Threat Stack designed the Alert Trends histogram feature to help you understand trends of abnormal behaviors. This feature can help you accelerate the time it takes to manage alerts inside of Threat Stack.
The Feature
The Alerts page shows the Alert Trends histogram organized over time by the number and the severity of alerts found on a daily basis (we use UTC and translate to your local time). This can help you better track the “abnormal spikes” of alerts and review the behaviors that caused the events.
In the Alert Trends, you can drag the bracket along the histogram to the desired time period and view the behaviors that caused the alerts. As you move the bracket, the information in the right hand filter, Filter by Rule and Filter by Ruleset, changes to display relevant information, including the raw alerts related to the behaviors in the body of the alerts. It also shows the specific behaviors and events that you can use to determine further analysis and action.
Daily Use & Workflow
This section reviews the optimal workflow to help you manage (review, acknowledge, dismiss, or suppress) your alerts quickly using the Alert Trends view and the Alerts Filter.
Use Case: Review & Dismiss an Alert
In this scenario, you log into the Threat Stack application and notice the Alert Count on the left side menu. You click onto the Alerts page and notice the latest alerts, in chronological order, the most recent alerts first.
You review the Alert Trend histogram to confirm the following:
- The date with the most alerts
- The trend that caused the alerts since your last login
NOTE: Do not refresh the Alerts page while dismissing alerts. It can cause the page to incorrectly display the number of alerts.
In this example, the largest set of alerts happened on May 16th:
1. Slide the bracket along the histogram to the date that has the most number of alerts.
This displays the alerts related to that date at the top of the alert list.
2. Review the Filter by Rule section to see what Rule Filter that caught the alert behavior.
(in this case it is the {{exe}} activity :{{arguments}} ran by {{user}} behavior)
3. Select a specific alert to review the contributing events and see why the behavior happened.
4. You can select the alerts associated with the behavior and then:
- Acknowledge and dismiss the behavior
- Suppress the behavior (see the “How do I Suppress an Alert?” article)
For this example, we dismiss the alert.
Repeat this process as necessary. We recommend that you review other alert behavior spikes and use the dismiss, or suppress, functionality as needed.
Additional Alert articles include:
0 Comments