
Filter triggered alerts

What permissions do I need?

To access the Alerts overview area and filter alerts, you need at least the View level of the Triggered alerts permission (see a detailed description of the alerts permissions here).

Additionally, you need to have alerts assigned with at least View access (see Assign resources to a role).

About time ranges and filters

Time ranges and filters are independent methods that can be combined to narrow down the alerts shown on the list and graphs. Time ranges are the first layer and are always active upon entering this area, while filters are optional and can be applied to further restrict the alerts for the selected time range.

Excessive number of alerts: if the combination of time range and filters returns a number of alerts that exceeds 100,000 alerts, the page will not show the results and will prompt you to modify them to obtain a manageable set.


Working in multiple sessions: time range and filters are reflected in the URL, making it possible to easily replicate them in another session by copy-pasting the URL.


Setting time ranges

When setting time ranges, it is important to consider the type of time range specified and the method chosen to set it. You can set absolute, relative, or snap-to dates:

  • Absolute: a specific interval with fixed start and end dates to see data from a specific time period.

  • Relative: a period of time relative to the current date (last 5 minutes, last day, etc.) to see data progression up to the present.

  • Snap to: a period of time that goes back to the starting point of the selected time frame to see data without unrepresentative data samples resulting from analyzing incomplete periods.
    For example, if it is 10:53:17 on a Tuesday:

Snap to the day: you will see data beginning at 00:00 on that same Tuesday.
Snap to the hour: you will see data beginning at 10:00.
Snap to the minute: you will see data beginning at 10:53:00.

Using the interface

You can set a time interval as described in the picture below.

Using time expressions

You can also introduce time ranges manually using date language expressions, which gives you more flexibility and precision when searching your data.

Simply click on the date field and write the desired time expression or modify the existing one using the operators below (you can combine them as you see fit).

  • yyyy-MM-dd hh:mm:ss: establishes the specified absolute date. Example: 2021-06-30 15:35:23

  • Snap to (@ or |<): rounds the date down to the beginning of a time unit. This operator only accepts 1m, 1h, 1d, 1w, 1W, 1M and 1y. Example: now() @ 1m or now() |< 1m

  • Arithmetic (+/-): applies an offset to the date (date + offset or date - offset). Example: now() - 3h

  • Replace (^): replaces part of the date with the given value (date ^ time_unit). Example: now() ^ 6d

  • Backward and forward (<</>>): shifts the date to the previous/next occurrence of the given calendar value (date << time_unit or date >> time_unit). Note that the number is a position, not an offset: 2M is the month of February, so now() >> 2M is the next February. Example: now() << 11M

Let's suppose the current time (which we refer to as "now()") is Sunday, 05 February 2017, 13:37:05. The list below shows the resulting time when different expressions are applied. Note that this isn't an exhaustive list:

  • now() - 60m (60 minutes ago): Sunday, 05 February 2017, 12:37:05

  • now() @ 1h (now, rounded down to the beginning of the hour): Sunday, 05 February 2017, 13:00:00

  • now() - 24h (24 hours ago): Saturday, 04 February 2017, 13:37:05

  • (now() - 1d) @ 1d (yesterday, rounded down to the beginning of the day): Saturday, 04 February 2017, 00:00:00

  • (now() - 2d) @ 1d (2 days ago, rounded down to the beginning of the day): Friday, 03 February 2017, 00:00:00

  • (now() - 2d) @ 1m (2 days ago, rounded down to the beginning of the minute): Friday, 03 February 2017, 13:37:00

  • ((now() - 2d) @ 1d) - 2h (2 days ago, rounded down to the beginning of the day, minus 2 hours): Thursday, 02 February 2017, 22:00:00

  • now() @ 1w (beginning of the locale week, which in this example starts on Sunday): Sunday, 05 February 2017, 00:00:00

  • now() @ 1W (beginning of the ISO week, which starts on Monday): Monday, 30 January 2017, 00:00:00

  • now() ^ 6d (replace the day with 6): Monday, 06 February 2017, 13:37:05

  • now() ^ 2018y3M6d15h30m20s (replace the year with 2018, the month with 3, the day with 6, the hour with 15, the minutes with 30 and the seconds with 20): Tuesday, 06 March 2018, 15:30:20

  • now() >> 2M (forward to the next occurrence of month 2, February): Monday, 05 February 2018, 13:37:05

  • now() << 2M (back to the previous occurrence of month 2, February): Friday, 05 February 2016, 13:37:05

  • now() >> 2M6d15h20m10s (forward to the next February, then day 6, hour 15, minute 20 and second 10): Tuesday, 06 February 2018, 15:20:10

  • now() << 1h/1d (back to the first hour of the current day; minutes and seconds don't change): Sunday, 05 February 2017, 01:37:05
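To make the operator semantics concrete, here is a small evaluator for this expression language. It is an added example written for this page, not part of the product: it covers now(), absolute dates, parentheses and the @, |<, +, -, ^, >> and << operators, and reproduces the results listed above when "now()" is Sunday, 05 February 2017, 13:37:05. Two points are assumptions rather than documented behaviour: the >>/<< rule (set the requested fields, then step the next coarser unit by one unless the coarsest requested value is already strictly ahead of, or behind, its current value) is inferred from the examples, and the composite 1h/1d form is not handled.

```python
import calendar
import re
from datetime import datetime, timedelta

ORDER = ["y", "M", "d", "h", "m", "s"]  # calendar fields, coarse to fine (the parent of M is y, and so on)
FIELD = {"y": "year", "M": "month", "d": "day", "h": "hour", "m": "minute", "s": "second"}
DELTA = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks", "W": "weeks"}
TOKEN = re.compile(  # absolute date | now() | operator | unit spec such as 2018y3M6d | parenthesis
    r"\s*(?:(?P<abs>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})|(?P<now>now\(\))"
    r"|(?P<op>\|<|>>|<<|[@+\-^])|(?P<arg>[0-9A-Za-z]+)|(?P<paren>[()]))"
)

def _tokenize(text):
    """(kind, text) tokens plus an 'end' sentinel; anything finditer had to skip is an error."""
    tokens = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN.finditer(text)]
    if "".join(v for _, v in tokens).replace(" ", "") != re.sub(r"\s+", "", text):
        raise ValueError(f"unexpected input in {text!r}")
    return tokens + [("end", "")]

def _parse_spec(arg):
    """'2018y3M6d' -> [(2018, 'y'), (3, 'M'), (6, 'd')]; anything else is rejected."""
    parts = re.findall(r"(\d+)([smhdwWMy])", arg)
    if "".join(n + u for n, u in parts) != arg:
        raise ValueError(f"bad time unit spec: {arg!r}")
    return [(int(n), u) for n, u in parts]

def _add_months(dt, n):
    """Move n calendar months, clamping the day to the length of the target month."""
    year, month0 = divmod(dt.year * 12 + dt.month - 1 + n, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)

def _offset(dt, spec, sign):
    """date +/- offset: months and years move by calendar, the other units by a fixed timedelta."""
    for n, u in spec:
        months = sign * n * (12 if u == "y" else 1)
        dt = _add_months(dt, months) if u in "My" else dt + timedelta(**{DELTA[u]: sign * n})
    return dt

def _snap(dt, arg):
    """'@ 1d' rounds down to the start of the unit; 1w starts on Sunday, 1W (ISO week) on Monday."""
    if arg not in ("1m", "1h", "1d", "1w", "1W", "1M", "1y"):
        raise ValueError(f"snap accepts only 1m/1h/1d/1w/1W/1M/1y, got {arg!r}")
    u, day0 = arg[1], dt.replace(hour=0, minute=0, second=0)
    if u in "wW":
        return day0 - timedelta(days=(dt.weekday() + 1) % 7 if u == "w" else dt.weekday())
    return {"m": dt.replace(second=0), "h": dt.replace(minute=0, second=0), "d": day0,
            "M": day0.replace(day=1), "y": day0.replace(month=1, day=1)}[u]

def _shift(dt, spec, sign):
    """'>> 2M' = next occurrence of month 2 (February), '<< 2M' = the previous one. Assumed rule: set the
    fields, then step the next coarser unit unless the coarsest value is strictly ahead (>>) / behind (<<)."""
    out = dt.replace(**{FIELD[u]: n for n, u in spec})
    n, u = min(spec, key=lambda p: ORDER.index(p[1]))
    current, idx = getattr(dt, FIELD[u]), ORDER.index(u)
    if idx > 0 and (n <= current if sign > 0 else n >= current):
        out = _offset(out, [(1, ORDER[idx - 1])], sign)
    return out

def evaluate(expr, now):
    """Evaluate a time expression such as '((now() - 2d) @ 1d) - 2h' relative to `now`."""
    tokens, pos = _tokenize(expr), 0

    def base():  # now() | absolute date | ( chain )
        nonlocal pos
        kind, val = tokens[pos]
        pos += 1
        if kind == "now":
            return now.replace(microsecond=0)
        if kind == "abs":
            return datetime.strptime(val, "%Y-%m-%d %H:%M:%S")
        if (kind, val) != ("paren", "("):
            raise ValueError(f"expected now(), an absolute date or '(' but got {val!r}")
        dt, close = chain(), tokens[pos]
        pos += 1
        if close != ("paren", ")"):
            raise ValueError("missing ')'")
        return dt

    def chain():  # base followed by any number of "<operator> <unit spec>" steps, applied left to right
        nonlocal pos
        dt = base()
        while tokens[pos][0] == "op":
            op, (kind, arg) = tokens[pos][1], tokens[pos + 1]
            if kind != "arg":
                raise ValueError(f"operator {op} needs a time unit argument")
            pos += 2
            if op in ("@", "|<"):
                dt = _snap(dt, arg)
            elif op == "^":  # replace: overwrite the listed fields (w/W are not fields and raise KeyError)
                dt = dt.replace(**{FIELD[u]: n for n, u in _parse_spec(arg)})
            else:  # + - >> <<
                step = _offset if op in ("+", "-") else _shift
                dt = step(dt, _parse_spec(arg), 1 if op in ("+", ">>") else -1)
        return dt

    result = chain()
    if tokens[pos][0] != "end":
        raise ValueError(f"trailing input: {tokens[pos:-1]}")
    return result
```

Call evaluate("((now() - 2d) @ 1d) - 2h", datetime(2017, 2, 5, 13, 37, 5)) to get Thursday, 02 February 2017, 22:00:00. Malformed input (an unknown operator, a snap unit other than the seven allowed, a stray character) raises ValueError instead of being guessed at, which is the behaviour you want in front of anything that turns user-typed text into a query window.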

Applying filters

You can use a variety of options to filter triggered alerts. All of them apply to the whole Alerts overview, both the chart area at the top and the Triggered alerts list at the bottom:

  1. Click Advanced filter at the top and a menu opens below.

  2. Select a value in the field you want to use as filtering criteria.

    • Most of the fields admit several values. This finds alerts that match any of them.

    • Several fields can be used at the same time. This will find alerts that match all of them.

    • All fields admit typing to narrow down the available values for selection.

    • Fields such as Name or Subcategory provide an option to select all values.

    • To remove a value, simply click the X next to it. To remove all values within a field, click the X located on the right side of the field.

  3. Click Apply when you finish choosing the filtering criteria. All the filters applied appear below the button, and the alerts will be filtered accordingly.

    • To reset all filters, click Clear all.

    • To reset filters per field, click the X next to each of them.

    • To reset filters per value, you need to edit the filtering by reopening the menu, removing the desired values as explained above, and clicking Apply.

Filter by Extradata

Only with decoded Extradata

The search is conducted on the decoded version of the Extradata, not the raw version. Keep this in mind when inputting the value(s) as this might alter the expected result.

You have two different options when using this filter, each of them designed for different contexts. The Simple option is best used for swift and extensive searches, whereas the Advanced provides more precision and control over the filtering criteria, allowing for more thorough searches.

Simple: this mode allows you to enter a value and check whether it is present anywhere within any Extradata, retrieving the alerts that contain it (case insensitive). It is a basic yet powerful filter, as it lets you operate without deep knowledge of the Extradata. However, only one value can be used at a time. If you want to use several values, use the advanced mode.

Advanced: this mode allows you to enter several values (up to 10) and the keys where these values will be searched, as well as establish different operators for the value search or decide if they will be combined or considered individually.

Only with first-level keys

The advanced mode of this filter is limited to first-level keys. This means that it will not work when using deeper keys contained in complex keys (those with additional depth levels).

  • In the Extradata below, the “alertType” key is complex and contains an additional level with two more keys, “id” and “type”. Using the deeper-level keys will not retrieve this alert, even if the searched value is present.

  • This means that the key-value pair “type-Detection” will not retrieve this alert. For a successful retrieval, use the key-value pair “alertType-Detection” instead.

    {
      "alertMitreTechniques": "Brute+Force",
      "alertType": { "id": "12", "type": "Detection" },
      "alertMitreTactics": "Credential+Access",
      "count": "12"
    }

  • Add filter condition: click this button to open a menu where you can specify what, where, and how to look for.

    • Key: the field of the Extradata where you want to search for matches. Simply write the name of the desired field (in the example above, a valid field could be count).

    • Operator: how the specified value will be considered when searching for matches. Simply click the dropdown and select one of the options.

      • Contains (->>) → case insensitive: the chosen key will be examined to verify the presence of the specified value, retrieving the alert when it is. For example, using "count contains 1” would successfully retrieve the alert in the example above because 1 is present within 12.

      • Not contains (not(->>)) → case insensitive: the chosen key will be examined to verify the presence of the specified value, retrieving the alert when it isn’t. For example, using "count not contains 1” would not retrieve the alert in the example above because 1 is present within 12.

      • Equals (=) → case sensitive: the chosen key will be examined to verify if it coincides with the specified value, retrieving the alert when it does. For example, using "count equals 1” would not retrieve the alert in the example above because 1 is different from 12.

      • Not equals (!=) → case sensitive: the chosen key will be examined to verify if it coincides with the specified value, retrieving the alert when it doesn’t. For example, using "count not equals 1” would retrieve the alert in the example above because 1 is different from 12.

    • Value: the value you want to use to search for matches. Simply write the desired value.

  • AND vs OR: when you specify several filter conditions, this dropdown is enabled, allowing you to decide how to combine them.

    • AND: choosing this option will combine the conditions, retrieving alerts only when both of the conditions are met. For example, using “count equals 12” AND “alertMitreTactics contains Initial“ would not retrieve the alert in the example above because only the count condition is met.

    • OR: choosing this option will consider the conditions individually, retrieving alerts when any of the conditions are met. For example, using “count equals 12” OR “alertMitreTactics contains Initial“ would retrieve the alert in the example above because the count condition is met.
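As an added example that is not part of the product's code, the Python below models the rules described in this section and in Applying filters above: values selected inside one field are ORed, different fields are ANDed, the simple Extradata mode does one case-insensitive search over the whole decoded Extradata, and the advanced mode evaluates up to 10 key/operator/value conditions on first-level keys, combined with AND or OR. The sample alerts are constructed for the example (the first one carries the Extradata shown above). The alert record layout, URL decoding as the meaning of "decoded", JSON serialisation of complex keys and the choice that a missing key never matches are all assumptions, not documented behaviour.

```python
import json
from urllib.parse import unquote_plus

# Constructed sample alerts (not product data). ALERTS[0] carries the Extradata shown on the page;
# the record fields name / subcategory / domain are assumptions about how an alert is represented.
ALERTS = [
    {"id": "a1", "name": "SSH brute force", "subcategory": "Authentication", "domain": "tenant-a",
     "extradata": {"alertMitreTechniques": "Brute+Force", "alertType": {"id": "12", "type": "Detection"},
                   "alertMitreTactics": "Credential+Access", "count": "12"}},
    {"id": "a2", "name": "Phishing link clicked", "subcategory": "Email", "domain": "tenant-b",
     "extradata": {"alertMitreTactics": "Initial+Access", "count": "1"}},
    {"id": "a3", "name": "SSH brute force", "subcategory": "Authentication", "domain": "tenant-b",
     "extradata": {"alertMitreTactics": "Credential+Access", "count": "3"}},
]


def _decode(value):
    """The page says the decoded Extradata is searched. Assumption: that means URL decoding of
    string values ("Brute+Force" -> "Brute Force"), applied recursively to nested values."""
    if isinstance(value, str):
        return unquote_plus(value)
    if isinstance(value, dict):
        return {k: _decode(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_decode(v) for v in value]
    return value


def _text(value):
    """Text the operators run against: the decoded string, or the JSON of a complex value.
    Assumption: this is why "alertType contains Detection" matches while the nested "type" does not."""
    value = _decode(value)
    return value if isinstance(value, str) else json.dumps(value)


def match_condition(extradata, key, op, needle):
    """One advanced-mode condition. Only first-level keys are looked up: a key that is nested inside
    a complex key is not found, and the condition then fails whatever the operator (assumption)."""
    if key not in extradata:
        return False
    haystack = _text(extradata[key])
    if op == "contains":          # ->>, case insensitive
        return needle.lower() in haystack.lower()
    if op == "not contains":      # not(->>), case insensitive
        return needle.lower() not in haystack.lower()
    if op == "equals":            # =, case sensitive
        return haystack == needle
    if op == "not equals":        # !=, case sensitive
        return haystack != needle
    raise ValueError(f"unknown operator {op!r}")


def match_advanced(extradata, conditions, combine="AND"):
    """Advanced mode: up to 10 (key, operator, value) conditions, combined with AND or OR."""
    if not 1 <= len(conditions) <= 10:
        raise ValueError("advanced mode takes between 1 and 10 conditions")
    results = [match_condition(extradata, *c) for c in conditions]
    return all(results) if combine == "AND" else any(results)


def match_simple(extradata, needle):
    """Simple mode: a single value, case insensitive, anywhere in the decoded Extradata."""
    return needle.lower() in _text(extradata).lower()


def filter_alerts(alerts, fields=None, simple=None, advanced=None, combine="AND"):
    """Apply the Advanced filter panel: within a field the selected values are ORed; across fields,
    and with the Extradata filter, they are ANDed. Returns the IDs of the matching alerts."""
    if simple is not None and advanced:
        raise ValueError("use either the simple or the advanced Extradata filter, not both")
    matched = []
    for alert in alerts:
        if any(alert.get(field) not in allowed for field, allowed in (fields or {}).items()):
            continue
        if simple is not None and not match_simple(alert["extradata"], simple):
            continue
        if advanced and not match_advanced(alert["extradata"], advanced, combine):
            continue
        matched.append(alert["id"])
    return matched


if __name__ == "__main__":
    print(filter_alerts(ALERTS, advanced=[("count", "contains", "1")]))              # ['a1', 'a2']
    print(filter_alerts(ALERTS, advanced=[("type", "contains", "Detection")]))       # [] (nested key)
    print(filter_alerts(ALERTS, advanced=[("alertType", "contains", "Detection")]))  # ['a1']
    print(filter_alerts(ALERTS, simple="brute force"))                               # ['a1']
    print(filter_alerts(ALERTS, simple="Brute+Force"))                               # [] (raw, not decoded)
```

The last two calls show the caveat from the note above: the raw "Brute+Force" does not match because the search runs on the decoded form, while "brute force" does. The nested-key call shows the first-level limitation: "type" is only reachable through the complex key "alertType", whose serialised value does contain "Detection".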

Filter by domain (only in Multitenant structures)

In multitenant structures, there is an additional column in the triggered alerts page to indicate the domain an alert belongs to. To help you work with this capability, there’s a specific filter to find alerts based on the domain they belong to.

You can find this filter inside the Advanced filters menu. Click the Domain dropdown and select the domains you want to see alerts for. This dropdown shows all domains inside the current structure.

It works as any other filter, so it follows the same rules:

  • Several options can be selected (OR basis – finds alerts in either of the selected domains).

  • It can be combined with the other filters (AND basis – finds alerts matching all filtering criteria).

  • It is possible to write inside the field to search for a specific domain name (helpful with big structures).

  • To remove an item, simply click the X next to each of them. To remove them all, click the X located on the right side of the field.

  • There’s an option to select all of them at the top of the dropdown.

Working with presets (presaved sets of filters)

You can save the applied filters and time ranges as presets for later use. Activating a preset replicates the filters and time range to quickly show the related alerts without going through the filtering process again. This is especially useful when you need to work with similar datasets on a regular basis.

User specific

This feature works on a per-user basis, which means that the presets you define are only visible to you.

Creating a preset

After applying the desired filters and time range, click the floppy disk button at the top right. Give it a name and description, and mark the default checkbox if you want it to be automatically applied when accessing the triggered alerts area. Click Apply when you finish.

Using a preset

To use an existing preset, simply click on the preset dropdown at the top right and select one. If there are no triggered alerts with the selected preset, you can use the refresh button on the right to reset the page to its original state without any filter applied.

Managing presets

  • Edit name and description: click on the preset dropdown and then on the pencil button of the preset in question. Click Apply when you finish.

  • Set as default: click on the preset dropdown and then on the bookmark icon of the preset in question. The default preset will be automatically applied when accessing the area.
    Only one can be set as default, so setting a different one as default will unmark the previous one.
    Using the option on the default preset will unmark it, rendering the area without a default preset.

  • Delete: click on the preset dropdown and then on the trashcan button of the preset in question.

  • Update preset conditions: with a preset already active, change the filters or time range, click the floppy disk button at the top right and select Save changes to current preset. You can also create a different one with the Save as new preset option.

Searching by ID

Every triggered alert is assigned a unique ID at the time it’s generated, which can be used to find it. Simply click the Search alert by ID button above the new alerts counter, at the top right of the screen.

Inserting an ID automatically triggers a validity check, and upon confirmation of its validity, you can proceed by clicking the Search button to open its details window.
