
Alert Management

UTMStack's Threat Management module provides a MANAGE ALERT panel that displays a table with all alerts and their corresponding data. The table includes fields such as Rule, Severity, Status, Time, Sensor, Source IP, Source User, Destination IP, and Destination User. It offers various icons for managing the alerts, such as the Selection box, Table icon, Filter icon, Circle icon, Pencil icon, and Tag icon. You can filter the alerts by status, date range, and various other criteria, and create custom tags and tag rules for automated tagging and filtering. The module also allows you to report alerts as incidents, add notes to them, and view their details and history.
Click on the Threat Management module and select the option Alerts.
You will see the full MANAGE ALERT panel.
1. UTMStack shows, by default, a table with data and options for all alerts.
  • Options Icons
    • Selection box named Add page to selected: Selects every alert shown on the page with one click.
    • Table icon: Lets you manage the table columns, marking each one as Inactive or Visible.
  • The following fields form the table columns:
    • Rule: Rule name of the generated alert.
    • Severity: Severity of the alert: low, medium, or high.
    • Status: When an alert is generated, it comes with the Open status. The IT professional should then select either In Review or Complete by clicking the Open status.
If you consider the alert a possible threat that needs analysis, mark it In review and report it as an incident through the Circle icon of that alert, typing (reported) in the incident field.
If the alert is a false positive, mark it Complete and type false positive in the Observation field. Once the alert is completed this way, UTMStack will automatically complete it as a false positive every time it is generated.
  • Time: Date and time when the alert was generated.
  • Sensor: Displays the data source that detected the event.
  • Source IP: The IP address from which the event originated.
  • Source User: The user that originated the event.
  • Destination IP: The IP address targeted by the event.
  • Destination User: The user that is affected by the event.
  • Each alert row includes other icon options such as:
    • Selection box for the corresponding alert: This option is commonly used to select a set of alerts and apply the same tag, status, or incident to all of them. When you click on the Selection box, the options Apply tags, Apply rate, and Apply incident appear.
  • Filter icon: Filters the data of the corresponding alert you need to analyze. When you click the Apply filters button, UTMStack displays all the alerts matching the selected fields.
  • Circle icon: The option used to report an alert as an incident, provided you have marked the alert In review. Type (reported, incident, or any appropriate description) in the Add incident field, then click Apply Incident. Each incident is automatically notified to the email addresses you specify in the UTMStack Settings.
  • Pencil icon: This allows you to add a note to the corresponding alert.
  • Tag icon: By default, UTMStack provides a false positive tag.
If you add this tag to the corresponding alert by selecting it and clicking the Add tag button, all incoming alerts that match this tag rule will be automatically tagged as false positive.
You can create a new tag with + New tag.
By clicking Create tag rule, you can create or modify the tag rule of the selected tag. By default, UTMStack takes all the data of the corresponding alert and applies the operator (is) to each field. Assigning the Rule name and Description fields is optional, and you can delete any filter.

Type of Operators

  1. is: Selects all alerts that match the specified data.
  2. is not: Selects all alerts except those that match the specified data.
  3. exists: Selects the alerts where the specified field exists.
  4. does not exist: Selects the alerts where the specified field does not exist.
  5. contain: Selects all alerts that contain the specified data.
  6. does not contain: Selects all alerts that do not contain the specified data.
  7. start with: Selects all alerts that begin with the specified data.
  8. does not start with: Selects all alerts that do not begin with the specified data.
  9. end with: Selects all alerts that end with the specified data.
  10. does not end with: Selects all alerts that do not end with the specified data.
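The tag rule described under the Tag icon and the ten operators listed above amount to a small filter language evaluated against each incoming alert. The following is an added example, not UTMStack's own code, of how such an evaluator behaves: it assumes an alert is a flat dict of column name to value, that a tag rule is a list of (field, operator, value) filters, and that a rule matches only when every filter matches (AND semantics; the page does not state how multiple filters combine). The sample alerts and tag rules are constructed for the example; `default_rule_from_alert` mirrors the described default of applying `is` to every field of the selected alert.

```python
"""Tag-rule evaluator for the UTMStack-style operators listed above.

Added example, not UTMStack's code. Assumptions: an alert is a flat dict of
column -> value, a tag rule is a list of (field, operator, value) filters, and
a rule matches an alert only when every filter matches (AND semantics).
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

Filter = Tuple[str, str, Optional[str]]   # (field, operator, value)
TagRule = Dict[str, Any]                   # {"tag": str, "filters": [Filter]}

# Positive operators compare the alert's field value (as a string) with the filter value.
_POSITIVE: Dict[str, Callable[[str, str], bool]] = {
    "is": lambda actual, value: actual == value,
    "contain": lambda actual, value: value in actual,
    "start with": lambda actual, value: actual.startswith(value),
    "end with": lambda actual, value: actual.endswith(value),
}
# Each negated operator is the complement of a positive one ("all alerts except those that match").
_NEGATED: Dict[str, str] = {
    "is not": "is",
    "does not contain": "contain",
    "does not start with": "start with",
    "does not end with": "end with",
}


def filter_matches(alert: Dict[str, Any], flt: Filter) -> bool:
    """Evaluate one (field, operator, value) filter against one alert."""
    field, operator, value = flt
    present = alert.get(field) not in (None, "")
    if operator == "exists":
        return present
    if operator == "does not exist":
        return not present
    if value is None:
        raise ValueError(f"operator {operator!r} requires a value")
    if operator in _POSITIVE:
        # A missing or empty field can never positively match.
        return present and _POSITIVE[operator](str(alert[field]), value)
    if operator in _NEGATED:
        # Complement of the positive form, so a missing field satisfies "is not" etc.
        return not filter_matches(alert, (field, _NEGATED[operator], value))
    raise ValueError(f"unknown operator {operator!r}")


def rule_matches(alert: Dict[str, Any], rule: TagRule) -> bool:
    """A tag rule matches when all of its filters match (assumed AND semantics)."""
    return all(filter_matches(alert, f) for f in rule["filters"])


def default_rule_from_alert(alert: Dict[str, Any], tag: str) -> TagRule:
    """Mirror the described default: take every populated column of the alert and
    apply the operator 'is' to it; the analyst would then delete unwanted filters."""
    filters = [(field, "is", str(value)) for field, value in alert.items()
               if field != "id" and value not in (None, "")]
    return {"tag": tag, "filters": filters}


def apply_tag_rules(alerts: List[Dict[str, Any]], rules: List[TagRule]) -> Dict[int, List[str]]:
    """Return {alert id: [tags]} for every alert, tags listed in rule order."""
    return {a["id"]: [r["tag"] for r in rules if rule_matches(a, r)] for a in alerts}


# Constructed sample alerts (not real UTMStack data); 10.0.0.x and 203.0.113.7 are placeholders.
ALERTS: List[Dict[str, Any]] = [
    {"id": 1, "Rule": "SSH brute force", "Severity": "medium", "Category": "Misc Attack",
     "Sensor": "nids", "Source IP": "146.88.240.10", "Destination IP": "10.0.0.22"},
    {"id": 2, "Rule": "Vulnerability scanner detected", "Severity": "low",
     "Category": "Potential Malicious Activity", "Sensor": "nids", "Source IP": "10.0.0.5"},
    {"id": 3, "Rule": "SSH brute force", "Severity": "high", "Category": "Misc Attack",
     "Sensor": "wazuh", "Source IP": "203.0.113.7", "Source User": "root"},
]

# Constructed tag rules: an authorised internal scanner is tagged false positive;
# alerts attributed to a user and not of low severity are tagged for review.
RULES: List[TagRule] = [
    {"tag": "false positive", "filters": [
        ("Rule", "is", "Vulnerability scanner detected"),
        ("Source IP", "start with", "10."),
    ]},
    {"tag": "user attributed", "filters": [
        ("Source User", "exists", None),
        ("Severity", "is not", "low"),
    ]},
]

if __name__ == "__main__":
    for alert_id, tags in apply_tag_rules(ALERTS, RULES).items():
        print(alert_id, tags or "(no tags)")
```

Note the asymmetry the negated operators introduce: an alert with no Source User satisfies `Source User is not root`, so a false-positive rule built only from negated filters will match more than intended. A rule generated with `default_rule_from_alert` is the opposite extreme, matching only alerts identical in every column, which is why the description says to delete filters from it.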
  • If you click on any part of the alert row, UTMStack shows all the information related to that alert. You can also view the last log, the change history, and the Source IP on the map.
2. In this section, you can filter all the alerts according to their status (Open, In review, and Completed). By default, UTMStack displays all alerts.
3. In the Calendar icon, you can choose the time range that stores the alerts you want to analyze. By default, UTMStack displays the alerts during the last 7 days.
4. The Filters section has various ways to filter alerts that you want to see or investigate further.
  • Nut icon: Lets you manage filters as Inactive or Visible. By default, UTMStack gives direct access to the Visible filters (Rule, Severity, Category, Sensor, and Tags).
  • Filter icon: Used to Reset filters.
  • Filter by Search box: You can filter all the alerts that match a specific value by typing that value in the Search box; it is matched against the rule, severity, category, sensor, tag, source IP, source user, destination IP, destination user, etc.
For example, display all the alerts with Category (Potential Malicious Activity).
  • Filter by Visible filters: Another way to filter alerts is to do it directly in the Visible filters. This option lets you narrow down to the alerts that simultaneously match several values. You can select each value directly or search for it.
For example, let's show all the alerts with Source IP (146.88.240.10), Severity (Medium), Category (Misc Attack), and Sensor(nids).
5. Here, you have three more options:
  • Save report: Exports an alert report according to all the filters applied in the MANAGE ALERT panel. You can limit the number of alerts to export. The report is saved in *.csv format.
  • Manage tags: Another option to create and delete tags.
  • View rules: Manage the rules created in the correlation engine for the alerts.