App Infrastructure Protection (AIP) is a behavior-based anomaly detection platform based on telemetry delivered into the platform from various sources, including your host and your infrastructure.
Alerts are behavior anomalies elevated from the stream of raw telemetry by rule filters. Alerts contain two main components:
- The alert title
- The contributing events
|Contributing Events||The raw telemetry that caused the anomaly to happen.|
|Alert Title||The name and substitutions (dynamic content) that adds context to the alert.|
The substitution fields should match the aggregation fields selected for the alert. The aggregation fields define the uniqueness of the alerts. For additional information on aggregations, see Life Cycle of an Alert.
Alerts trigger when AIP detects a behavior anomaly deemed inappropriate based on the rules you enabled or created. Rules require a filter to match behaviors against raw telemetry.
|Telemetry||Events and behavior anomalies.|
|Rules||Behaviors that you want to catch from the raw telemetry stream.|
Rule Filter Example
|Behavior to Catch||Rule Filter|
|Privilege escalations||command =“sudo”|
|User access||Event_type =“login"|
If a rule displays alerts for behavior you consider baseline or normal, you can create a suppression filter to have it no longer report that behavior. The content should match the aggregation fields selected for the alert. The aggregation fields define the uniqueness of the alerts. See How do I Suppress an Alert? for more information.
AIP includes three levels of elevation of behaviors to indicate the severity of the alert:
- Severity 1 (Sev 1): The highest elevation of behaviors.
- Recommended for behaviors and scenarios that should wake you up in the middle of the night. Only used for behavior anomalies where an action and remediation runbook exists.
- Severity 2 (Sev 2): The second highest elevation of behaviors.
- Recommended for behaviors you want to monitor and review with stakeholders to improve over time.
- Severity 3 (Sev 3): The third highest elevation of behaviors.
- Recommended for behaviors that companies log for compliance or forensics purposes.
In the left navigation bar, select the Alerts tab. The Alerts page displays the following information:
- Alert Trends over time in the form of a histogram
- Alerts sorted by severity, type, active or dismissed
- Alert information table including filter rule and ruleset details
On the Alerts page, you can:
- Select an alert to review its alert details
- Suppress an alert
- Dismiss an alert (if you dismiss an alert, it displays in the Dismissed Alerts tab)
For more information, see Alert View.
If a rule that triggered an alert is deleted, a generic icon () displays on the Alerts page instead of the icon associated with the triggered rule.
The Alerts page offers both search and filter capabilities to help refine your search queries.
Search — Search for specific alerts using keywords in the rule that triggered the alert, such as user, timestamp, or session identification (ID).
Filters button — By default, filters display on the Alerts page. To hide filters, click the Filters button. The button turns grey, and the filters no longer display.
Source — Select a checkbox to only view alerts from the selected source.
Rule Type — Select a checkbox to only view alerts generated by the selected rule type.
Rule Name — Select a checkbox to only view alerts generated by the selected rule. If there are more rules than can be displayed by default, then click the +More button. To search for particular rules, type a keyword from the rule name in the Filter Rule Name field.
Ruleset — Select a checkbox to only view alerts generated by the selected ruleset. To search for a particular ruleset, type a keyword from the ruleset name in the Filter Ruleset field.
Severity — Select a checkbox to only view alerts of the selected level of severity.
Classifiers — Select one or more checkboxes to only view alerts with the selected classifier(s). To search for particular rules, type a keyword from the classifier in the Filter Classifiers field.