Alert Trends Functionality
Overview
Threat Stack designed the Alert Trends histogram feature to help you understand trends of abnormal behaviors. This feature can help you accelerate the time it takes to manage alerts inside of Threat Stack.
Important
The default view of the Alert Trends histogram is seven days. Double-click the histogram to display a date range covering one year.
The Feature
The Alerts page shows the Alert Trends histogram organized over time by the number and severity of alerts found on a daily basis. This can help you better track the abnormal spikes of alerts and review the behaviors that caused the events.
In the Alert Trends histogram, you can select a desired time frame along the histogram to view the behaviors that caused the alerts. As you move the vertical markers to the desired range, the information in the right view pane, such as "Filter by Rule" and "Filter by Tags", changes to display content related to the behaviors in the body of the selected alerts. The filter pane also shows the specific behaviors and events to help you determine whether any further analysis or action is required.
Daily Use and Workflow
This section reviews the optimal workflow to help you manage (review, acknowledge, dismiss, or suppress) your alerts quickly using the Alert Trends view and the Alerts filter.
Use Case: Review and Dismiss an Alert
In this scenario, you log into Threat Stack and navigate to the Alerts page. Click List View to display the latest alerts in chronological order, with the most recent alerts appearing first.
Review the Alert Trends histogram to confirm:
- The date with the most alerts
- The trend that caused the alerts since your last login
Important
Requests to dismiss alerts are queued and do not occur in real time. Hence, refreshing the Alerts page immediately after dismissing an alert can cause the page to incorrectly display the alert count.
In this example, the largest set of alerts was generated between August 15th and August 19th.
- Move the vertical markers along the histogram to the date range with the largest number of alerts.
- All alerts generated during that time frame are displayed. Ensure List View is selected for a detailed list of the alerts.
- Review the Filter by Rule pane to determine the rule filter that caught the alert behavior.
- In this example, some of the rule filters were:
- CloudTrail Activity (Access Denied) for {{eventName}} by {{user}}
- CloudTrail: KMS Read Event: {{user}} {{eventName}} in account {{accountId}}
- Select a specific alert to review the contributing events and determine why the behavior happened.
- You can select the alerts associated with the behavior and then:
- Acknowledge and dismiss the behavior (see Life Cycle of an Alert to resolve an alert)
- Suppress the behavior (see How do I Suppress an Alert?)
For this example, we dismiss the alert by clicking the Dismiss 1 Alert button.
- Repeat this process as necessary. We recommend reviewing other spikes in alert behavior and using the dismiss or suppress functionality as needed.
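The following is an added example, not Threat Stack code, that models offline what the feature description and the workflow above do in the UI: it builds the per-day, per-severity histogram, finds the busiest day, selects the alerts between two vertical markers, computes the "Filter by Rule" and "Filter by Tags" counts for that window, and shows why an alert count read immediately after a dismissal can be stale, because dismissals are queued. The alert record layout (id, created_at, severity, rule, tags, status) and the queue/apply functions are assumptions, and the sample alerts are constructed with a spike on August 15th to 19th to match the example dates on the page.

```python
"""Offline model of the Alert Trends histogram and filter pane.

Added example, not Threat Stack code. The alert record layout (id, created_at,
severity, rule, tags, status) is an assumption; the sample alerts are constructed.
"""
import copy
from collections import Counter, defaultdict

# Rule titles taken from the page, with template placeholders left unrendered.
RULE_DENIED = "CloudTrail Activity (Access Denied) for {{eventName}} by {{user}}"
RULE_KMS = "CloudTrail: KMS Read Event: {{user}} {{eventName}} in account {{accountId}}"

# (day, severity, rule key): constructed data with a spike on Aug 15-19.
_RAW = [
    ("2019-08-14", 3, "denied"),
    ("2019-08-15", 1, "denied"), ("2019-08-15", 2, "kms"), ("2019-08-15", 2, "denied"),
    ("2019-08-16", 3, "kms"), ("2019-08-16", 1, "denied"),
    ("2019-08-17", 2, "kms"),
    ("2019-08-18", 1, "denied"), ("2019-08-18", 2, "denied"),
    ("2019-08-19", 1, "kms"), ("2019-08-19", 1, "kms"),
    ("2019-08-19", 2, "denied"), ("2019-08-19", 3, "denied"),
    ("2019-08-20", 3, "kms"),
]
_RULES = {"denied": (RULE_DENIED, ["cloudtrail", "iam"]),
          "kms": (RULE_KMS, ["cloudtrail", "kms"])}

SAMPLE_ALERTS = [
    {"id": i, "created_at": f"{day}T12:00:00Z", "severity": sev,
     "rule": _RULES[key][0], "tags": list(_RULES[key][1]), "status": "active"}
    for i, (day, sev, key) in enumerate(_RAW, start=1)
]


def alert_day(alert):
    """ISO date (YYYY-MM-DD) of an alert; ISO date strings sort chronologically."""
    return alert["created_at"][:10]


def daily_histogram(alerts):
    """Per-day alert counts broken down by severity, like the histogram bars."""
    hist = defaultdict(Counter)
    for a in alerts:
        hist[alert_day(a)][a["severity"]] += 1
    return {day: dict(counts) for day, counts in sorted(hist.items())}


def busiest_day(alerts):
    """Day with the most alerts (the earliest such day on a tie)."""
    hist = daily_histogram(alerts)
    return max(hist, key=lambda d: sum(hist[d].values()))


def select_range(alerts, start, end):
    """Alerts between the two vertical markers, inclusive of both days."""
    return [a for a in alerts if start <= alert_day(a) <= end]


def filter_counts(alerts, field):
    """Counts a filter pane ('rule' or 'tags') would show for the selected alerts."""
    counts = Counter()
    for a in alerts:
        value = a[field]
        if isinstance(value, list):
            counts.update(value)
        else:
            counts[value] += 1
    return counts


def queue_dismissal(pending, alert_ids):
    """Record dismiss requests; nothing changes until apply_queued runs."""
    pending.update(alert_ids)
    return len(pending)


def apply_queued(alerts, pending):
    """Background step that actually dismisses the queued alerts."""
    for a in alerts:
        if a["id"] in pending:
            a["status"] = "dismissed"
    pending.clear()


def open_alerts(alerts):
    """Alerts that have not been dismissed."""
    return [a for a in alerts if a["status"] == "active"]


def demo():
    """Walk the page's workflow on a private copy of the sample data."""
    alerts = copy.deepcopy(SAMPLE_ALERTS)
    peak = busiest_day(alerts)
    window = select_range(alerts, "2019-08-15", "2019-08-19")
    by_rule = filter_counts(window, "rule")
    pending = set()
    queue_dismissal(pending, [window[0]["id"]])
    open_before = len(open_alerts(alerts))   # queued alert still counted
    apply_queued(alerts, pending)
    open_after = len(open_alerts(alerts))    # count drops only after the queue drains
    return {"peak_day": peak, "window_size": len(window),
            "top_rule": by_rule.most_common(1)[0][0],
            "open_before_apply": open_before, "open_after_apply": open_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `open_before_apply` and `open_after_apply` values in `demo()` illustrate the note above: a count read straight after the dismiss request still includes the alert, so refresh only once the queued work has been applied.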