Triage
Overview
The Triage area of the Security Operations application is where analysts filter and pivot across alerts and investigations by alert type, name, entities, or keywords. The filters available in this area let analysts decide how they want to triage both alerts and investigations.
As noted earlier, SecOps is alert-driven. Alerts are the first thing users act on when they enter the application. Once one or more suspicious alerts are detected (or a single potentially dangerous one), the next step is to analyze the threat and its related entities and open an investigation, which tracks every action the user takes and shares that content with the rest of the users in the app.
Click the Triage icon in the top navigation bar to access the Triage area.
How to apply a filter?
You can filter both alerts and investigations either by clicking key elements in the Dashboard widgets, or by accessing the Triage section directly and defining the criteria you want to filter by.
Filter by elements in the Overview Dashboard
Some of the Dashboard widgets are interactive and let you click key elements to add them to a new filter. Simply click the Dashboard element you want to filter by. In the example below, we click the High button in the Most Critical & Not Triaged Alerts widget. We are then prompted to choose between opening the Triage area to see the newly created filter (click Triage) or creating the filter while staying in the Dashboard (click Add filter).
Create a filter in the Triage area
As described above, you can access the Triage area by clicking the Triage icon marked in the capture below in the top bar of the application, and then define the filters you need using the available criteria.
Triage results
After you apply the filter, the alerts and investigations that match the specified criteria are listed below it in a table. If you chose to retrieve both alerts and investigations, alerts appear first and investigations appear below them. Learn more about the results you get when filtering alerts and investigations in Triaging alerts and Triaging investigations.
Manage filters
You can save commonly used filters to reuse them at any time, and mark the one you use most as your favorite.
Default filter
If you open the Triage area without applying any custom filter, a default filter is always applied. It returns both alerts and investigations from the last 24 hours.
Save a filter
Select the required criteria and click the save icon. Enter a name for the filter in the window that appears and click OK to save it. Click the saved filters icon to access your saved filters.
Mark a filter as favorite
Click the saved filters icon and select the heart next to the filter you want to mark as your favorite. Note that only one filter can be marked as favorite at a time.
If you start defining a new filter or select another saved filter, you can click Reset filters to ❤ to reapply your favorite filter.
Delete a filter
Click the saved filters icon and select the bin icon next to the saved filter you want to remove. Click OK in the confirmation window that appears.