Alert Inbox


Overview

The Alert Inbox is home to all alerts generated by DefenseStorm GRID through triggers, PatternScout, or ThreatMatch. Alerts carry different states to help you organize and keep your inbox clean. Each alert links to the log data for its contributing events: click either the Alert Name or the Count. Note that this takes you away from the Alert Inbox to a filtered view of the Events page.

Handling an Alert 

Once an alert fires, it appears as New in the Alert Inbox. During investigation, click the ✓ at the top of the alert to send it to the Acknowledged folder. This signifies that the alert is no longer new but has not yet been handled or completed. Once the investigation is complete, set the alert to one of the Handled states:

  • Escalated generates an incident ticket, which takes over as the final destination for that alert. (Even though it creates an incident, the alert can still be marked as False Positive if that is the end result.)
  • Dismissed is the middle ground: not an incident, but also not a false positive.
  • False Positive means the trigger that generated the alert should not have fired. The query or its thresholds may need tuning, or anomaly detection may have found a deviation that was not malicious.
  • True Positive is selected when an alert is without doubt malicious or unauthorized. The metrics from this option are useful for charts and reporting, showing exactly what DefenseStorm catches and possible trends.
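The workflow above can be modelled as a small state machine, and the handled-state counts used to spot triggers that mostly produce False Positives and therefore need tuning. This is an added illustration, not DefenseStorm code; the trigger names, the direct New to Acknowledged to Handled path, and the 50% tuning threshold are assumptions.

```python
# Hypothetical model of the Alert Inbox triage workflow described above (not DefenseStorm's code).
from collections import Counter, defaultdict
from dataclasses import dataclass, field

NEW, ACKNOWLEDGED = "New", "Acknowledged"
ESCALATED, DISMISSED = "Escalated", "Dismissed"
FALSE_POSITIVE, TRUE_POSITIVE = "False Positive", "True Positive"
HANDLED = {ESCALATED, DISMISSED, FALSE_POSITIVE, TRUE_POSITIVE}

# Allowed transitions (assumed from the documented flow): New -> Acknowledged via the checkmark,
# Acknowledged -> any handled state, and an Escalated alert may still end as a False Positive.
TRANSITIONS = {
    NEW: {ACKNOWLEDGED},
    ACKNOWLEDGED: HANDLED,
    ESCALATED: {FALSE_POSITIVE},
}

@dataclass
class Alert:
    trigger: str                    # trigger / PatternScout / ThreatMatch rule that fired
    state: str = NEW
    history: list = field(default_factory=list)

    def transition(self, new_state: str) -> None:
        """Apply a state change, refusing anything the workflow does not allow."""
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"{self.trigger}: cannot move from {self.state} to {new_state}")
        self.history.append((self.state, new_state))
        self.state = new_state

def tuning_report(alerts, fp_ratio=0.5):
    """Per-trigger outcome counts, plus triggers whose handled alerts are mostly False Positive."""
    counts = defaultdict(Counter)
    for a in alerts:
        if a.state in HANDLED:
            counts[a.trigger][a.state] += 1
    needs_tuning = [t for t, c in counts.items()
                    if c[FALSE_POSITIVE] / sum(c.values()) >= fp_ratio]
    return dict(counts), sorted(needs_tuning)

def demo():
    # Constructed sample: three alerts from a noisy trigger, one from a ThreatMatch rule.
    alerts = [Alert("Impossible travel") for _ in range(3)] + [Alert("ThreatMatch: known bad IP")]
    for a in alerts:
        a.transition(ACKNOWLEDGED)
    alerts[0].transition(FALSE_POSITIVE)
    alerts[1].transition(FALSE_POSITIVE)
    alerts[2].transition(ESCALATED)
    alerts[2].transition(FALSE_POSITIVE)   # incident created, then closed out as a false positive
    alerts[3].transition(TRUE_POSITIVE)
    return tuning_report(alerts)
```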

Flowchart

Alert Process Flowchart

Shows how an alert fires from a query, is placed in the Alert Inbox, and is then handled from there through investigation and acknowledgment.