The default view for your environment is set to Alert. This view shows you all of your alerts and can be organized by category. You can also view your provider data, including the Classification and Severity that your third-party source provides.
In the Alert view you can access an in-depth view of a specific alert.
- Click an alert to display the Alert Timeline.
- In the Alert Timeline you can review:
  - The alert summary and severity
  - The native identifier
  - JSON data
  - Analysis context
  - Correlation information
  - Details about the investigation
  - The endpoint, user, and other system activities that are correlated to the alert
- When you are finished reviewing the alert, you can review the next alert underneath or close the Alert Timeline tab to go back to the original alert view.
The Provider section in the Alert tab details the classification, severity, and source of an alert from your third-party security product.
- Classification—The classification of the alert as designated by the provider.
- Severity—The severity assigned to an alert by the provider.
- Source—The provider source of the alert. Click on a source to go to the Alert Sources landing page. Here you can make changes to the alert source.
The Endpoint tab displays the number of alerts within your search criteria broken down by associated endpoints.
- Endpoints—Click an endpoint to go to the Endpoints landing page. Here you can review the details of an endpoint.
- Alerts—Click this number to go back to the Alerts view and add search criteria for this endpoint. From here you can review every alert associated with that endpoint and review the Alert Timeline.
- Status—Click any of these numbers to go back to the Alerts view and add search criteria for this endpoint with a specific status (New, Investigating, Analysis Complete, Resolved). From here you can review every alert associated with that endpoint and status and review the Alert Timeline.
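The Provider section and the Endpoint tab described above are two views over the same alert records: the Provider fields travel with each alert unchanged from the third-party source, while the Endpoint tab is a per-endpoint count broken down by the platform's own triage status. The following example, added here and not code from the product or its vendor, models that with a small set of constructed alerts. The field names (`native_id`, `provider.classification`, `endpoint`, `status`), the source names, and the `criteria` callback that stands in for the search criteria are all assumptions for illustration.

```python
"""Model of the Alert view: provider fields carried per alert, plus the
Endpoint tab's per-endpoint / per-status counts derived from the same records.
Added example with constructed data; field names are assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Triage statuses named on the page (platform-owned, distinct from provider severity).
STATUSES = ("New", "Investigating", "Analysis Complete", "Resolved")


@dataclass(frozen=True)
class Provider:
    """Classification, severity and source exactly as the third-party product sent them."""
    classification: str
    severity: str
    source: str


@dataclass(frozen=True)
class Alert:
    native_id: str          # identifier assigned by the provider
    summary: str
    severity: str           # platform severity shown in the Alert Timeline
    status: str             # one of STATUSES
    endpoint: str
    user: Optional[str]
    provider: Provider
    raw_json: Dict = field(default_factory=dict)  # the JSON data shown in the timeline

    def __post_init__(self) -> None:
        if self.status not in STATUSES:
            raise ValueError(f"unknown status {self.status!r}")


def endpoint_breakdown(alerts: Iterable[Alert],
                       criteria: Optional[Callable[[Alert], bool]] = None) -> Dict[str, Dict]:
    """Build the Endpoint tab: for each endpoint, total alerts matching the search
    criteria and a count per status. Every status is present, even when zero."""
    result: Dict[str, Dict] = {}
    for a in alerts:
        if criteria is not None and not criteria(a):
            continue
        entry = result.setdefault(a.endpoint, {"alerts": 0, "status": {s: 0 for s in STATUSES}})
        entry["alerts"] += 1
        entry["status"][a.status] += 1
    return result


def alerts_for_endpoint(alerts: Iterable[Alert], endpoint: str,
                        status: Optional[str] = None) -> List[Alert]:
    """What clicking an Alerts or Status count does: narrow the Alerts view to one
    endpoint, optionally to one status, so each alert's timeline can be reviewed."""
    return [a for a in alerts
            if a.endpoint == endpoint and (status is None or a.status == status)]


def provider_summary(alerts: Iterable[Alert]) -> Counter:
    """Counts per (source, classification, provider severity), i.e. the Provider
    section rolled up across the current result set."""
    return Counter((a.provider.source, a.provider.classification, a.provider.severity)
                   for a in alerts)


# Constructed sample data (not real alerts); source names are placeholders.
EDR = "edr-source-A"
FW = "firewall-source-B"
SAMPLE_ALERTS: List[Alert] = [
    Alert("edr-1001", "Known malware hash", "High", "New", "ws-01", "alice",
          Provider("Malware", "high", EDR), {"sha256": "<constructed>"}),
    Alert("edr-1002", "Suspicious child process", "Medium", "Investigating", "ws-01", "alice",
          Provider("Suspicious Process", "medium", EDR)),
    Alert("fw-2001", "Outbound policy violation", "Low", "Resolved", "ws-01", None,
          Provider("Policy Violation", "low", FW)),
    Alert("edr-1003", "Known malware hash", "High", "New", "srv-02", "svc-backup",
          Provider("Malware", "high", EDR)),
    Alert("fw-2002", "Inbound port scan", "Medium", "Analysis Complete", "srv-02", None,
          Provider("Port Scan", "medium", FW)),
]


if __name__ == "__main__":
    for ep, row in endpoint_breakdown(SAMPLE_ALERTS).items():
        print(ep, row["alerts"], row["status"])
    # Same tab after narrowing the search criteria to one provider source.
    print(endpoint_breakdown(SAMPLE_ALERTS, criteria=lambda a: a.provider.source == EDR))
    print(provider_summary(SAMPLE_ALERTS).most_common(2))
```

The `criteria` callback is the only moving part: the per-endpoint totals and the per-status counts are recomputed from whatever subset it selects, which mirrors how the Alerts and Status links on the Endpoint tab simply add an endpoint (and status) filter to the Alerts view rather than reading a separately stored number.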