About Alerts
An Alert signifies a potential security threat or unusual activity detected across monitored platforms. Alerts are stored in the Alerts Database and can be associated with related Incidents in the Incident Database for effective tracking and response. Ideally, Alerts should be triaged and linked to an Incident when they provide relevant context or evidence.
Alert Actions
- Create Incident
  - Automatically creates an Incident and cross-links it with the alert.
  - The alert's generated timestamp becomes the first Timeline entry in the incident.
  - The alert is automatically marked with status "Reviewed" and disposition "True Positive".
- Mark False Positive
  - Automatically closes the alert as "Reviewed" with a disposition of "False Positive".
Alerts Database Fields
Alerts contain the following fields:
- Name
  - A brief description of the alert, typically summarizing the observed activity or anomaly.
- Affected Assets
  - Links to affected hosts in the Hosts Database. When an alert is created, it either links to an existing asset in the database or creates a new asset using the internal IP address and hostname provided by the alert.
- Details
  - The full event details captured during detection.
- Metadata
  - Supplementary data associated with the alert, such as references or MITRE tags.
- Alert Generated
  - The timestamp indicating when the alert was generated. This is the true alert generation time, not the time it was ingested into NIMS.
- Alert Disposition
  - Indicates whether the alert is a true positive or a false positive. Possible values are:
    - Empty (default)
    - Indeterminate
    - False Positive (set when the "Mark False Positive" button is clicked)
    - True Positive (set when the "Create Incident" button is clicked)
- Alert Status
  - Indicates the current review status of the alert. Possible values are:
    - Needs Review (default status when an alert is created)
    - Reviewed (set after clicking either the "Create Incident" or the "Mark False Positive" button)
- Created Time
  - The timestamp when the alert was added to the database.
- Related Incident
  - The Incident this alert has been added to. Defaults to empty but updates to the associated Incident in the Incident Database after clicking the "Create Incident" button.
- Related URL
  - A link to the alert's source in the SIEM/SOC platform.
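The field defaults, the asset linking rule and the two Alert Actions above, modelled as an added example (not NIMS code): the Hosts, Alerts and Incident databases are hypothetical in-memory dicts, timestamps are ISO 8601 strings, and hosts are assumed to be keyed by internal IP.

```python
from dataclasses import dataclass, field
# Hypothetical in-memory stand-ins for the NIMS databases (assumption); ISO 8601 timestamps.
@dataclass
class Host:
    internal_ip: str
    hostname: str

@dataclass
class Incident:
    id: int
    timeline: list = field(default_factory=list)   # (timestamp, text) entries
    alert_ids: list = field(default_factory=list)  # cross-links back to alerts

@dataclass
class Alert:
    id: int
    name: str
    alert_generated: str          # true generation time, not ingest time
    internal_ip: str
    hostname: str
    status: str = "Needs Review"  # default status on creation
    disposition: str = ""         # empty by default
    related_incident: int = None
    affected_assets: list = field(default_factory=list)

class Nims:
    def __init__(self):
        self.hosts = {}      # Hosts Database, keyed by internal IP (assumption)
        self.incidents = {}  # Incident Database
        self.next_incident_id = 1
    def ingest(self, alert):
        # Link to the existing host for this IP, or create a new asset.
        host = self.hosts.setdefault(alert.internal_ip,
                                     Host(alert.internal_ip, alert.hostname))
        alert.affected_assets.append(host)
        return alert
    def create_incident(self, alert):
        # "Create Incident": new cross-linked Incident whose first Timeline entry is the alert time.
        inc = Incident(self.next_incident_id, alert_ids=[alert.id])
        self.next_incident_id += 1
        inc.timeline.append((alert.alert_generated, f"Alert {alert.id}: {alert.name}"))
        self.incidents[inc.id] = inc
        alert.related_incident = inc.id
        alert.status, alert.disposition = "Reviewed", "True Positive"
        return inc
    def mark_false_positive(self, alert):
        # "Mark False Positive": close the alert as Reviewed with no incident.
        alert.status, alert.disposition = "Reviewed", "False Positive"
        return alert
```

Two alerts from the same internal IP share one Host record, and only the "Create Incident" path populates Related Incident.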