
Change triggered alerts' status

What permissions do I need?

To access the Alerts overview area and change the alert status, you need at least the Triggered alerts (view) and the Update status / priority permissions (see a detailed description of the alerts permissions here).

Additionally, you need to have alerts assigned with Manage access (see Assign resources to a role); these are the alerts you will see on the list.

About triggered alert status

The Status column indicates to what extent a triggered alert has been acknowledged. There are four possible values, each being assigned a numerical value that will be displayed in auditing tables:

  • Unread (0): the alert details have not been viewed yet by any user in the domain.

  • Watched (100): the alert's details have been viewed by any user in the domain.

  • False positive (2): the alert has been reviewed and deemed irrelevant for the purpose of the analysis.

  • Closed (300): the alert does not need to be monitored anymore.

  • Suppressed (800): the alert has been deemed unnecessary for further action (most of the time via post-filter). Suppression can be useful to reduce the noise in cases where recurring alerts are acknowledged but do not require immediate attention. Suppressed alerts are not actively monitored, but they remain in the system for auditing purposes and can be reinstated or reviewed if needed.
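When reviewing status changes in an auditing table, the numeric codes above can be decoded and checked for alerts that were marked False positive, Closed or Suppressed without ever being recorded as Watched. The following is an added example, not the product's own code; the row layout (time, alert ID, user, status code), the function name and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Status codes exactly as listed in the section above.
STATUS = {0: "Unread", 100: "Watched", 2: "False positive",
          300: "Closed", 800: "Suppressed"}
DISPOSITIONS = {"False positive", "Closed", "Suppressed"}

# Constructed sample rows. The column layout (time, alert_id, user, status)
# is an assumption, not the product's auditing table schema.
SAMPLE_ROWS = [
    ("2024-05-01T09:00:00Z", "A-1", "system", 0),
    ("2024-05-01T09:05:00Z", "A-1", "alice", 100),
    ("2024-05-01T09:20:00Z", "A-1", "alice", 300),
    ("2024-05-01T09:01:00Z", "A-2", "system", 0),
    ("2024-05-01T10:00:00Z", "A-2", "bob", 800),
    ("2024-05-01T11:00:00Z", "A-3", "bob", 2),
    ("2024-05-01T09:02:00Z", "A-3", "system", 0),
    ("2024-05-01T09:03:00Z", "A-4", "system", 0),
    ("2024-05-01T12:00:00Z", "A-4", "bob", 999),  # code not in the list
]

def review_status_history(rows):
    """Return (current, unviewed, unknown).

    current:  alert_id -> name of the latest recorded status
    unviewed: alert_id -> (user, status) for the first disposition that was
              set before any Watched status was recorded for that alert
    unknown:  (alert_id, code) pairs whose code is not in STATUS
    """
    history = defaultdict(list)
    unknown = []
    for ts, alert_id, user, code in rows:
        if code not in STATUS:
            unknown.append((alert_id, code))  # surface it, do not guess
            continue
        history[alert_id].append((ts, user, STATUS[code]))
    current, unviewed = {}, {}
    for alert_id, events in history.items():
        events.sort()  # ISO 8601 UTC timestamps sort chronologically
        watched = False
        for _ts, user, name in events:
            if name == "Watched":
                watched = True
            elif name in DISPOSITIONS and not watched:
                unviewed.setdefault(alert_id, (user, name))
        current[alert_id] = events[-1][2]
    return current, unviewed, unknown
```

Alerts reported in `unviewed` are candidates for a second look, since their details were never opened before they were dispositioned.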

Changing status from the alert list

Changing status of a single alert

You can change the status of an alert by double-clicking it on the list and selecting the desired option. Expanding the alert details will automatically mark it as watched (see details section above).


Changing status in bulk

You can change the status of several alerts by checking the boxes next to the names, clicking the Bulk actions button next to the master checkbox, and selecting Change status followed by the desired status.


Changing status from the alert details window

You can also change the status of a triggered alert from the details window, which is accessible by clicking an alert’s ID on the list (more info about the details window here). Simply click the status drop-down and select the desired option.
