Alert Inbox Playbook


Overview

The plays and procedures in this playbook give you insight into how the DefenseStorm TRAC Team monitors your alerts. You can also run these plays against any triggers your own team has created.

*Leave all TRAC triggers for TRAC to handle, so that coverage stays complete.

This playbook provides the steps and optimization plays you need to clear your inbox accurately and efficiently. The Alert Inbox has many options for filtering, organizing, and handling alerts; this playbook guides you through them and helps you choose the right play for your organization.

  • Keep in mind that these are only a few of the ways to clear your inbox; the number of options is almost limitless.
  • The TRAC team performs very similar plays during its daily monitoring of your network.

The Play

Plays...

  1. Sorting
    Determining how you want to sort your alerts is the first play in the game of Alert Inbox clearing.

  2. Investigating
    Looking into log data within an alert is key to handling it properly.

  3. Handling
    The final play is to put your alert into a "bucket" for remediation.

Procedure

Procedure

1. Sorting  

When deciding how to sort your alerts, you have several options. The first choice is whether you want to see each individual alert or have alerts grouped by trigger. Within the selected view, you can then sort by newest, oldest, highest priority, or lowest priority.

  Individual Alert View: A specific list of which alerts fired, and at exactly what times.
  Trigger View:          A grouped list of how many alerts fired per trigger.


Below are some examples of when you may want to use each sort order:

  • Newest - initial scan for the day
  • *Oldest - the most common choice for daily alert clearing, because these alerts have gone the longest without being reviewed
  • Highest - when time is short, for example on a Saturday or right before a meeting
  • Lowest - quick clearing
    Note: Before clearing, do a quick evaluation of each alert to confirm it really is low priority.

2. Investigating

Now that the alerts are sorted to match your monitoring needs, it's time to open the events and do some research to determine their validity, their level of importance, and where they go next.

  1. Click the Alert Count to open the events. Using the calendar feature, expand the search window to 7 or 30 days.
  2. Look for anomalies, including spikes (far more events than usual on one day) or flatlines (a trigger that normally fires going silent).
  3. Aggregate on the most useful fields:
    1. ip_src, ip_dest, app_name, geo dest port, geo src country, geo dest country. Look up external ip_src and ip_dest values using a threat analysis site such as Watchguard (private RFC 1918 addresses return nothing useful from a reputation lookup).
    2. For internal IPs, search within the Events page to determine how often and for how long each one has been seen.
    3. Rate the IPs within the GRID.
  4. Now it's time to handle the alert; proceed to the final play.
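The steps above can be worked offline against an export of a trigger's events. The following is an added example, not DefenseStorm code: it builds a constructed 30-day sample for one trigger, zero-fills a daily histogram so spikes and flatlines stand out, aggregates the fields named in step 3, reports how often and for how long each source IP has been seen, and separates the external addresses you would hand to a reputation lookup. The field names (timestamp, ip_src, ip_dest, app_name, dest_port, geo_src_country, geo_dest_country) and the window start date are assumptions to adapt to your own Events page export; the GRID rating and the threat-intel lookup themselves are left to you.

```python
"""Offline helpers for the 'Investigating' play.

Added example, not DefenseStorm code. The events are constructed, and the
field names ip_src, ip_dest, app_name, dest_port, geo_src_country and
geo_dest_country are assumed to mirror the aggregation fields the playbook
lists; adapt them to an export from the Events page.
"""
from collections import Counter
from datetime import date, datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# RFC 1918 only. ipaddress.is_private also matches documentation ranges
# such as 203.0.113.0/24, which would hide the sample "external" address.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

WINDOW_START = datetime(2024, 3, 1)   # assumed: first day of the 30-day search


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def make_events() -> list[dict]:
    """Constructed 30 days of one trigger's events: a steady internal
    background of 2/day, a silent day 14, and an external burst on day 27."""
    events = []
    for day in range(30):
        ts = WINDOW_START + timedelta(days=day, hours=9)
        if day != 14:
            for _ in range(2):
                events.append({"timestamp": ts, "ip_src": "10.20.30.40",
                               "ip_dest": "10.0.0.5", "app_name": "sshd",
                               "dest_port": 22, "geo_src_country": "",
                               "geo_dest_country": "US"})
        if day == 27:
            for minute in range(40):
                events.append({"timestamp": ts + timedelta(minutes=minute),
                               "ip_src": "203.0.113.9", "ip_dest": "192.168.1.10",
                               "app_name": "sshd", "dest_port": 22,
                               "geo_src_country": "NL", "geo_dest_country": "US"})
    return events


def daily_counts(events, start=WINDOW_START, days=30) -> dict[date, int]:
    """Events per calendar day, zero-filled so silent days are visible."""
    counts = {(start + timedelta(days=d)).date(): 0 for d in range(days)}
    for ev in events:
        day = ev["timestamp"].date()
        if day in counts:
            counts[day] += 1
    return counts


def find_anomalies(counts: dict[date, int], z: float = 3.0):
    """Spikes: days more than z standard deviations above the mean.
    Flatlines: days with no events at all for a trigger that normally fires."""
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    spikes = [d for d, c in counts.items() if sigma and c > mu + z * sigma]
    flatlines = [d for d, c in counts.items() if c == 0]
    return spikes, flatlines


def top_values(events, field: str, n: int = 5):
    """Aggregate a field the way the inbox does; blank geo values are skipped."""
    return Counter(ev[field] for ev in events if ev[field] != "").most_common(n)


def ip_summary(events, field: str = "ip_src") -> dict:
    """How often and for how long each IP has been seen, flagged internal/external."""
    summary = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ip = ev[field]
        entry = summary.setdefault(ip, {"count": 0, "first_seen": ev["timestamp"],
                                        "internal": is_internal(ip)})
        entry["count"] += 1
        entry["last_seen"] = ev["timestamp"]
    return summary


def external_ips_to_lookup(events) -> list[str]:
    """Public addresses in either direction: the ones to check against a
    reputation service before rating them."""
    ips = {ev[f] for ev in events for f in ("ip_src", "ip_dest")}
    return sorted(ip for ip in ips if not is_internal(ip))


if __name__ == "__main__":
    evs = make_events()
    spikes, flats = find_anomalies(daily_counts(evs))
    print("spikes:", spikes, "flatlines:", flats)
    print("src countries:", top_values(evs, "geo_src_country"))
    for ip, info in ip_summary(evs).items():
        print(ip, info)
    print("look up:", external_ips_to_lookup(evs))
```

Two design points: the histogram is zero-filled deliberately, because a flatline is invisible if you only count the days that have events; and the internal check uses the RFC 1918 networks explicitly rather than `ipaddress.is_private`, which also treats documentation and test ranges as private and would misclassify the sample external address.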

3. Handling

Handling an alert based on your previous research allows for the most efficient and accurate remediation process. For additional information on alerts, see our Alert Inbox Article.

  • Escalate to Incident - send to TRAC for review
    TRAC becomes the owner of the Incident, reviews it, and reaches back out if further action is needed on your part.
  • Dismiss - it is not a concern
    No further action is necessary; the remediation process is closed.
  • False Positive - the alert should not have fired
    No further action is necessary; the remediation process is closed.
  • True Positive - the alert is a genuine security threat
    After an alert is marked as a true positive, it can still be escalated as an Incident for TRAC review, or turned into a task if you know exactly what needs to be done for remediation.