Alert Context Overview

Introduction

The Alert Context feature compiles information about contributing events to provide more context to help you better understand and investigate high-priority alerts triggered in your App Infrastructure Protection (AIP) environment.

Note

Alert Context is only available for Severity 1 (Sev 1) alerts on Audit and CloudTrail events.

Types of Alert Context

Alert Context answers several specific questions to help you quickly decide if a Sev 1 alert requires immediate follow-up.

Host Alerts
  • Has the user generated an event on this Agent in the past 30 days?
  • Has the user generated events within this organization in the past 30 days?
  • Has the user performed the specific action that generated this type of alert on this Agent in the past 30 days?
  • Has the user been active on this Agent during this time of day in the past 30 days?
  • Has the user performed tasks on the Agent using this source IP address in the past 30 days?

CloudTrail Alerts
  • Has this identity performed other tasks that triggered this specific type of alert in the past 30 days?
  • Has this identity performed tasks using this source IP address in the past 30 days?
  • Has this identity generated events in this organization in the past 30 days?
  • Has this identity performed tasks using this authentication in the past 30 days?

Note

Context is stored for 30 calendar days after you check the alert.
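The five Host Alert questions above amount to comparing one contributing event against the same user's 30-day history. The following is an added illustration of that comparison, not AIP's own code: it assumes each event carries a timestamp, user, Agent hostname, action and source IP, treats "this time of day" as the same hour of the day, and runs on constructed sample events.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # the 30-day lookback described on this page


def _ev(ts, user, agent, action, source_ip):
    return {"ts": ts, "user": user, "agent": agent, "action": action, "source_ip": source_ip}


# Constructed sample history (hypothetical values, not real AIP data).
HISTORY = [
    _ev(datetime(2023, 5, 1, 9, 15), "alice", "web-01", "sudo", "10.0.0.5"),
    _ev(datetime(2023, 5, 10, 10, 2), "alice", "web-01", "ssh_login", "10.0.0.5"),
    _ev(datetime(2023, 5, 20, 9, 40), "alice", "db-01", "ssh_login", "10.0.0.5"),
    _ev(datetime(2023, 3, 1, 9, 0), "alice", "web-01", "useradd", "10.0.0.5"),  # older than 30 days
]

# The contributing event of a hypothetical Sev 1 alert: a 03:12 useradd from an unfamiliar IP.
ALERT = _ev(datetime(2023, 5, 25, 3, 12), "alice", "web-01", "useradd", "203.0.113.9")


def host_alert_context(alert, history):
    """Answer the Host Alert questions; True means the behaviour was seen in the window."""
    cutoff = alert["ts"] - WINDOW
    recent = [e for e in history
              if cutoff <= e["ts"] < alert["ts"] and e["user"] == alert["user"]]
    on_agent = [e for e in recent if e["agent"] == alert["agent"]]
    return {
        "user_on_agent": bool(on_agent),
        "user_in_org": bool(recent),
        "action_on_agent": any(e["action"] == alert["action"] for e in on_agent),
        # Assumption: "this time of day" is modelled as the same hour of the day.
        "time_of_day_on_agent": any(e["ts"].hour == alert["ts"].hour for e in on_agent),
        "source_ip_on_agent": any(e["source_ip"] == alert["source_ip"] for e in on_agent),
    }


def flag(context):
    """Map each answer to the page's colours: blue = regular, yellow = anomalous."""
    return {k: ("blue" if seen else "yellow") for k, seen in context.items()}


if __name__ == "__main__":
    for question, colour in flag(host_alert_context(ALERT, HISTORY)).items():
        print(f"{question}: {colour}")
```

Note that the March useradd on web-01 falls outside the window, so the action is flagged yellow even though the user once performed it on that Agent.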

View Alert Context
  1. Log into AIP.
  2. Click Alerts on the left navigation pane. The Alerts page displays.
  3. In the SEV 1 tab, click the List View tab. Your environment’s alerts display as a list.
    List view in the SEV 1 alerts tab.
  4. Click on an alert you want to see more information about. The Alert Details menu opens.

    Note

    On the Alert Details menu, you can view a summary of contributing events in the Highlights section. You can also click the View button next to any Highlight to open the Alert Context page.

  5. Click the Alert Context button.
    In the Alert Details menu, click the Alert Context button above the Highlights section.

    The Alert Details page opens.
    The Alert Details page.
Navigate the Alert Details Page

On the Alert Details page, you can view context for specific alerts to help you decide if you want to suppress or dismiss the alert.

Note

You cannot suppress or dismiss alerts from this page. For information about how to suppress or dismiss alerts, see:

AIP flags highlights, user activity, IP addresses, and tasks as regular or anomalous.

  • Blue indicates regular behavior.
    Blue icon of an 'i' in a circle.
  • Yellow indicates anomalous behavior.
    Yellow icon of an exclamation point in a triangle.
Host Alert Details
The Alert Details page for Host events.
  1. Alert Information – Details about the alert you are currently viewing
  2. Highlights – An overview of the alert’s contributing events
  3. User Context – View more information about this Host alert
  4. Identity – Optionally, click the dropdown menu to select another identity
  5. User Activity – Hover your cursor over the histogram to view user activity trends
  6. Agents in this alert by User – Agent hostnames in this alert, sorted by user and frequency
  7. Most Common Agents by User – Agents in this alert sorted by frequency
  8. Sources in this alert by User – All sources in this alert, their destination, and frequency
  9. Most Common Sources by User – Sources in this alert sorted by frequency
  10. Processes in this alert by User – All processes in this alert, their executable (exe), and frequency
  11. Most Common Processes by User – Processes in this alert sorted by frequency
  12. Contributing Events – Click to view breakdowns of contributing events for the alert, including the type, executable (exe), and arguments.
CloudTrail Alert Details

The Alert Details page for CloudTrail alerts.

  1. Alert Information – Details about the alert you are currently viewing
  2. Highlights – An overview of the alert’s contributing events
  3. CloudTrail Context – View more information about this CloudTrail alert
  4. Identity – Optionally, click the dropdown menu to select another event
  5. Addresses in this alert by Identity – The number and frequency of events that have been generated by specific IP addresses
  6. Most Common Addresses by Identity – The IP addresses that have most frequently triggered this alert
  7. Tasks in this alert by Identity – The number and frequency of tasks that have been generated matching this alert
  8. Most Common Tasks by Identity – Tasks in this alert sorted by frequency
  9. Contributing Events – Click to view breakdowns of contributing events for the alert, including the event source, type, and source IP address.

For more information on Alert Context, see Get Context for an Alert (API Documentation).
