Alert Trends Functionality

Overview

Threat Stack's Alert Trends histogram feature helps you understand trends in abnormal behaviors and can reduce the time it takes to manage alerts inside Threat Stack. For more information about alerts, see Alert Feature Overview.

Alert Trends Histogram


Important

The default view of the Alert Trends histogram shows seven days. Double-click the histogram to display a date range covering one year.

The Alerts page shows the Alert Trends histogram organized over time by the number and severity of alerts found on a daily basis. This can help you better track abnormal spikes of alerts and review the behaviors that caused the events.

In the Alert Trends histogram, you can select a desired time frame to view the behaviors that caused the alerts. Click and drag your cursor to select a date range on the histogram. The information in Group View or List View and Alert Filters changes to display content relevant to the behaviors during the time frame you specified.

Search and Filter


Search

You can search for specific alerts using keywords in the rule that triggered the alert, such as user, timestamp, or session identification (ID).

Search for specific rules in the Search field. As you type, available filters and search results adjust based on the parameters you enter.

Filter

The Alert Filters section shows the specific rules and behaviors you can use to filter your search.

  1. Filters button — By default, filters display on the Alerts page. To hide filters, click the Filters button. The button turns gray and the filters no longer display.
  2. Source — Select one or more checkboxes to only view alerts from the selected source(s).
  3. Rule Type — Select one or more checkboxes to only view alerts generated by the selected rule type(s).
  4. Rule Name — Select one or more checkboxes to only view alerts generated by the selected rule(s). If there are more rules than can be displayed by default, click the +More button. To search for particular rules, type a keyword from the rule name in the Filter Rule Name field.
  5. Ruleset — Select one or more checkboxes to only view alerts generated by the selected ruleset(s). To search for a particular ruleset, type a keyword from the ruleset name in the Filter Ruleset field.
  6. Severity — Select one or more checkboxes to only view alerts of a particular level of severity.
  7. Classifiers — Select one or more checkboxes to only view alerts from the selected rule classifier(s). To search for particular classifiers, type a keyword from the classifier name in the Filter Classifiers field.

Manage Alerts in Alert Trends

You can use the Alert Trends histogram and the Alert Filters to help you quickly manage (review, acknowledge, dismiss, or suppress) alerts.

To review and dismiss an alert:

  1. Log into Threat Stack.
  2. In the left navigation pane, click Alerts. The Alerts page displays.
  3. On the Alert Trends histogram, click and drag your cursor to select a date range. All alerts generated during that time frame display.
  4. Review the Alert Filters section to determine the rule filter(s) that caught the alert behavior.
  5. Select a specific alert to review details to help you determine what event triggered the alert. From the Alert Details sections in both Group View and List View, you can:

    Important

    Requests to dismiss alerts are queued and do not take effect in real time. Refreshing the Alerts page immediately after dismissing an alert can therefore cause the page to display an incorrect alert count.

  6. Repeat this process as necessary. Threat Stack recommends reviewing other alert behavior spikes and using the dismiss or suppress functionality as needed.