Alert Inbox


Overview

The Alert Inbox is home to all alerts generated by DefenseStorm GRID through a variety of triggers, such as PatternScout or ThreatMatch. When viewing alerts, you can view each alert individually or group them by trigger type, as shown in the screenshots below.

Individual Alert View
Trigger View

*Clicking either the Alert Name or the Count opens the log data for the alert's contributing events. Note that this takes you away from the Alert Inbox to a filtered view of the Events page.

Handling an Alert 

When an alert fires, it shows up as New in the Alert Inbox. To help keep your inbox clean, you can click the ✓ above the alert name to signify that the alert is no longer new but that remediation has not yet been handled or completed. Once the investigation is complete, set the alert to one of the following Handled States:

  • Escalated generates an incident ticket, which then takes over as the final destination for that alert.
  • Dismissed is the middle ground: the alert is not an incident, but it is not a false positive either.
  • False Positive means the trigger that generated the alert should not have fired; perhaps the query or threshold needs tuning.
  • True Positive is selected when an alert is without a doubt malicious or unauthorized. These metrics are useful for reporting.
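The lifecycle above (New, acknowledged with ✓, then one of the four Handled States) is easy to get wrong when you track dispositions outside the product, for example in a ticketing sync or a weekly tuning report. The following is an added example, not DefenseStorm code and not the GRID API: it models the states named on this page as a small Python state machine, treats Escalated as terminal because the incident ticket becomes the alert's final destination, groups alerts by trigger the way the Trigger View does, and flags triggers whose handled alerts are mostly False Positives as tuning candidates. The alert names, event counts and the 50% false-positive threshold are constructed for illustration.

```python
"""
Toy model of the Alert Inbox lifecycle described above. This is an added
example, not DefenseStorm code or the GRID API: the state names follow the
page, but the transition rules and the tuning heuristic are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Handled states from the page. Escalated opens an incident ticket that becomes
# the alert's final destination, so we treat it as terminal (assumption).
HANDLED_STATES = {"Escalated", "Dismissed", "False Positive", "True Positive"}
TERMINAL_STATES = {"Escalated"}


@dataclass
class Alert:
    name: str
    trigger: str          # e.g. "PatternScout" or "ThreatMatch"
    count: int            # number of contributing events
    state: str = "New"    # New -> Acknowledged -> one of HANDLED_STATES
    history: list = field(default_factory=list)

    def acknowledge(self) -> None:
        """The ✓ action: no longer New, but remediation not yet done."""
        if self.state != "New":
            raise ValueError(f"{self.name}: can only acknowledge a New alert (state={self.state})")
        self._move("Acknowledged")

    def handle(self, new_state: str) -> None:
        """Set a handled state once the investigation is complete.
        Acknowledging first is optional, as on the page."""
        if new_state not in HANDLED_STATES:
            raise ValueError(f"{self.name}: unknown handled state {new_state!r}")
        if self.state in TERMINAL_STATES:
            raise ValueError(f"{self.name}: already escalated; track it on the incident ticket")
        self._move(new_state)

    def _move(self, new_state: str) -> None:
        self.history.append((self.state, new_state))
        self.state = new_state


def inbox_summary(alerts):
    """Group alerts by trigger (the 'Trigger View') and count each state."""
    summary = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        summary[a.trigger][a.state] += 1
    return {t: dict(states) for t, states in summary.items()}


def triggers_needing_tuning(alerts, fp_ratio=0.5):
    """Return triggers whose handled alerts are mostly False Positives.
    The ratio threshold is an assumed heuristic, not a GRID feature."""
    handled = defaultdict(lambda: [0, 0])  # trigger -> [false positives, handled total]
    for a in alerts:
        if a.state in HANDLED_STATES:
            handled[a.trigger][1] += 1
            if a.state == "False Positive":
                handled[a.trigger][0] += 1
    return sorted(t for t, (fp, total) in handled.items() if total and fp / total >= fp_ratio)


def demo():
    # Constructed sample alerts; names and counts are made up for illustration.
    alerts = [
        Alert("Brute force logins", "PatternScout", 42),
        Alert("Off-hours admin activity", "PatternScout", 3),
        Alert("Known-bad IP contact", "ThreatMatch", 7),
        Alert("Known-bad domain lookup", "ThreatMatch", 1),
        Alert("Scheduled scanner noise", "PatternScout", 500),
    ]
    for a in alerts:
        a.acknowledge()
    alerts[0].handle("True Positive")
    alerts[1].handle("False Positive")
    alerts[2].handle("Escalated")
    alerts[3].handle("Dismissed")
    alerts[4].handle("False Positive")
    try:
        alerts[2].handle("Dismissed")   # rejected: escalated alerts live on the incident ticket
        escalation_locked = False
    except ValueError:
        escalation_locked = True
    return inbox_summary(alerts), triggers_needing_tuning(alerts), escalation_locked


if __name__ == "__main__":
    summary, tune, locked = demo()
    for trigger, states in summary.items():
        print(trigger, states)
    print("triggers to tune:", tune, "| escalation locked:", locked)
```

Running the module prints the per-trigger breakdown and reports PatternScout as the trigger to tune, since two of its three handled alerts were marked False Positive. The rejected second `handle()` call on the escalated alert is the check worth keeping in any external tracker: once an incident ticket exists, the alert's state should be read from the ticket rather than edited in the inbox.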

Flowchart

Alert Process Flowchart

Shows how an alert fires from a query, is placed in the Alert Inbox, and is then handled there through investigation and acknowledgment.