Threat Stack's Alert Trends histogram helps you understand trends in abnormal behaviors and can reduce the time it takes to manage alerts inside Threat Stack. For more information about alerts, see Alert Feature Overview.
The default view of the Alert Trends histogram shows seven days. Double-click the histogram to display a date range covering one year.
The Alerts page shows the Alert Trends histogram, which charts alerts over time by their daily count and severity. This helps you track abnormal spikes in alerts and review the behaviors that caused them.
In the Alert Trends histogram, you can select a desired time frame to view the behaviors that caused the alerts. Click and drag your cursor to select a date range on the histogram. The information in Group View or List View and Alert Filters changes to display content relevant to the behaviors during the time frame you specified.
You can search for specific alerts using keywords in the rule that triggered the alert, such as user, timestamp, or session identification (ID).
Search for specific rules in the Search field. As you type, available filters and search results adjust based on the parameters you enter.
The Alert Filters section shows the specific rules and behaviors you can use to filter your search.
- Filters button — By default, filters display on the Alerts page. To hide filters, click the Filters button. The button turns gray and the filters no longer display.
- Source — Select one or more checkboxes to only view alerts from the selected source(s).
- Rule Type — Select one or more checkboxes to only view alerts generated by the selected rule type(s).
- Rule Name — Select one or more checkboxes to only view alerts generated by the selected rule(s). If there are more rules than can be displayed by default, then click the +More button. To search for particular rules, type a keyword from the rule name in the Filter Rule Name field.
- Ruleset — Select one or more checkboxes to only view alerts generated by the selected ruleset(s). To search for a particular ruleset, type a keyword from the ruleset name in the Filter Ruleset field.
- Severity — Select one or more checkboxes to only view alerts of a particular level of severity.
- Classifiers — Select one or more checkboxes to only view alerts from the selected rule classifier(s). To search for particular classifiers, type a keyword from the classifier name in the Filter Classifiers field.
You can use the Alert Trends histogram and the Alert Filters to help you quickly manage (review, acknowledge, dismiss, or suppress) alerts.
To review and dismiss an alert:
- Log into Threat Stack.
- In the left navigation pane, click Alerts. The Alerts page displays.
- On the Alert Trends histogram, click and drag your cursor to select a date range. All alerts generated during that time frame display.
- Review the Alert Filters section to determine the rule filter(s) that caught the alert behavior.
- Select a specific alert to review details to help you determine what event triggered the alert. From the Alert Details sections in both Group View and List View, you can:
  - Acknowledge and dismiss the behavior (see Life Cycle of an Alert)
  - Suppress the behavior (see How do I Suppress an Alert?)
  Requests to dismiss alerts are queued and do not occur in real time. Hence, refreshing the Alerts page immediately after dismissing an alert can cause the page to incorrectly display the alert count.
- Repeat this process as necessary. Threat Stack recommends reviewing other alert behavior spikes and using the dismiss or suppress functionality as needed.