You can use external alerts to configure your search criteria and review detailed information about your alerts, endpoints, and identities.

Estimated reading time: 10 minutes

• Configure search criteria
• Change your analysis view between alerts and endpoints
• Review the Alert Timeline
  

Configure search criteria

Use search criteria to set your parameters when it comes to what alerts you are interested in reviewing. 

1. From your Red Canary dashboard, click Alerts.
2. With search criteria you can filter alerts by the following:
   
   • Alert ID
   • Status
   • Assigned To
   • End Point or Device
   • Identity
   • Process Correlation
   • Date Issued
   • Provider Classification
   • Provider Source
   • Provider Severity
   • Raw Data Contains
     

     Note: Red Canary includes six search criteria by default to display alerts which are not resolved and may require further user action. You can remove any unwanted search criteria by deselecting the search criteria’s checkbox, and then clicking Search. 

     The default criteria include:

     • Status: Analysis Complete: Threat 
     • Status: Analysis Complete: Highly Suspicious
     • Status: Analysis Complete: Suspicious
     • Status: Analysis Complete: Not a Threat
     • Status: Investigating
     • Status: New
3. Fill in your required information, and then click Search. The new search criteria you applied will appear below the search dropdown. 
   

   Note: To update the search results, click Search each time you add new criteria, otherwise your search criteria will not update.
   
   

4. Remove any unwanted search criteria by deselecting the search criteria’s checkbox, and then click Search.
   
   
5. Optionally, select Use advanced search to turn on the advanced search function. 
6. Type and search for the alert you want to filter. 
7. Once selected, click Search. The new search criteria you applied will appear below the search dropdown. Note: To update search results, click Search each time you add new criteria.
   

Change analysis view

You can view your alerts environment by clicking specific tabs for an alert or endpoint.

Alert tab

The default view for your environment is set to Alert. This view shows you all of your alerts and can be organized by category. You can also view your provider data, including the Classification and Severity that your third party source provides.

Alert Timeline

In the Alert view, you can access an in-depth view of a specific alert. 

1. Click an alert to display the Alert Timeline.
   
   
2. In the Alert Timeline, you can review:
   • The alert summary and severity
   • The native identifier
   • JSON data
   • Analysis context
   • Correlation information
   • Details about the investigation
   • The endpoint, user, and other system activities that are correlated to the alert
     
3. When you are finished reviewing the alert, you can review the next alert underneath or close out the Alert Timeline tab to go back to the original alert view.

Provider Details

The Provider section in the Alerts tab details the classification, severity, and source of an alert from your third party security product.

• Classification—The classification of the alert as designated by the provider.
  
  
• Severity—The severity assigned to an alert by the provider.
  
  
• Source—The provider source of the alert. Click on a source to go to the Alert Sources landing page. Here you can make changes to the alert source.

Endpoint tab

The Endpoints tab displays the number of alerts within your search criteria broken down by associated endpoints.

Category Highlights

• Endpoints—Click on an endpoint and you will be taken to the Endpoints landing page. Here you can review the details of an endpoint.
  
• Alerts—Click this number to go back to the Alerts view and add search criteria for this endpoint. From here you can review every alert associated with that endpoint and review the Alert Timeline.
  
• Status—Click any of these numbers to go back to the Alerts view and add search criteria for this endpoint with a specific status (New, Investigating, Analysis Complete, Resolved). From here you can review every alert associated with that endpoint and status and review the Alert Timeline.