
Working with triggered alerts

In this video you can see the highlights of the triggered alerts area, as well as some guidelines on how to use it.

About triggered alerts

When an alert is triggered, a notification is sent through the delivery method (channel) configured for it. The notification contains the details of the triggered alert and a link to open it in Devo, so that the recipient can analyze it and decide on a course of action. Below you can see an example of an alert notification sent via email.

[Image: 2_Managing triggered alerts.png, an example alert notification sent via email]

Furthermore, all triggered alerts are displayed in the Overview tab of the Alerts area. To access it, click the Alerts button on the Navigation pane.

This is your control panel to track the alerts that have been triggered over time. There are two parts:

  • Top area: it displays a dynamic chart to visually analyze the overall quantity of alerts displayed in the bottom area, as well as the triaging options to filter them.

  • Bottom area: it lists all the alerts triggered in the domain starting with the most recent one and gives you the ability to carry out workflows related to managing the conditions that trigger the alerts.

Data table registry of triggered alerts

All triggered alerts are registered in the siem.logtrust.alert.info table at the time of generation. Additionally, they are registered in the devo.audit.alert.triggered table, which maintains a comprehensive record of all subsequent changes they undergo during their lifecycle.

When an alert should have been triggered but was not, for whatever reason, the failed evaluation is registered in the siem.logtrust.alert.error table. No notification is sent for these cases, so it is worth checking this table regularly: an alert definition that only ever appears there is a detection that has silently stopped working.
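The following added example (not code from the Devo documentation) shows what a practitioner would do with the three tables named above once the rows have been exported: count successful triggers against failed evaluations per alert definition, flag definitions that only produced errors, and replay the audit trail to recover each alert's latest status and priority. The rows are constructed, and the column names used (eventdate, alertId, context, priority, status, field, newValue, error) are assumptions made for the illustration, not a guaranteed schema of these tables.

```python
"""Reconcile triggered alerts with alert errors and replay their lifecycle.

Added example, not code from the Devo documentation. The rows below are
constructed, and the column names (eventdate, alertId, context, priority,
status, field, newValue, error) are assumptions made for the illustration,
not a guaranteed schema of the tables named in the text.
"""
from collections import defaultdict

# Constructed rows standing in for siem.logtrust.alert.info: one per alert
# generated.
ALERT_INFO = [
    {"eventdate": "2024-05-01T10:00:00Z", "alertId": "a1",
     "context": "ssh.bruteforce", "priority": "high", "status": "open"},
    {"eventdate": "2024-05-01T10:05:00Z", "alertId": "a2",
     "context": "ssh.bruteforce", "priority": "high", "status": "open"},
    {"eventdate": "2024-05-01T10:07:00Z", "alertId": "a3",
     "context": "malware.beacon", "priority": "critical", "status": "open"},
]

# Constructed rows standing in for siem.logtrust.alert.error: evaluations
# that should have produced an alert but did not.
ALERT_ERROR = [
    {"eventdate": "2024-05-01T10:02:00Z", "context": "dns.exfil",
     "error": "query evaluation failed"},
    {"eventdate": "2024-05-01T10:10:00Z", "context": "ssh.bruteforce",
     "error": "query evaluation failed"},
]

# Constructed rows standing in for devo.audit.alert.triggered: every change
# an alert undergoes after generation, deliberately listed out of order.
ALERT_AUDIT = [
    {"eventdate": "2024-05-01T11:00:00Z", "alertId": "a1",
     "field": "status", "newValue": "closed"},
    {"eventdate": "2024-05-01T10:20:00Z", "alertId": "a1",
     "field": "status", "newValue": "acknowledged"},
    {"eventdate": "2024-05-01T10:25:00Z", "alertId": "a1",
     "field": "priority", "newValue": "critical"},
    {"eventdate": "2024-05-01T10:30:00Z", "alertId": "a3",
     "field": "status", "newValue": "acknowledged"},
]


def count_by_context(rows):
    """Rows per alert definition (the assumed `context` column)."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["context"]] += 1
    return dict(counts)


def health_report(info_rows, error_rows):
    """Triggered vs. failed evaluations per alert definition."""
    fired = count_by_context(info_rows)
    failed = count_by_context(error_rows)
    return {ctx: {"triggered": fired.get(ctx, 0), "errors": failed.get(ctx, 0)}
            for ctx in sorted(set(fired) | set(failed))}


def silent_failures(info_rows, error_rows):
    """Definitions that only produced errors in the window.

    Nobody receives a notification for an errored evaluation, so a
    definition that appears in the error table and never in the info
    table is a blind spot that only this kind of check reveals.
    """
    report = health_report(info_rows, error_rows)
    return [ctx for ctx, c in report.items()
            if c["errors"] > 0 and c["triggered"] == 0]


def current_state(info_rows, audit_rows):
    """Latest status and priority of each alert.

    Starts from the values recorded at generation and replays the audit
    changes in time order (ISO-8601 UTC timestamps sort lexically).
    """
    state = {row["alertId"]: {"status": row["status"], "priority": row["priority"]}
             for row in info_rows}
    for change in sorted(audit_rows, key=lambda r: r["eventdate"]):
        state.setdefault(change["alertId"], {})[change["field"]] = change["newValue"]
    return state


if __name__ == "__main__":
    for ctx, counts in health_report(ALERT_INFO, ALERT_ERROR).items():
        print(f"{ctx:20s} triggered={counts['triggered']} errors={counts['errors']}")
    print("silent failures:", silent_failures(ALERT_INFO, ALERT_ERROR))
    for alert_id, fields in current_state(ALERT_INFO, ALERT_AUDIT).items():
        print(alert_id, fields)
```

On the constructed data, ssh.bruteforce shows two triggers and one error (degraded but visible), while dns.exfil appears only in the error table and is reported as a silent failure; the audit replay resolves a1 to status closed with priority critical even though its rows arrive out of order.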

What tasks can be performed in the Alerts overview?

These are the different tasks you can perform in this area. Click on each of them to open the dedicated article:

What permissions do I need?

As there are many different tasks to perform in this area, each in a different context, the set of permissions required is correspondingly granular:

  • To access this area to see triggered alerts, see their details, open their queries, and create comments, you need the View version of the Triggered alerts permission.

    • To change the priority and status of the alerts or create post-filters, you also need the child permission Update status / priority.

  • The Manage version of the Triggered alerts permission allows you to do all the above as well as deleting alerts (more info about permissions here).

  • The actions that imply interacting with the alerts definition will not show unless you have the Manage level of the Alert configuration permission (know more about alert definitions here).

  • Additionally, you need to have alerts assigned to your role (see Assign resources to a role). You will only see triggered alerts for the alert definitions assigned to you, and only with the interaction level specified in the assignment. In other words, the permission grants potential access to triggered alerts, while assigning a specific alert grants the actual access; an action is available only when both allow it.
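The two gates described in this list (the permission level of the role, and the per-alert assignment with its own interaction level) are easy to get wrong when reviewing who can do what. The added example below models that rule so that a role definition can be checked before it is granted; it is an illustration of the rule as described on this page, not Devo's implementation, and the role dictionary shape, the action names and the assignment levels ("view" / "manage") are assumptions.

```python
"""Model of the two-gate access rule for triggered alerts.

Added illustration of the rule described in the text (a permission level
gives potential access, the per-alert assignment gives actual access).
Not Devo's implementation: the role shape, action names and assignment
levels below are assumptions.
"""

# Actions unlocked by each level of the Triggered alerts permission.
# "view_update" stands for View plus the child Update status / priority.
TRIGGERED_ALERT_LEVELS = {
    "view": {"list", "see_details", "open_query", "comment"},
    "view_update": {"list", "see_details", "open_query", "comment",
                    "change_status", "change_priority", "create_post_filter"},
    "manage": {"list", "see_details", "open_query", "comment",
               "change_status", "change_priority", "create_post_filter",
               "delete"},
}

# Actions that touch the alert definition itself; they require Manage on
# the separate Alert configuration permission.
ALERT_CONFIG_ACTIONS = {"edit_definition"}


def effective_actions(role, alert_name):
    """Actions `role` may perform on triggered alerts of `alert_name`.

    `role` is a dict (assumed shape) with:
      triggered_alerts:    "view" | "view_update" | "manage" | None
      alert_configuration: "manage" | None
      assignments:         {alert_name: "view" | "manage"}  (assumed levels)
    """
    assignment_level = role.get("assignments", {}).get(alert_name)
    if assignment_level is None:
        return set()          # not assigned: the alert is not visible at all
    permission_level = role.get("triggered_alerts")
    if permission_level is None:
        return set()          # no Triggered alerts permission: nothing to see
    # Gate 1: what the permission level allows.
    # Gate 2: what the assignment's interaction level allows.
    allowed = (TRIGGERED_ALERT_LEVELS[permission_level]
               & TRIGGERED_ALERT_LEVELS[assignment_level])
    if role.get("alert_configuration") == "manage":
        allowed |= ALERT_CONFIG_ACTIONS
    return allowed


def can(role, alert_name, action):
    """True when `action` passes both gates for this role and alert."""
    return action in effective_actions(role, alert_name)


# Constructed roles used to exercise the rule.
ANALYST = {
    "triggered_alerts": "view_update",
    "alert_configuration": None,
    "assignments": {"ssh.bruteforce": "manage", "dns.exfil": "view"},
}
ADMIN = {
    "triggered_alerts": "manage",
    "alert_configuration": "manage",
    "assignments": {"ssh.bruteforce": "manage"},
}
READ_ONLY = {
    "triggered_alerts": "view",
    "alert_configuration": None,
    "assignments": {"ssh.bruteforce": "manage"},
}

if __name__ == "__main__":
    for name, role in (("analyst", ANALYST), ("admin", ADMIN), ("read_only", READ_ONLY)):
        for alert in ("ssh.bruteforce", "dns.exfil", "malware.beacon"):
            print(f"{name:10s} {alert:15s} {sorted(effective_actions(role, alert))}")
```

The analyst can change the status of ssh.bruteforce alerts (assigned at manage, permission view_update) but not delete them, can only view dns.exfil alerts because that assignment is limited to view, and sees nothing for malware.beacon because it is not assigned; the read-only role is assigned ssh.bruteforce at manage yet still cannot change status, because the permission gate is the lower of the two.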