Alert Trends Functionality

Overview

Threat Stack designed the Alert Trends histogram feature to help you understand trends of abnormal behaviors. This feature can help you accelerate the time it takes to manage alerts inside of Threat Stack.

The Feature

The Alerts page shows the Alert Trends histogram organized over time by the number and severity of alerts found on a daily basis. This can help you better track the abnormal spikes of alerts and review the behaviors that caused the events.

In the Alert Trends, you can select a desired time frame along the histogram to view the behaviors that caused the alerts. As you move the vertical markers to your desired timeline, the information in the right view pane, such as "Filter by Rule" and "Filter by Tags", changes to display relevant content related to the behaviors in the body of the alerts. The filter pane also shows the specific behaviors and events to help you determine whether any further analysis and action is required.

Daily Use and Workflow

This section reviews the optimal workflow to help you manage (review, acknowledge, dismiss, or suppress) your alerts quickly using the Alert Trends view and the Alerts filter.

Use Case: Review and Dismiss an Alert

In this scenario, you log into Threat Stack and navigate to the Alerts page. Click List View to display the latest alerts in chronological order, with the most recent alerts appearing first.

You review the Alert Trend histogram to confirm the following:

• The date with the most alerts
• The trend that caused the alerts since your last login

In this example, the largest set of alerts was generated between August 15th and August 19th.

1. Move the vertical markers along the histogram to the date range with the most number of alerts.

   
   

2. All alerts generated during that timeframe are displayed. Ensure List View is selected for a detailed list of the alerts.

   
   

3. Review the Filter by Rule pane to determine the rule filter that caught the alert behavior.
   • In this example, some of the rule filters were:
     • CloudTrail Activity (Access Denied) for {{eventName}} by {{user}}
     • CloudTrail: KMS Read Event: {{user}} {{eventName}} in account {{accountId}}

   

4. Select a specific alert to review the contributing events and determine why the behavior happened.

   
   

5. You can select the alerts associated with the behavior and then:
   • Acknowledge and dismiss the behavior (see the Life Cycle of an Alert article for resolving an alert)
   • Suppress the behavior (see the How do I Suppress an Alert? article)

   For this example, we dismiss the alert by clicking the Dismiss 1 Alert button.

   

6. Repeat this process as necessary. We recommend reviewing other alert behavior spikes and use the dismiss or suppress functionality as needed.