Alert Management

Introduction

This document explains the Threat Management module. The Threat Management module groups all alerts that are generated by the correlation engine. For more information about correlation engines, refer to <link>.

Alerts

The Alerts section under the Threat Management module groups all the alerts detected by the various systems and correlation rules used by the application.

To open the Alerts window, follow the steps below:

  1. On the UTMSTACK home page, click Threat Management.

A drop-down list opens.

  2. Select Alerts.

The Alerts window opens, as shown below.


Figure 1: Manage Alert Window

Understanding Alerts Module

Alerts is an interactive module where you can manage alerts by using various filters, rules, tags, and many more features. To better understand the Alerts module, refer to Figure 1. The figure is highlighted with different colors and numbers.

Filters Pane

The Filters pane is present on the left-hand side of the Alerts window. In Figure 1, it has been highlighted in red and numbered as 1.

The Filters pane offers various ways to filter the alerts shown in the Alerts window. It helps you find the specific alerts that you need to see or investigate further. Figure 2 shows the Filters pane.


Figure 2: Filters Pane

Adding or Removing Filters in the Filters Section

In the Filters pane, you can filter the alerts by Rule, Severity, Category, Sensor, or Tags. These are default filters that are shown in the Filters pane. You can add more filters to display in the Filters pane.

To add or remove filters in the Filters pane, follow the steps below:

  1. Click the configuration icon located on the top right-hand side of the Filters

The Manage filters floating window opens, as shown in Figure 3.


Figure 3: Manage filters Window

  2. Select the desired filter in the list of Inactive filters.

The filter name is highlighted.

  3. Click the icon to add the selected filter in the Visible filters

The filter is added to the Visible filters list and displayed in the Filters pane.

  4. (Optional) In the Visible filters section, you can change the order of filters by dragging and dropping them.

These filters are visible in the same order in the Filters pane.

Using Various Filters in the Filters Section

You can filter alerts by Rule, Severity, Category, Sensor, or Tags. Also, you can add more filters to use, as explained in the above section.

For any filter, you can either scroll and look for the desired alert OR type a query in the Search in values field to search for a specific alert, as shown in Figure 4.


Figure 4: Filters and Search fields

Time Filters

Time filters display alerts for a specific time range. The Alerts module has many time filters to select from, including a custom time range filter. For example, you can see alerts that have been generated in the last 30 days, 7 days, 24 hours, or 1 hour.

To use the time filters, follow the steps below:

  1. Click the date icon located at the top of the alerts table.

A drop-down list opens.


Figure 5: Time filters

  2. Choose from the following time filter options:
  • Last: A drop-down list to choose a time filter from:


  • Commonly used: It lists the commonly used time filters.
  • Custom range: It lets you select the time range in yyyy-mm-dd Hours:Minutes:Seconds format. It has Time from and Time to fields to create the custom range:


  3. The table displays the alerts for the selected time filter.

Adding or Removing Columns in the Alerts table

The default columns in the Alerts table are Rule, Severity, Status, Time, Sensor, Source IP, Destination IP, as shown in Figure 6.


Figure 6: Alerts table

However, you can add or remove columns in the Alerts table to only show details that you want to see.

To add or remove columns in the Alerts table, follow the steps below:

  1. Click the icon located on the top left-hand side of the Alerts table.

The Manage columns floating window opens, as shown in Figure 7.


Figure 7: Manage columns window

  2. Select the desired columns in the list of Inactive columns.

The column name is highlighted.

  3. Click the icon to add the selected column in the Visible columns

The column is added to the Visible columns list and displayed in the Alerts table.

  4. (Optional) In the Visible columns section, you can change the order of columns by dragging and dropping them.

These columns are visible in the same order in the Alerts table.

Various Status filters

You can also filter alerts based on their status. The following are the different alert statuses:


Figure 8: Status filter

All: When selected, lists all alerts.

Open: Lists all Open alerts. Open alerts are not

In review: Lists all alerts that are In review.

Ignored: Lists alerts that are ignored. You can mark an alert as Ignored if you do not want to receive that type of alert or if it is deemed unimportant.

Completed: Lists all Completed alerts.

Converting an Open Alert into an Ignored Alert

To convert an Open alert into an Ignored alert, follow the steps below:

  1. For any Open alert, click the Open

A pop-up list opens, as shown below.


Figure 9: Ignored alert

  2. Click Ignore.

The Ignore alert pop-up window opens.


Figure 10: Ignore alert window

  3. Click Apply status.

The alert is converted into an Ignored alert and appears in the Ignored category.

Reporting and Compliance Functions

These functions help you manage reports and compliance, as explained below.


Figure 11: Functions

Save report: Click Save report to export the alert report in *.csv format. When you click Save report, the Save report dialog box opens, where you can set a time filter and limit the number of alerts in the exported report.

Manage tags: Manages tags. You can create, edit, or assign multiple tags.

View rules: Manages the rules that have been created in the correlation engine for the Ignored alerts. For example, if you wish to remove a rule for ignored alerts because you think they now need attention or you had mistakenly ignored them, you can do so in View rules.

View documentation: Documentation is the information shown to the user for every alert. It matches the Summary and Next steps sections that you see when you open an alert, as shown in Figure 12.
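As an added example (not UTMStack's own code), the following Python script post-processes an alert report exported with Save report, applying the same kind of Last-N-hours time filter and Status filter that the Alerts window offers and counting the result by severity. The CSV layout, the timestamp format, and the sample rows are assumptions constructed for this example; the column names, status values, and severity levels are those documented on this page.

```python
# Added example, not UTMStack code: post-process an alerts report exported
# with Save report (*.csv) using the default Alerts table columns. The CSV
# layout and the ISO-8601 time format are assumptions; rows are constructed.
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_CSV = """Rule,Severity,Status,Time,Sensor,Source IP,Destination IP
Brute force login,High,Open,2024-05-01T10:15:00Z,sensor-01,203.0.113.5,10.0.0.12
Port scan,Medium,In review,2024-05-01T08:00:00Z,sensor-02,198.51.100.7,10.0.0.20
Brute force login,High,Ignored,2024-04-20T09:00:00Z,sensor-01,203.0.113.5,10.0.0.12
Malware download,High,Open,2024-04-29T23:30:00Z,sensor-03,192.0.2.9,10.0.0.31
Port scan,Low,Completed,2024-04-15T12:00:00Z,sensor-02,198.51.100.8,10.0.0.20
"""

# Status and Severity values as documented for the Alerts module.
STATUSES = {"Open", "In review", "Ignored", "Completed"}
SEVERITIES = {"Low", "Medium", "High"}

def parse_time(value):
    # Assumed UTC timestamp format of the export.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_report(text):
    # Read the export and reject rows with values the UI cannot produce.
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Status"] not in STATUSES or row["Severity"] not in SEVERITIES:
            raise ValueError(f"unexpected Status/Severity in row: {row}")
        row["Time"] = parse_time(row["Time"])
        rows.append(row)
    return rows

def filter_alerts(rows, now_iso, last_hours=None, status=None):
    # Mimic the 'Last ...' time filter and the Status filter of the Alerts window.
    cutoff = parse_time(now_iso) - timedelta(hours=last_hours or 0)
    kept = []
    for row in rows:
        if last_hours is not None and row["Time"] < cutoff:
            continue  # older than the selected time range
        if status is not None and row["Status"] != status:
            continue
        kept.append(row)
    return kept

def count_by_severity(rows):
    # Summarise the filtered alerts by severity level, as a triage report would.
    counts = {level: 0 for level in ("Low", "Medium", "High")}
    for row in rows:
        counts[row["Severity"]] += 1
    return counts
```

Calling `count_by_severity(filter_alerts(parse_report(SAMPLE_CSV), "2024-05-01T12:00:00Z", 24, "Open"))` on the constructed rows yields one High alert, the Open alert within the last 24 hours.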

Opening and Investigating an Alert

To open and read an alert for further investigation, follow the steps below:

  1. Click the Threat Management tab and select Alerts.

The alerts table opens as shown in Figure 1.

  2. Click on any alert that you want to investigate.

A new window pane opens on the right-hand side, as shown in Figure 12.


Figure 12: Log window

  3. The new log window pane has the following information fields:

Summary: Tells the nature of the alert, for example 'potentially malicious activity' or 'highly important event'.

Next Steps: Explains the steps to be followed to investigate or resolve the issue.

Detail:
  • Rule
  • ID: Shows the number of logs for an alert. When clicked, it redirects to the Log Explorer window to show all the logs for the alert. For more information on Log Explorer, refer to the Log Explorer documentation.
  • Status: Shows the status of the alert. An alert can be in Open, In review, Ignored, or Completed status.
  • Severity: Shows the severity of the alert. There are Low, Medium, and High levels of severity.
  • Comment: Comments are for tracking purposes. You can leave a comment for others for tracking or compliance purposes.
  • Tags: Tags allow you to automatically assign various tags to the alert. For example, you can tag an alert as "False Positive". This helps you to ignore alerts or pay attention to them.
  • Category: Category of the alert.
  • Sensor: Shows which sensor in the network detected the attack.
  • Protocol: Type of protocol.
  • Date: Date when the alert was generated.
  • Generated by: Shows exactly where in the correlation engine the alert was generated.
  • Last Change: The description in Last Change matches the last change mentioned in the View changes history field.

Source detail & destination detail:
  • Hostname: Source and destination hostnames.
  • IP: Source and destination IPs.
  • Port: Source and destination ports.
  • ASN: Source and destination ASNs.
  • Country: Source and destination countries.
  • City: Source and destination cities.

View log: Shows the log that generated the alert. If there are multiple logs, the section shows you the latest one.

View changes history: Shows all the interactions, messages, and actions that users of the platform have had while working on the alert. It helps avoid conflicts and duplicated effort.

View on map: Shows the source and destination countries on the map.

Creating New Tags

You can create your own tags to organize or filter alerts better.

To create a new tag, follow the steps below:

  1. Click the Add tag icon located before each alert.

The Tags pop-up window opens, as shown in Figure 13.


Figure 13: Tags window

  2. In the Tags window, click + New tag.

The Add new tag dialog box opens, as shown below.


Figure 14: Add new tag dialog box

  3. Type in a new tag name in the Tag field and click Save.

A new tag is generated.

Adding Note or Comment to an Alert

You can add notes or comments to an alert for tracking or compliance purposes.

To add a note or comment, follow the steps below:

  1. Click the Add note icon located before each alert.

The Comment pop-up window opens, as shown below.


Figure 15: Comment window

  2. In the Comment window, type in the note/comment.
  3. Click Apply comment to publish the comment.

The new note/comment appears in the Last change field.

Filtering Fields in Alerts Table

You can filter the various fields shown on the alerts table by using the Row to filter function.

To filter the fields in the alerts table, follow the steps below:

  1. Click the Row to filter icon located before each alert.

The Row to filters window opens, as shown below.


Figure 16: Row to filters window

  2. Select or de-select the fields to filter the fields on the alerts table.
  3. Click Apply filters to apply the changes.

The alerts table updates and shows the selected fields only.

Converting an Alert into an Incident

If you identify any alert to be a potential incident, you can convert it into an incident.

To convert an alert into an incident, follow the steps below:

  1. Click the Add to incident icon located before each alert.

The Add incident pop-up window opens, as shown below.


Figure 17: Add incident window

  2. In the Add incident window, type in a note giving the reason for converting the alert into an incident.
  3. Click Apply incident to convert the alert into an incident.

Notes:

  • As soon as the incident is created, the stakeholders are notified about it by an automated e-mail.
  • Once an alert is converted into an incident, it appears in the Incidents section instead of the Alerts table. For more information on Incidents, refer to the Incidents

Incidents

Incidents are high-risk alerts that can potentially damage your system or session. Incidents need to be addressed or mitigated as soon as possible. To learn how to identify and convert alerts into incidents, see Converting an Alert into an Incident.