Alert Trends Functionality

Threat Stack designed the Alert Trends histogram feature to help you understand trends of abnormal behaviors. This feature can help you accelerate the time it takes to manage alerts inside of Threat Stack.

[Animation: Alert Trends overview (Alt_Alert_Trends_Vid.gif)]

The Feature

The Alerts page shows the Alert Trends histogram, which plots the number of alerts per day, broken down by severity (days are bucketed in UTC and displayed in your local time). This helps you spot abnormal spikes in alert volume and review the behaviors that caused them.

In Alert Trends, you drag the bracket along the histogram to the time period of interest to view the behaviors that caused the alerts. As you move the bracket, the right-hand filters, Filter by Rule and Filter by Ruleset, update to show only the rules and rulesets relevant to that period, and the alert list shows the raw alerts behind those behaviors. From there you can drill into the specific behaviors and events to decide on further analysis and action.

Daily Use & Workflow

This section reviews the optimal workflow to help you manage (review, acknowledge, dismiss, or suppress) your alerts quickly using the Alert Trends view and the Alerts Filter.

Use Case: Review & Dismiss an Alert

In this scenario, you log into the Threat Stack application and notice the Alert Count in the left-side menu. You open the Alerts page and see the latest alerts in reverse chronological order, most recent first.

You review the Alert Trend histogram to confirm the following:

  • The date with the most alerts
  • The trend that caused the alerts since your last login

_____________________________________________________________________________

IMPORTANT:

  1. Requests to dismiss alerts are queued and are not processed in real time. Refreshing the Alerts page immediately after dismissing alerts can therefore show a stale, incorrect alert count.
  2. The Alerts widget on the Dashboard page is also not real time and does not immediately reflect actions such as alert dismissals.

_____________________________________________________________________________

In this example, the largest set of alerts happened on May 16th:

1. Slide the bracket along the histogram to the date with the most alerts.

This displays the alerts related to that date at the top of the alert list.

[Animation: moving the bracket to the May 16th spike (A_Sev3_bracket.gif)]

2. Review the Filter by Rule section to see which rule caught the alert behavior.

(In this case it is the "{{exe}} activity :{{arguments}} ran by {{user}}" behavior.)

3. Select a specific alert to review the contributing events and see why the behavior happened.

[Screenshot: alert details with contributing events (A_2_alert_details.png)]

4. Select the alerts associated with the behavior, then either:

  • Acknowledge and dismiss the behavior
  • Suppress the behavior (see the “How do I Suppress an Alert?” article)

For this example, we dismiss the alert.

[Animation: dismissing the selected alerts (A_4_Alert_Dismiss.gif)]

Repeat this process as necessary. We recommend that you review the other alert spikes in the histogram and dismiss or suppress the underlying behaviors as needed.

Additional Alert articles include:
