in the domain and manage the actions taken in response to them.
In order to access this area and perform all the tasks described below, you need a role with management permissions on Triggered alerts (Administration → Roles → Permissions tab). If you have the view version of the permission, you can access this area only to view the triggered alerts (unless you also have the Read/unread alert permission, which additionally lets you mark alerts as read and change their priority). If you do not have this permission at all, you cannot access this area.
About the Alerts Dashboard
The Alerts Dashboard is your control panel to track the alerts that have been triggered over time. There are two parts:
In the Alerts Overview area, you can see a dynamic chart to visually analyze the overall quantity of alerts displayed in the Alerts History area.
The Alerts History area lists all the alerts triggered in the domain, starting with the most recent one, and gives you the ability to carry out workflows related to managing the conditions that trigger the alerts. All alerts generated can also be checked in the siem.logtrust.alert.info table (see more about this table in Alerts monitoring).
Alerts Dashboard preferences
In the Preferences area, inside the User Preferences top tab, and the Alerts left tab, you can choose different visualization settings (visit User preferences to know more).
Filter triggered alerts
You can use a variety of options to filter triggered alerts and all of them will be applied to both the Alerts History and the Alerts Overview:
Click one of the time options above the chart to filter by time (1h, 6h, 12h, 1d, 1w, 1m, 1y).
Click one of the options above the list to filter according to the alert life cycle (Show Open or Show All).
Click a value in one of the valid columns to use that value as filtering criteria (Status, Alert name, Category - SubCategory, or Priority). To reset the filters applied, remove them individually or click Clear Filter above the list.
Visualize triggered alerts graphically
The Alerts Overview graphically displays the alerts triggered in the domain by representing them on a chart. You can change the type of chart to adapt it to your visualization needs. The available options are Line chart, Clustered Timeline chart, Calendar chart, and Voronoi chart. Like any other chart in Devo, the chart in the Alerts Overview is interactive, so you can perform a variety of actions depending on the type selected (visit Generate charts to know more).
Monitor new triggered alerts
By default, triggered alerts are listed starting with the most recent.
To draw your attention to the alerts you haven't seen yet in the history list, a New tag is displayed in the Status column for a couple of seconds when you access this area. Also, a green bar appears next to new alerts and does not disappear until you leave the Alerts Dashboard area.
Alert counters
You can always check if new alerts have been triggered in your domain by looking at the counter in the Alerts option of the navigation pane. The green bubble next to it indicates unread alerts triggered in your domain for the last 12 months.
If you hover over the Alerts icon while the navigation pane is minimized, you will see two counters. Both of them are updated every 60 seconds to show new alerts triggered in the domain.
You can also see this information inside the Alerts History area. This is what each counter means:
New alerts since last update - This is the count of unread alerts since the last time you visited the Alerts Dashboard. The count is reset every time you access this area, but if new alerts arrive while you are inside, you will see a Load New button at the top of the table.
Unread alerts in the domain - This is the total count of unread alerts in your domain for the last 12 months. The count will decrease if you mark them as Watched or Closed (you can see how in the section below). Alternatively, you can reset the total count of unread alerts in your domain by clicking the Reset unread button.
Manage triggered alerts
Status summary
The Status column indicates to what extent a triggered alert has been acknowledged. There are four possible values:
Unread: the alert details have not been viewed yet by any user in the domain.
Watched: the alert's details have been viewed by at least one user in the domain (see how in the table below).
Updated: the condition that triggered the alert no longer persists. This status is set by the Systems Monitoring application whenever a triggered alert that was created using the application is no longer relevant and thus needs no further monitoring.
Closed: a user in the domain has marked it so (see how in the table below).
Ellipsis menu
Using an alert's ellipsis menu, you can also access the following options:
| Option | Description |
|---|---|
| View alert details | Check the details of the selected alert. Alternatively, click the Summary column to expand the row and display the full alert message. Either action sets the status of the alert to Watched. |
| Go to query | See the events that made the alert trigger. You will be taken to the search window, showing the alert query with the time range in which the triggering events occurred. The search window opens in incognito mode, so any changes to the query will not be saved. |
| Create annotation | Use comments to track the actions taken to address the alert condition. Learn more in Add a comment to a triggered alert. |
| New filter / Edit filter | Create filters that automatically process alerts when they are triggered with the characteristics you specify. Alerts with post-filters are marked with a filter icon, and the ellipsis menu displays Edit filter instead. To edit or remove these filters, click the icon or select that option. Learn more in Apply a filter for post-processing. |
| Edit / View | Opens the Edit alert definition window, where you can edit the Category, Description and Priority of your alerts, or modify the query that defines the alert. Learn more here. Alternatively, change the priority directly in the list by hovering over the Priority column value and clicking the Change button that appears. |
| Clone | Opens an alert definition window with the exact same settings, where you can change the Name, Subcategory, Summary, and Description before confirming. |
| Mark as closed | Changes the alert status to Closed. Use it when it has been determined that the alert no longer requires attention or action. You can indicate in your user preferences whether closed alerts should appear in the Alerts History. |
| Delete | Removes the alert completely. Use it when you no longer want to keep a record of the alert. |
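The status transitions and counter rules described in this section (Unread becoming Watched on viewing details, Mark as closed, the Updated status set by Systems Monitoring, the 12-month unread counter, the "new since last update" counter that resets on each visit, and Reset unread) are modelled below as a small Python class so that the bookkeeping can be checked against concrete alerts. This is an added illustration, not Devo code: the class and method names, the sample alerts, the rule that Show Open hides only Closed alerts, and the reading of Reset unread as a cut-off timestamp are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    """The four values shown in the Status column of the Alerts History."""
    UNREAD = "Unread"
    WATCHED = "Watched"
    UPDATED = "Updated"
    CLOSED = "Closed"


@dataclass
class TriggeredAlert:
    alert_id: int
    name: str
    priority: str
    triggered_at: datetime
    status: Status = Status.UNREAD


class AlertsDashboard:
    """Hypothetical model of the Alerts History list and its counters (not Devo code)."""

    UNREAD_WINDOW = timedelta(days=365)  # the unread counter covers the last 12 months

    def __init__(self, now: datetime):
        self.now = now
        self._alerts: Dict[int, TriggeredAlert] = {}
        self._last_visit: Optional[datetime] = None       # set when the dashboard is opened
        self._unread_reset_at: Optional[datetime] = None  # set by Reset unread (assumed semantics)

    # --- actions that create or change alerts ---------------------------------
    def trigger(self, alert: TriggeredAlert) -> None:
        self._alerts[alert.alert_id] = alert

    def view_details(self, alert_id: int) -> Status:
        """View alert details / expanding the Summary: an Unread alert becomes Watched."""
        alert = self._alerts[alert_id]
        if alert.status is Status.UNREAD:
            alert.status = Status.WATCHED
        return alert.status

    def mark_closed(self, alert_id: int) -> None:
        self._alerts[alert_id].status = Status.CLOSED

    def mark_updated(self, alert_id: int) -> None:
        """Set by the Systems Monitoring application once the condition no longer persists."""
        self._alerts[alert_id].status = Status.UPDATED

    def delete(self, alert_id: int) -> None:
        del self._alerts[alert_id]

    # --- list and counters -----------------------------------------------------
    def history(self, show_open: bool = True) -> List[TriggeredAlert]:
        """Alerts History: most recent first; Show Open hides Closed alerts (assumption)."""
        rows = [a for a in self._alerts.values() if not show_open or a.status is not Status.CLOSED]
        return sorted(rows, key=lambda a: a.triggered_at, reverse=True)

    def _counts_as_unread(self, alert: TriggeredAlert) -> bool:
        if alert.status is not Status.UNREAD:
            return False
        if alert.triggered_at < self.now - self.UNREAD_WINDOW:
            return False  # older than 12 months: not part of the counter
        if self._unread_reset_at is not None and alert.triggered_at <= self._unread_reset_at:
            return False  # triggered before the last Reset unread (assumed semantics)
        return True

    def unread_in_domain(self) -> int:
        """'Unread alerts in the domain' counter."""
        return sum(1 for a in self._alerts.values() if self._counts_as_unread(a))

    def new_since_last_visit(self) -> int:
        """'New alerts since last update': unread alerts triggered after the last visit."""
        if self._last_visit is None:
            return self.unread_in_domain()
        return sum(1 for a in self._alerts.values()
                   if self._counts_as_unread(a) and a.triggered_at > self._last_visit)

    def visit(self) -> None:
        """Opening the Alerts Dashboard resets the 'new since last update' count."""
        self._last_visit = self.now

    def reset_unread(self) -> None:
        """Reset unread button: assumed to stop counting alerts triggered up to now."""
        self._unread_reset_at = self.now


def demo() -> dict:
    """Walk constructed sample alerts through the lifecycle and return the counters observed."""
    now = datetime(2024, 6, 1, 12, 0)
    board = AlertsDashboard(now)
    board.trigger(TriggeredAlert(1, "Brute force login", "high", now - timedelta(hours=3)))
    board.trigger(TriggeredAlert(2, "Privilege change", "medium", now - timedelta(days=2)))
    board.trigger(TriggeredAlert(3, "Old scanner hit", "low", now - timedelta(days=400)))
    out = {"unread_initial": board.unread_in_domain()}      # alert 3 is older than 12 months
    board.view_details(1)                                   # Unread -> Watched
    out["unread_after_view"] = board.unread_in_domain()
    board.mark_closed(2)
    out["unread_after_close"] = board.unread_in_domain()
    out["open_rows"] = [a.alert_id for a in board.history(show_open=True)]
    out["all_rows"] = [a.alert_id for a in board.history(show_open=False)]
    board.visit()                                           # user opens the dashboard
    board.now = now + timedelta(minutes=1)                  # a new alert arrives while inside
    board.trigger(TriggeredAlert(4, "Lateral movement", "high", board.now))
    out["new_since_visit"] = board.new_since_last_visit()   # the Load New case
    board.mark_updated(1)
    out["status_1"] = board._alerts[1].status.value
    board.reset_unread()
    out["unread_after_reset"] = board.unread_in_domain()
    return out
```

Running `demo()` shows the two counters diverging: an alert older than 12 months never contributes to the unread counter, viewing or closing an alert decrements it, and an alert triggered after you opened the dashboard is what the Load New button announces.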