Alert Trends Functionality

Overview

Threat Stack designed the Alert Trends histogram to help you understand trends in abnormal behavior. The feature can reduce the time it takes to manage alerts within Threat Stack.

[Image: Alerts_page.png]

Important

The default view of the Alert Trends histogram is seven days. Double-click the histogram to display a date range covering one year.

The Feature

The Alerts page shows the Alert Trends histogram, which is organized by day and shows the number and severity of alerts found on each day. This helps you track abnormal spikes in alerts and review the behaviors that caused them.

In the Alert Trends histogram, you can select a time frame along the histogram to view the behaviors that caused the alerts. As you move the vertical markers to the desired time range, the information in the right view pane, such as "Filter by Rule" and "Filter by Tags", changes to display content related to the behaviors in the body of those alerts. The filter pane also shows the specific behaviors and events, which helps you determine whether further analysis or action is required.

[Image: 15.png]

Daily Use and Workflow

This section reviews the optimal workflow to help you manage (review, acknowledge, dismiss, or suppress) your alerts quickly using the Alert Trends view and the Alerts filter.

Use Case: Review and Dismiss an Alert

In this scenario, you log into Threat Stack and navigate to the Alerts page. Click List View to display the latest alerts in chronological order, with the most recent alerts appearing first.

You review the Alert Trends histogram to confirm the following:

  • The date with the most alerts
  • The trend that caused the alerts since your last login

Important

Requests to dismiss alerts are queued and do not occur in real time. Hence, refreshing the Alerts page immediately after dismissing an alert can cause the page to incorrectly display the alert count.

In this example, the largest set of alerts was generated between August 15th and August 19th.

  1. Move the vertical markers along the histogram to the date range with the largest number of alerts.

     [Image: 19.png]

  2. All alerts generated during that time frame are displayed. Ensure List View is selected to see a detailed list of the alerts.

     [Image: AlertListView.png]

  3. Review the Filter by Rule pane to determine which rule caught the alert behavior.
     • In this example, some of the rule filters were:
       • CloudTrail Activity (Access Denied) for {{eventName}} by {{user}}
       • CloudTrail: KMS Read Event: {{user}} {{eventName}} in account {{accountId}}

     [Image: Filter_by_rule.png]

  4. Select a specific alert to review the contributing events and determine why the behavior happened.

     [Image: Contributing_event_.png]

  5. Select the alerts associated with the behavior and then act on them (acknowledge, dismiss, or suppress). For this example, we dismiss the alert by clicking the Dismiss 1 Alert button.

     [Image: Dismiss_alert_reason_selected.png]

  6. Repeat this process as necessary. We recommend reviewing other spikes in alert behavior and using the dismiss or suppress functionality as needed.
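The following is an added example, not Threat Stack's own code, that models the behavior described in "The Feature" and in the workflow above: alerts are bucketed by day and severity to form the histogram, the two vertical markers become an inclusive date range, and the "Filter by Rule" and "Filter by Tags" panes are counts over the alerts in that range. It also models the note that dismiss requests are queued, so the visible count does not change until the queue is processed. The record fields (id, ts, severity, rule, tags), the severity levels, and the sample alerts are constructed for the example.

```python
"""Illustrative model of the Alert Trends histogram and the Alerts filter pane.

Added example, not Threat Stack code. Field names, severity levels (assumed
1 = highest) and the sample alerts below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import date, datetime

ACCESS_DENIED = "CloudTrail Activity (Access Denied) for {{eventName}} by {{user}}"
KMS_READ = "CloudTrail: KMS Read Event: {{user}} {{eventName}} in account {{accountId}}"

# Constructed sample alerts spanning the August 14-21 window used in the page's example.
SAMPLE_ALERTS = [
    {"id": 1, "ts": "2019-08-14T09:12:00Z", "severity": 3, "rule": "Login Failure", "tags": ["auth"]},
    {"id": 2, "ts": "2019-08-15T10:05:00Z", "severity": 1, "rule": ACCESS_DENIED, "tags": ["cloudtrail", "iam"]},
    {"id": 3, "ts": "2019-08-15T11:30:00Z", "severity": 2, "rule": KMS_READ, "tags": ["cloudtrail", "kms"]},
    {"id": 4, "ts": "2019-08-16T02:45:00Z", "severity": 1, "rule": ACCESS_DENIED, "tags": ["cloudtrail", "iam"]},
    {"id": 5, "ts": "2019-08-19T23:59:00Z", "severity": 2, "rule": "New User Added", "tags": ["users"]},
    {"id": 6, "ts": "2019-08-21T08:00:00Z", "severity": 3, "rule": "Login Failure", "tags": ["auth"]},
]


def alert_day(alert):
    """Day bucket used by the histogram: the UTC date of the alert timestamp."""
    return datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ").date()


def daily_histogram(alerts):
    """Map each day to a Counter of alerts per severity level (the histogram bars)."""
    hist = defaultdict(Counter)
    for a in alerts:
        hist[alert_day(a)][a["severity"]] += 1
    return dict(hist)


def peak_day(alerts):
    """The day with the most alerts; ties go to the earliest date."""
    hist = daily_histogram(alerts)
    return min(hist, key=lambda d: (-sum(hist[d].values()), d))


def select_range(alerts, start, end):
    """Alerts between the two vertical markers (inclusive dates), most recent first (List View)."""
    chosen = [a for a in alerts if start <= alert_day(a) <= end]
    return sorted(chosen, key=lambda a: a["ts"], reverse=True)


def filter_pane(alerts):
    """Counts shown in the 'Filter by Rule' and 'Filter by Tags' panes for a selection."""
    by_rule = Counter(a["rule"] for a in alerts)
    by_tag = Counter(t for a in alerts for t in a["tags"])
    return {"rules": dict(by_rule), "tags": dict(by_tag)}


class DismissQueue:
    """Dismiss requests are queued; the visible count only changes once they are processed."""

    def __init__(self, alerts):
        self.alerts = {a["id"]: dict(a) for a in alerts}
        self.pending = []

    def dismiss(self, alert_id, reason):
        # The request is accepted immediately but not yet applied to the alert.
        self.pending.append((alert_id, reason))

    def visible_count(self):
        # What a page refresh would show: still includes alerts with a pending dismiss.
        return sum(1 for a in self.alerts.values() if not a.get("dismissed"))

    def process(self):
        # Background processing applies the queued dismissals.
        for alert_id, reason in self.pending:
            self.alerts[alert_id]["dismissed"] = reason
        self.pending.clear()


if __name__ == "__main__":
    print("peak day:", peak_day(SAMPLE_ALERTS))
    window = select_range(SAMPLE_ALERTS, date(2019, 8, 15), date(2019, 8, 19))
    print("selected ids:", [a["id"] for a in window])
    print("filter pane:", filter_pane(window))
    q = DismissQueue(SAMPLE_ALERTS)
    q.dismiss(2, "Expected behavior")
    print("count right after dismiss:", q.visible_count())
    q.process()
    print("count after queue is processed:", q.visible_count())
```

Running the script shows the peak day (August 15th in the constructed data), the four alerts inside the August 15th to 19th selection, the per-rule and per-tag counts for that selection, and a count that stays at six immediately after a dismiss and drops to five only after the queue is processed, which is the stale-count effect the note above warns about.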