Life Cycle of an Alert

Overview

This article reviews the life cycle of an alert to help you better understand how to perform the following actions:

  1. Create a rule
  2. Maximize the effectiveness of that rule
  3. Review an alert
  4. Resolve an alert

Use Case

You want to create a rule that raises a Severity 2 alert when five `sudo` commands occur within an hour. With this rule, Threat Stack generates an alert whenever a user on a monitored host escalates privileges with `sudo` five times in an hour.

The alert life cycle starts when you create a rule on the Threat Stack Rules page.

1. Create a Rule

Every rule must include the following components:

  • Rule Name: The name of the rule.
  • Alert Title: The title shown on the alert. It can include substitutions (dynamic content such as {{user}}) that add context to the alert.
  • Alert Description: A brief summary of what the alert means.
  • Aggregate Fields: The fields that define the uniqueness of an alert. See Rule Aggregation for additional information about aggregate options.
  • Trigger an alert if an event matching this rule occurs at least: The alert threshold. You specify how many matching events must occur within a time window before an alert is generated.
  • Rule Filter: The criteria an event must match for the rule to count it.
  • Severity: One of three levels indicating how serious the alerted behavior is.
    • Severity 1 alerts are the most serious.
    • Severity 2 alerts are the second most serious.
    • Severity 3 alerts are the least serious.

Note

Select aggregation fields that match the substitution fields in the alert title. For example, if the title substitutes {{user}} and {{exe}} with the user and executable from the event, select user and exe as the aggregation fields. Otherwise, events that differ in those fields are rolled into one alert.

Example of Rule Creation

The example below walks you through the process of cloning and modifying an existing "Privilege Escalations" rule in the Base Ruleset. You can clone an existing rule by navigating to the Rules page.

  1. Click the + New Rule button.


    Create_new_rule.png

  2. The Add Host Rule dialog displays.


    Add_host_rule_dialog.png

  3. Select Clone Existing Rule and click the Next: Details button.


    Clone_existing_rules.png

  4. In the Select existing rules to clone field, search and select the existing Privilege Escalations rule.


    4.png

  5. After making your selection, click the Clone 1 Rule button.
  6. The cloned rule will be displayed in the rules list.


    5.png

  7. You can confirm the Severity of alerts associated with the rule. If necessary, change the severity level by clicking the severity button for your desired alert level.
  8. In the right view pane, the Details screen displays. You can make changes to the following:
    1. Rule Name
    2. Alert Title
    3. Alert Description
    4. Aggregate Fields
    5. Frequency of alert


    6.png

    Note

    In the Aggregate Fields, confirm you have the correct aggregations selected.

  9. In this example, the following updates were made:
    • The Rule Name field was updated to Sudo five in an hour {{exe}} by {{user}} with arguments {{arguments}}.
    • The Alert Title field was updated to User Activity (Sudo five in an hour) {{exe}} ran by user {{user}} with {{arguments}}.
    • The Alert Description field was updated to This alert tracks all sudo commands run by a non-root user and alerts you if a user runs 5 sudo commands in an hour.
    • The alert frequency field was updated to 5 times, and the time window for the alert was updated to 1 hour.


    7.png

  10. Click the Update Rule button to save your changes.
  11. Navigate to the Rule Filter pane.


    8.png

  12. In the Filter field enter the following filter criteria: command = "sudo" and type = "start".
  13. Click the Update Rule Filter button.


    9.png

  14. You have successfully created a new rule.

2. Maximize the Effectiveness of the Rule

When you create a rule, you have the option to select aggregations, alert thresholds, and a time window.

Aggregation Field

Aggregate fields define the uniqueness of the alert.

In our example for rule creation, we selected "exe" (the executable) and "arguments" as aggregations. Hence, if a user runs the same executable with the same arguments more than once, Threat Stack considers it the same behavior and updates the original alert within the alert threshold.

If a user runs the same executable with different arguments, the aggregation key differs, so Threat Stack creates a separate alert for it.


10.png

Alert Thresholds

The alert threshold counts the number of times an event matches the defined filter and aggregations. It displays an alert only after the count matches the alert criteria.

In our example, we had you set the alert threshold as "5 events in a 1 hour period". This means that if a user runs the same command with the same arguments 5 times within an hour, Threat Stack generates only 1 alert.


11.png

Time Window

The time window is the span of time over which matching events are counted toward the alert threshold.

In our example, if the same alert generates more than once within a time window, Threat Stack would update the existing alert instead of generating a new alert. When Threat Stack updates an existing alert, it attaches the event to the alert record for you to review.

You can learn more about alerts in the Threat Stack Dashboard in the "Review an Alert" section below.


12.png

3. Review an Alert

At this point you have created a rule and specified the criteria for an alert. We can now review what an alert looks like on the Alerts page if an event triggers it.

The Alerts Page

As a reminder, the Alerts page contains:

  • Organized view (default and customizable tabs)
    • By default, Threat Stack groups alerts into tabs by severity, type, and active or dismissed status.
  • Search field
  • Alert trends over time (histogram)
  • Alert information table and filter rule and ruleset details

Alerts_page.png

Reviewing Alerts

We recommend using the Alert Trends histogram to navigate to alert spikes. This can help you access alert details quickly and efficiently review additional information.

14.png

In the Alert Trends histogram, select a time frame to view the behaviors that caused the alerts. As you move the vertical markers to the time range you want, the panes in the right view, such as "Filter by Rule" and "Filter by Tags", update to show only the rules and tags behind the alerts in that range. The filter pane also lists the specific behaviors and events, which helps you decide whether further analysis or action is required.

Alerts_filter.png

19.png

Alert Details Information

When reviewing alerts in list view, the following information is displayed:

  1. Severity level of the alert
  2. Title of the alert
  3. Date and time of the alert
  4. Alert suppression icon

16.png

Select an alert to view detailed event information.

17.png

Additional information about the events contributing to the alert are displayed, such as:

  1. The date and time of the first event that triggered the alert (the alert's default timestamp).
  2. The timestamp of the last event that contributed to the alert.
  3. The last five contributing events related to the alert.

Clicking the View Contributing Events link displays the last five contributing events, most recent first.


18.png

4. Resolve an Alert

On the Alerts page, you can view, suppress, and dismiss alerts. The "Dismiss Alert" functionality enables you to acknowledge particular behaviors and track the dismissed alerts for compliance.

Dismissing an Alert vs Suppressing an Alert

Dismissing an alert removes it from view. If the behavior happens again, the alert re-appears.

Suppressing an alert whitelists the behavior, so you will not see the alert again. Suppress an alert only when you do not want to be notified about that behavior at all. See the How do I Suppress an Alert? article for more information.
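To make the rule settings from "Maximize the Effectiveness of the Rule", the alert details described under "Review an Alert" (first and last event timestamps, last five contributing events), and the dismiss-versus-suppress distinction above concrete, here is an added example: a small Python model of the alert life cycle. It is not Threat Stack code and does not reproduce the product's internals; it assumes a tumbling window that opens at the first matching event, equality-only filter terms, and constructed sample events whose field names follow this article but whose values are made up.

```python
"""Added example (not Threat Stack code): a toy engine for the alert life cycle
described in this article. Assumes a tumbling window that opens at the first
matching event and equality-only filter terms; sample events are constructed."""
import re
from datetime import datetime, timedelta

# The rule built in the walkthrough above.
SUDO_RULE = {
    "name": "Sudo five in an hour",
    "title": "User Activity (Sudo five in an hour) {{exe}} ran by user {{user}} with {{arguments}}",
    "severity": 2,
    "filter": {"command": "sudo", "type": "start"},  # command = "sudo" and type = "start"
    "aggregate": ("exe", "arguments"),                # fields that define alert uniqueness
    "threshold": 5,                                   # this many matching events ...
    "window": timedelta(hours=1),                     # ... within this span raise one alert
}


def matches(rule, event):
    """Equality-only stand-in for the rule filter (an assumption of this example)."""
    return all(event.get(field) == value for field, value in rule["filter"].items())


def render_title(template, event):
    """Fill {{field}} substitutions from an event; unknown fields render as '?'."""
    return re.sub(r"{{(\w+)}}", lambda m: str(event.get(m.group(1), "?")), template)


class AlertEngine:
    """Feeds host events through one rule and keeps the resulting alert records."""

    def __init__(self, rule):
        self.rule = rule
        self.windows = {}        # aggregation key -> events in the current window
        self.open_alerts = {}    # aggregation key -> alert still accepting events
        self.alerts = []         # every alert ever raised, oldest first
        self.suppressed = False  # rule-level switch: suppression is not per alert

    def _key(self, event):
        return tuple(event.get(field) for field in self.rule["aggregate"])

    def ingest(self, event):
        """Return the alert this event created or updated, or None."""
        if self.suppressed or not matches(self.rule, event):
            return None
        key, ts = self._key(event), event["ts"]
        window = self.windows.get(key)
        if window is None or ts - window[0]["ts"] >= self.rule["window"]:
            window = self.windows[key] = []   # first event opens a fresh window
            self.open_alerts.pop(key, None)   # a later burst is a new alert
        window.append(event)
        if len(window) < self.rule["threshold"]:
            return None                       # below threshold: nothing to show
        alert = self.open_alerts.get(key)
        if alert is None:                     # threshold just reached: one alert
            alert = {
                "title": render_title(self.rule["title"], window[0]),
                "severity": self.rule["severity"],
                "first_event": window[0]["ts"],   # the alert's default timestamp
                "last_event": ts,
                "contributing": list(window),
                "dismissed": None,                # or the reason it was dismissed
            }
            self.open_alerts[key] = alert
            self.alerts.append(alert)
        else:                                 # same key, same window: update it
            alert["contributing"].append(event)
            alert["last_event"] = ts
            alert["dismissed"] = None         # behavior recurred: alert re-appears
        return alert

    def dismiss(self, alert, reason):
        """Acknowledge an alert; it stays in the record with its reason."""
        alert["dismissed"] = reason

    def suppress(self):
        """Whitelist the behavior: this rule raises no further alerts."""
        self.suppressed = True

    def active(self):
        return [a for a in self.alerts if a["dismissed"] is None]

    def dismissed(self):
        return [(a["title"], a["dismissed"]) for a in self.alerts if a["dismissed"]]


def alert_details(alert):
    """What the alert detail view shows: first/last timestamps, last five events newest first."""
    return {
        "first_event": alert["first_event"].isoformat(),
        "last_event": alert["last_event"].isoformat(),
        "last_five": [e["ts"].isoformat() for e in alert["contributing"][-5:]][::-1],
    }


def sample_event(minute, user, command, arguments, etype="start"):
    """Constructed host event; field names follow the article, values are made up."""
    return {"ts": datetime(2020, 1, 1, 10, 0) + timedelta(minutes=minute), "type": etype,
            "command": command, "exe": "/usr/bin/" + command, "user": user, "arguments": arguments}


def walkthrough():
    """Replay the article's scenario and return the engine for inspection."""
    engine = AlertEngine(SUDO_RULE)
    for m in (0, 5, 10, 15, 20, 35):      # alice: 5th event raises the alert, 6th updates it
        engine.ingest(sample_event(m, "alice", "sudo", "systemctl restart nginx"))
    for m in (2, 8):                      # different arguments: different key, no alert
        engine.ingest(sample_event(m, "alice", "sudo", "apt-get update"))
    engine.ingest(sample_event(3, "alice", "ls", "-la"))                       # fails the filter
    engine.ingest(sample_event(40, "bob", "sudo", "systemctl restart nginx"))  # same key: joins alice's alert
    for m in (120, 121, 122, 123, 124):   # two hours later: new window, new alert
        engine.ingest(sample_event(m, "alice", "sudo", "systemctl restart nginx"))
    return engine


if __name__ == "__main__":
    for alert in walkthrough().alerts:
        print(alert["severity"], alert["title"], alert_details(alert))
```

Two things in the replay are worth noticing. Because `user` is not an aggregate field, bob's identical command joins alice's alert and the title still names alice, which is exactly what the note about matching aggregation and substitution fields warns about. And after `dismiss()` a further matching event makes the alert active again, whereas after `suppress()` the rule raises nothing, mirroring the dismiss-versus-suppress distinction described above.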

Dismissing an Alert

Dismissing an alert indicates you have reviewed and acknowledged a particular behavior, or a set of behaviors. From a compliance perspective, a record of dismissed alerts shows an auditor you reviewed and acknowledged particular behaviors.

Note

Dismissing acts only on the alerts you select; it does not change the rule, so the same behavior will alert again. To stop a behavior from alerting in the future, suppress it at the rule level instead.

To dismiss an alert or multiple alerts, navigate to the Alerts page.

  1. On the Alert Trends histogram, navigate to an alert spike using the vertical markers.


    Alert_histogram_sev3.png

  2. After selecting an alert timeline, review the Filter by Rule pane for the rule filter that triggered the alert behavior.


    20.png

  3. Select a specific alert to review the contributing events and determine why the behavior happened.


    21.png

  4. Select the checkbox for the alert. The Dismiss pane displays in the right view.


    Dismiss_alert_window.png

  5. Select your Dismiss Alerts Reason and click the Dismiss [#] Alert button.


    Dismiss_alert_reason.png

  6. You can review dismissed alerts in the Dismissed Alerts tab.


    Dismissed_alerts.png
