Organizing, viewing and curating alerts is a vital piece of the workflow in managing the security of cloud environments. Based on customer feedback and our own internal use, we redesigned our alert management UX and workflow to address the following needs:
- Significantly faster page loading, even with thousands of open alerts.
- Quickly search through alerts. Example: show me all alerts that mention a particular user name, or all alerts with a specific command or argument(s).
- Create focus areas. Example: every time I come into the app, I want to see alerts from my database servers.
The redesign addresses them with three features:
- Tabs as focus areas: We narrowed in on the well-known concept of browser tabs as focus areas, with built-in default tabs and the ability for customers to create and save their own tabs. Each tab can be customized to match the originating rule sets and/or the originating servers (by EC2 tags).
- "Live Alert Loading": The new alert page loads alerts as they come in, rather than making the user wait until all alerts have been fetched into the app.
- Search on alert titles: All tabs have a search field. Results appear as the user types into the search bar.
Tabs - Default and user
Tabs - Features
Below is an example of custom tabs created for insider threats, external threats and data loss use cases.
Insider threats tab, with alerts related to privilege escalations on hosts, security group changes from CloudTrail, access denied errors from CloudTrail, and other related events.
External threats tab, with alerts related to unauthorized connections to external hosts.
Data loss tab, with alerts related to file transfers.
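To make the "tab as a saved filter" idea concrete, here is an added example that models the three custom tabs above plus a "my database servers" tab built from an EC2 tag. It is not code from the original post or from the product it describes; the `Alert`/`Tab` classes, the rule set names (`Host`, `CloudTrail`, `Network`, `File`), the tag keys and every sample alert are constructed for illustration. A tab narrows the alert list by originating rule set and/or host tags, the search box narrows it further by a case-insensitive title match, and `route` shows how a single newly arrived alert can be placed into the tabs it belongs to as it streams in.

```python
"""Tabs as saved filters over a stream of security alerts (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Alert:
    title: str
    rule_set: str        # originating rule set, e.g. "CloudTrail" (assumed names)
    tags: Dict[str, str] # EC2 tags of the originating host; empty for non-host sources


@dataclass
class Tab:
    """A saved focus area: match any of the rule sets AND all of the required tags."""
    name: str
    rule_sets: FrozenSet[str] = frozenset()          # empty = any rule set
    tags: Dict[str, str] = field(default_factory=dict)  # empty = any host

    def matches(self, alert: Alert) -> bool:
        if self.rule_sets and alert.rule_set not in self.rule_sets:
            return False
        # Every required tag must be present on the originating host with the same value.
        return all(alert.tags.get(k) == v for k, v in self.tags.items())


def tab_view(tab: Tab, alerts: Iterable[Alert], query: str = "") -> List[Alert]:
    """Alerts visible in a tab, further narrowed by the tab's title search box."""
    q = query.lower()
    return [a for a in alerts if tab.matches(a) and q in a.title.lower()]


def route(alert: Alert, tabs: Dict[str, Tab]) -> Set[str]:
    """Which tabs a freshly loaded alert lands in; used per alert as they stream in."""
    return {key for key, tab in tabs.items() if tab.matches(alert)}


# Constructed sample alerts (hostnames, IPs and IDs are placeholders).
ALERTS = [
    Alert("User jdoe escalated privileges via sudo", "Host",
          {"role": "db", "env": "prod"}),
    Alert("Security group sg-PLACEHOLDER modified", "CloudTrail", {}),
    Alert("AccessDenied for user jdoe on s3:GetObject", "CloudTrail", {}),
    Alert("Outbound connection to unknown host 203.0.113.7:4444", "Network",
          {"role": "web", "env": "prod"}),
    Alert("scp transfer of /var/lib/pgsql/backup.tar to external host", "File",
          {"role": "db", "env": "prod"}),
]

# The three custom tabs from the post, plus a tag-based "database servers" focus area.
TABS = {
    "insider": Tab("Insider threats", frozenset({"Host", "CloudTrail"})),
    "external": Tab("External threats", frozenset({"Network"})),
    "dataloss": Tab("Data loss", frozenset({"File"})),
    "databases": Tab("My database servers", tags={"role": "db"}),
}

if __name__ == "__main__":
    for key, tab in TABS.items():
        print(f"[{tab.name}]")
        for a in tab_view(tab, ALERTS):
            print("  ", a.title)
    print("Insider threats matching 'jdoe':",
          [a.title for a in tab_view(TABS["insider"], ALERTS, "jdoe")])
    print("New alert routed to:", sorted(route(ALERTS[0], TABS)))
```

Note that CloudTrail-sourced alerts carry no EC2 tags, so a tag-based tab such as "My database servers" excludes them by construction; if you want account-level events alongside host events, combine a rule set filter with the tag filter in the same tab rather than relying on tags alone.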