Alert Inbox Playbook


Overview

The plays and procedures in this playbook give you insight into how the TRAC Team monitors your alerts. You can also perform these plays on any triggers created internally by your team.

*Please leave all TRAC triggers to be monitored by TRAC to ensure complete protection.

This playbook is designed to provide the necessary steps and optimization plays to accurately and efficiently clear your inbox. The Alert Inbox has many options for filtering, organizing, and handling the alerts; this playbook guides you through them and helps you make the right play for your organization.

  • These are just a few ways to clear your inbox; the number of options is almost limitless!
  • The TRAC team performs very similar plays on your network during daily monitoring.

The Play

Plays...

  1. Sorting
    Determining how you want to sort your Alerts is the first play in the game of Alert Inbox cleaning.

  2. Investigating
    Looking into Event information within an Alert is key to handling it properly.

  3. Handling
    The final play is to put your Alert into a "bucket" for remediation to begin.




Procedure

1. Sorting

When deciding how to sort your Alerts, there are four options: newest, oldest, highest priority, and lowest priority. Below are some use cases for each.

  • Newest - initial scan for the day
  • *Oldest - most common for daily alert clearing, because these Alerts have gone the longest without being reviewed
  • Highest - on a Saturday, or right before a meeting
  • Lowest - quick clearing
    Note: Be sure to do a quick evaluation of each Alert to confirm it really is low priority before clearing it.

2. Investigating

Now that the Alerts have been sorted based on your monitoring needs, it's time to open the events and do some research to determine their validity, level of importance, and where they go next.

  1. Click the Alert count to open the events. Expand the search window to 7 or 30 days.
  2. Look for spikes or flatlines in the event volume over that window.
  3. Fields to aggregate on...
    1. ip_src, ip_dest, app_name, geo dest port, geo src country, geo dest country. Look up external ip_src and ip_dest values using a threat analysis site such as Watchguard.
    2. For internal IPs, search within the Events page to determine how often and for how long each has been seen.
    3. Rate the IPs within the GRID.
  4. Now it's time to handle the Alert; proceed to the final play.
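The investigating steps above (widen the window, look for spikes or flatlines, aggregate on the listed fields, and split internal IPs from external ones that need a reputation lookup) as an added Python example. This is not the playbook's or the product's own code: the event records, the field keys (ip_src, ip_dest, app_name, dest_port, geo_src_country, geo_dest_country), the 7-day window, and the spike threshold of mean plus two standard deviations are all constructed assumptions for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample data, not real alert events. One Alert's events over a
# 7-day window; field keys mirror the playbook's aggregation fields (assumed).
START = date(2024, 1, 1)

def _ev(day, ip_src, ip_dest, app_name, dest_port, src_cc, dest_cc):
    return {"day": START + timedelta(days=day), "ip_src": ip_src, "ip_dest": ip_dest,
            "app_name": app_name, "dest_port": dest_port,
            "geo_src_country": src_cc, "geo_dest_country": dest_cc}

EVENTS = (
    [_ev(0, "10.0.0.5", "203.0.113.10", "ssl", 443, "US", "US") for _ in range(3)]
    + [_ev(1, "10.0.0.5", "203.0.113.10", "ssl", 443, "US", "US") for _ in range(3)]
    + [_ev(2, "10.0.0.7", "198.51.100.20", "dns", 53, "US", "DE") for _ in range(2)]
    + [_ev(3, "10.0.0.5", "203.0.113.10", "ssl", 443, "US", "US") for _ in range(3)]
    # day 4: a burst from one internal host to one external address (the "spike")
    + [_ev(4, "10.0.0.9", "192.0.2.77", "http", 8080, "US", "RU") for _ in range(40)]
    # day 5: the trigger fires nothing at all (the "flatline")
    + [_ev(6, "10.0.0.7", "198.51.100.20", "dns", 53, "US", "DE") for _ in range(2)]
)

# RFC 1918 ranges define "internal" here; the product's own asset list would be
# the authoritative source in practice.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def aggregate(events, field):
    """Count events per distinct value of one field (the 'aggregate on' step)."""
    return Counter(e[field] for e in events)

def daily_counts(events, days=7):
    """Event volume per day across the widened search window, zero-filled."""
    counts = {START + timedelta(days=d): 0 for d in range(days)}
    for e in events:
        counts[e["day"]] += 1
    return counts

def spikes_and_flatlines(counts, z=2.0):
    """Days whose volume exceeds mean + z*stdev, and days with no events."""
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    spikes = [d for d, n in counts.items() if sigma and n > mu + z * sigma]
    flatlines = [d for d, n in counts.items() if n == 0]
    return spikes, flatlines

def split_ips(events):
    """Internal IPs go to an on-platform frequency search; external IPs go to a
    reputation lookup. Returns (internal, external) as sorted lists."""
    internal, external = set(), set()
    for e in events:
        for field in ("ip_src", "ip_dest"):
            addr = ip_address(e[field])
            bucket = internal if any(addr in n for n in RFC1918) else external
            bucket.add(e[field])
    return sorted(internal), sorted(external)

def investigate(events):
    """Run the three research steps and return a summary for the handling play."""
    spikes, flatlines = spikes_and_flatlines(daily_counts(events))
    internal, external = split_ips(events)
    top = {f: aggregate(events, f).most_common(1)[0]
           for f in ("ip_src", "ip_dest", "app_name", "dest_port",
                     "geo_src_country", "geo_dest_country")}
    return {"spikes": spikes, "flatlines": flatlines,
            "internal_ips": internal, "external_ips_to_lookup": external, "top": top}

if __name__ == "__main__":
    for k, v in investigate(EVENTS).items():
        print(f"{k}: {v}")
```

The summary is what you carry into the handling play: a spike on a single day from one internal host to one external address in an unusual country is a stronger escalation candidate than a steady, flat baseline that matches normal business traffic.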

3. Handling

Handling an Alert based on your previous research allows for the most efficient and accurate remediation process. For information on Alerts, see our Alert Inbox Article.

  • Escalate to Incident - send to TRAC for review
    TRAC becomes the owner of the Incident, reviews it, and reaches back out if further action is needed on your part.
  • Dismiss - it is not a concern
    No further action is necessary; the Alert remediation process has been closed.
  • False Positive - should not have fired
    No further action is necessary; the Alert remediation process has been closed.
  • True Positive - is a genuine security threat, good for reference
    After an Alert is marked True Positive, it can still be escalated as an Incident for TRAC review, or as a Task if you know exactly what needs to be done for remediation.