Alert Management

Click on the Threat Management module and select the option Alerts. 

alert-management-module.jpg

You will see the full MANAGE ALERT panel.

manager-alert-ok.jpg

1. By default, UTMStack shows a table with the data and options of all alerts.

1-manage-alert.jpg

  • Options icons  
    • Selection box named Add page to selected: Allows you to select all alerts by clicking on it.  
    • Table icon: Allows you to manage the table columns as Inactive or Visible columns. 

column-fields.jpg

  • The following fields form the table columns:
    • Rule: Name of the rule that generated the alert.   
    • Severity: Severity of the alert: low, medium, or high.  
    • Status: When an alert is generated, it has the Open status. The IT professional should then select In review or Complete by clicking on the Open status.   

alert-status-ok.jpg

If you consider the alert a possible threat to analyze, mark it In review and report it as an incident through the Circle icon corresponding to the alert by typing (reported).

reported-incident-ok.jpg

If the alert is a false positive, mark it Complete and type false positive in the Observation field. Once the alert is completed, UTMStack will automatically complete it as a false positive every time that alert is generated. 

    • Time: Date and time when the alert was generated.   
    • Sensor: Displays the data source that detected the event. 
    • Source IP: The IP address from which the event originated.   
    • Source User: The user that originated the event.    
    • Destination IP: The IP address targeted by the event.   
    • Destination User: The user affected by the event.   
  • Each alert row includes other icon options, such as: 
    • Selection box for the corresponding alert: This option is commonly used to select a set of alerts and apply the same tag, status, or incident to all of them. When you click on the Selection box, the options Apply tags, Apply status, and Apply incident appear.

apply-tags,-status,-incident-ok.jpg

    • Filter icon: Used to filter the data of the corresponding alert that you need to analyze. When you click the Apply filters button, UTMStack displays all the alerts that match the selected fields. 

filter-icon-1.jpg

    • Circle icon: Used to report an alert as an incident whenever you have marked the alert In review. To do so, type (reported, incident, or any appropriate description) in the Add incident field, then click Apply Incident. Each incident is automatically notified to the emails you specify in the UTMStack Settings.    

incident1.jpg

    • Pencil icon: This allows you to add a note to the corresponding alert.  
    • Tag icon: By default, UTMStack gives you a false positive tag.    

If you add this tag to the corresponding alert by selecting it and clicking the Add tag button, all incoming alerts that match this tag rule will be automatically tagged as false positive.   

tags-icon.jpg   

You can create a new tag with + New tag.    

new-tag.jpg  

By clicking Create tag rule, you can create or modify the rule of the selected tag. By default, UTMStack takes all the data of the corresponding alert and applies the operator (is). Assigning the Rule name and Description fields is optional. You can also delete any filter.   

add-new-rule-ok.jpg

Types of Operators   

  1. is: Selects all alerts that match the specified data.   
  2. is not: Selects all alerts except those that match the specified data.   
  3. exists: Selects the alerts where the specified field exists.   
  4. does not exist: Selects the alerts where the specified field does not exist.   
  5. contain: Selects all alerts that contain the specified data.   
  6. does not contain: Selects all alerts that do not contain the specified data.   
  7. start with: Selects all alerts that start with the specified data.   
  8. does not start with: Selects all alerts that do not start with the specified data.   
  9. end with: Selects all alerts that end with the specified data.   
  10. does not end with: Selects all alerts that do not end with the specified data.   
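As an added example (not UTMStack's own code), the ten operators above implemented as a small tag-rule matcher run over constructed alerts; the rule format and field names are assumptions for illustration. It also shows why it is worth checking how many existing alerts a rule matches before saving it, since every incoming alert that matches a false positive tag rule is tagged automatically from then on.

```python
from typing import Any, Optional

# Operator semantics as listed on the page; v is the alert's field value
# (None when the field is absent) and x is the value typed into the rule.
OPERATORS = {
    "is": lambda v, x: v == x,
    "is not": lambda v, x: v != x,
    "exists": lambda v, x: v is not None,
    "does not exist": lambda v, x: v is None,
    "contain": lambda v, x: v is not None and x in v,
    "does not contain": lambda v, x: v is None or x not in v,
    "start with": lambda v, x: v is not None and v.startswith(x),
    "does not start with": lambda v, x: v is None or not v.startswith(x),
    "end with": lambda v, x: v is not None and v.endswith(x),
    "does not end with": lambda v, x: v is None or not v.endswith(x),
}

# Constructed sample alerts; field names are hypothetical, not UTMStack's schema.
ALERTS = [
    {"id": 1, "rule": "SSH brute force", "severity": "medium", "sensor": "nids",
     "source_ip": "10.0.0.5", "destination_ip": "10.0.0.20"},
    {"id": 2, "rule": "SSH brute force", "severity": "medium", "sensor": "nids",
     "source_ip": "10.0.0.5", "destination_ip": "10.0.0.99"},
    {"id": 3, "rule": "SSH login from new location", "severity": "low", "sensor": "nids",
     "source_ip": "10.0.0.7", "destination_ip": "10.0.0.20", "source_user": "svc-backup"},
]

def rule_matches(rule: list, alert: dict) -> bool:
    """A tag rule is a list of (field, operator, value) filters; all must hold (AND)."""
    return all(OPERATORS[op](alert.get(field), value) for field, op, value in rule)

def default_rule(alert: dict, fields: list) -> list:
    """Mirrors the page's default: each chosen field of the alert with operator 'is'."""
    return [(f, "is", alert[f]) for f in fields]

def matching_ids(rule: list, alerts: list) -> list:
    """Ids of alerts the rule would tag: a scope check before saving a false positive rule."""
    return [a["id"] for a in alerts if rule_matches(rule, a)]

if __name__ == "__main__":
    narrow = default_rule(ALERTS[0], ["rule", "sensor", "source_ip", "destination_ip"])
    broad = [("rule", "start with", "SSH"), ("sensor", "is", "nids")]
    print("default 'is' rule tags:", matching_ids(narrow, ALERTS))  # [1]
    print("broad rule tags:", matching_ids(broad, ALERTS))          # [1, 2, 3]
```

The default rule built from all of an alert's fields only matches alerts identical to it, while a rule relaxed to start with / contain on the rule name also suppresses alerts against other destinations.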
  • If you click on any part of the alert row, UTMStack shows all the information related to the alert. You can also view the last log, the change history, and the Source IP on the map.

alert-details.jpg

2. In this section, you can filter all the alerts according to their status (Open, In review, and Completed). By default, UTMStack displays all alerts.

status.jpg

3. With the Calendar icon, you can choose the time range of the alerts you want to analyze. By default, UTMStack displays the alerts from the last 7 days.

calendar-icon.jpg

4. The Filters section has various ways to filter alerts that you want to see or investigate further.

filter-section.jpg

  • Nut icon: Allows you to manage filters as Inactive or Visible filters. By default, UTMStack gives direct access to the Visible filters (Rule, Severity, Category, Sensor, and Tags).

nut-filter.jpg

  • Filter icon: Used to reset filters.
  • Filter by Search box: You can filter all the alerts that match a specific value by typing that value (associated with the rule, severity, category, sensor, tag, source IP, source user, destination IP, destination user, etc.) in the Search box.

For example, let's display all the alerts with Category (Potential Malicious Activity).

filter-potential.jpg

  • Filter by Visible filters: Another way to filter alerts is directly in the Visible filters. This option lets you narrow the alerts down to those that simultaneously match several values. You can select the value directly or search for it.

For example, let's show all the alerts with Source IP (146.88.240.10), Severity (Medium), Category (Misc Attack), and Sensor (nids).

multiple-filters.jpg

5. Here, you have three more options:

5.jpg

  • Save report: Exports an alert report according to all the filters applied in the MANAGE ALERT panel. You can limit the number of alerts to export. The report is saved in *.csv format.

reporting.jpg

  • Manage tags: Another way to create and delete tags.
  • View rules: Manage the rules that have been created in the correlation engine for the alerts.