Managing detection alerts

The Detections page displays all detection alerts. From the Alerts table, you can change an alert’s status, and start investigating and analyzing alerts in Timeline.

From Timeline, you can create cases to track issues and share information with colleagues.

To view detection alerts created by a specific rule, you can:

  • Filter for a specific rule in the KQL bar (for example, signal.rule.name :"SSH (Secure Shell) from the Internet").
  • View detection alerts in the Rule details page (click Manage detection rules → rule name in the All rules table).

KQL autocomplete for .siem-signals-* indices is available on the Detections and Rule details pages, and in Timeline when either All or Detection alerts is selected.

Use the icons in the upper left corner of the Alerts table to customize displayed columns and row renderers, and view the table in full screen mode.

Change alert statuses

You can set an alert’s status to indicate whether it still needs to be investigated (Open), is under active investigation (In progress), or has been resolved (Closed). By default, the Alerts table displays open alerts. To view alerts with other statuses, click In progress or Closed.

To change alert statuses, either:

  • In the alert’s row, click the more options icon, and then select the required status (Mark in progress, Close alert, or Open alert).
  • In the Alerts table, select all the alerts you want to change, and then select Take action → Close selected, Open selected, or Mark in progress.

Send alerts to Timeline

To view an alert in Timeline, click the Investigate in timeline icon.

When you send an alert generated by a threshold rule to Timeline, all matching events are listed in the Timeline, even ones that did not reach the threshold value. For example, if you have an alert generated by a threshold rule that detects 10 failed login attempts, when you send that alert to Timeline all failed login attempts detected by the rule are listed.

If the rule that generated the alert uses a Timeline template, when you investigate the alert in Timeline, the dropzone query values defined in the template are replaced with their corresponding alert values.

Example

This Timeline template uses the host.name: "{host.name}" dropzone filter in the rule. When alerts generated by the rule are investigated in Timeline, the {host.name} value is replaced with the alert’s host.name value. If the alert’s host.name value is Windows-ArsenalFC, the Timeline dropzone query is host.name: "Windows-ArsenalFC".
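The two behaviours described above (a threshold alert sent to Timeline lists every event matching the rule query, and a Timeline template’s {field} placeholders are filled from the alert) are illustrated below in an added Python example. It is not Elastic’s code: the event documents, the rule query (failed authentication events grouped by host.name with a threshold of 10), the placeholder syntax and the helper functions are all constructed for this illustration.

```python
"""Added illustration (not Elastic's code): threshold alerts vs. the events a
Timeline shows, and Timeline-template placeholder substitution.

Everything here is constructed for the example: the ECS-shaped events, the
rule query (event.category:authentication and event.outcome:failure, grouped
by host.name, threshold 10) and the {field.name} placeholder syntax."""
import re
from collections import Counter


def _login(host, outcome, user):
    """Build a constructed ECS-like authentication event."""
    return {"host": {"name": host},
            "event": {"category": "authentication", "outcome": outcome},
            "user": {"name": user}}


# Constructed sample telemetry: one host reaches the threshold, one does not.
EVENTS = (
    [_login("Windows-ArsenalFC", "failure", "admin") for _ in range(10)]  # 10 failures
    + [_login("build-01", "failure", "ci") for _ in range(3)]            # 3 failures
    + [_login("build-01", "success", "ci"),
       _login("Windows-ArsenalFC", "success", "admin")]                  # successes
)


def get_field(doc, dotted):
    """Resolve a dotted ECS field name such as "host.name" against a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(dotted)
        cur = cur[part]
    return cur


def _nested(dotted, value):
    """Inverse of get_field: build {"host": {"name": value}} from "host.name"."""
    out = value
    for part in reversed(dotted.split(".")):
        out = {part: out}
    return out


def rule_query_matches(event):
    """Assumed rule query: failed authentication events."""
    return (get_field(event, "event.category") == "authentication"
            and get_field(event, "event.outcome") == "failure")


def run_threshold_rule(events, threshold=10, group_by="host.name"):
    """Emit one alert per group whose count of matching events reaches the threshold."""
    counts = Counter(get_field(e, group_by) for e in events if rule_query_matches(e))
    alerts = []
    for value, n in counts.items():
        if n >= threshold:
            alert = _nested(group_by, value)
            alert["signal"] = {"threshold_result": {"count": n}}
            alerts.append(alert)
    return alerts


def investigate_in_timeline(events):
    """What sending a threshold alert to Timeline shows: every event matching the
    rule query, including events from hosts that never reached the threshold."""
    return [e for e in events if rule_query_matches(e)]


PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.]+)\}")


def render_timeline_template(template, alert):
    """Replace each {field.name} dropzone placeholder with the alert's value.
    A placeholder naming a field the alert lacks raises KeyError rather than
    silently producing a query that matches nothing."""
    return PLACEHOLDER.sub(lambda m: str(get_field(alert, m.group(1))), template)


def filter_by_field(events, dotted, value):
    """Apply the rendered dropzone filter: keep events whose field equals value."""
    return [e for e in events if get_field(e, dotted) == value]


if __name__ == "__main__":
    alerts = run_threshold_rule(EVENTS)
    print("alerts:", alerts)                                   # one alert, count 10
    print("timeline rows:", len(investigate_in_timeline(EVENTS)))   # 13, not 10
    query = render_timeline_template('host.name: "{host.name}"', alerts[0])
    print("rendered dropzone:", query)
    print("rows for alert host:",
          len(filter_by_field(investigate_in_timeline(EVENTS), "host.name",
                              get_field(alerts[0], "host.name"))))
```

Run as a script it prints one alert (Windows-ArsenalFC, count 10), 13 Timeline rows (the three build-01 failures appear although that host never reached the threshold), the rendered dropzone query host.name: "Windows-ArsenalFC", and 10 rows once that filter is applied.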

See Investigating events in Timeline for information on creating Timelines and Timeline templates. For information on how to add Timeline templates to rules, see Creating detection rules.

Add rule exceptions

You can add exceptions to the rule that generated the alert directly from the Alerts table. Exceptions prevent a rule from generating alerts even when its criteria are met.

To add an exception, click the actions icon (three dots) and then select Add exception.

For information about exceptions and how to use them, see Rule exceptions and value lists.

Visually analyze process relationships

For process events received from the Elastic Endpoint agent, you can open a visual mapping of the relationships and hierarchy connecting related processes. For more information, see Visual event analyzer.