This playbook provides detailed instructions on best practices for properly utilizing the Alert Inbox. Whether you are a TRAC customer or not, knowing our recommended best practices benefits your network security. For other information about the Alert Inbox, see Using Alerts.
TRAC Customer Alert Inbox Best Practices
If you are a TRAC customer, you may be curious about how TRAC uses your Alert Inbox, and what you could be doing in combination. This section describes how you can work alongside the TRAC team to provide the best network security.
What does TRAC do with my Alert Inbox?
The TRAC Team routinely sorts your Alerts and begins investigating through the associated events for the cause. Once they have worked through an alert, they categorize it:
- Escalated - Additional investigation is needed and may require network changes.
- Dismissed - An alert that has been reviewed and does not need further investigation or assistance.
- False Positive - Should not have fired.
How can I help TRAC?
- Notify them of network changes, patching, or other system changes including the editing of triggers.
- Escalating Alerts lets us know you need assistance.
- If you think an Alert should be categorized as False Positive or Dismissed, instead of categorizing it, send TRAC an email letting them know. This prevents any interference with anomaly detection and incorrect categorization.
Non-TRAC Alert Inbox Best Practices
If you are not a TRAC Team customer, there are many things you can do to help keep your network secure with your Alert Inbox. The plays in this section describe how you and your internal security team can provide the best network security.
The more often the plays in this playbook are implemented, the easier your daily workload is.
Step 1: Open Alert Inbox and Sort Alerts
Routinely sort your Alerts in the manner that best suits your time constraints. For example, if you have time constraints, we recommend sorting your alerts by the highest severity so you analyze the highest priority alerts first.
However, if you have dedicated time to complete all or most alerts each day, we recommend sorting from oldest to newest to provide the best overall picture of recent network activity.
Step 2: View Events Within Alerts
Once alerts have been sorted, select Count to investigate related events.
Step 3: Categorize
After investigation into each Alert, categorize it:
- Escalated - Send to your internal security team.
- Dismissed - The alert does not need additional analysis.
- False Positive - Should not have been flagged as an alert.