Reviewing alerts

An alert is an automatic correlation of all events, processes, and activities associated with the detected behavior. Analysts can review an alert to understand the impact of a security incident, respond to the situation, and apply the protection that is needed to prevent the behavior from reoccurring.

About this task

Use the following method when you review alerts.
  1. Identify three types of processes: the subject process that triggered the alert, its parent process, and any child processes.
  2. For the parent, subject, and child processes, verify legitimacy in each of these four areas.
    Area          Questions to ask
    Authenticity  Is it a trusted application? Is it signed by a trusted certificate?
    Parameters    Do the command-line parameters passed to the application look legitimate and harmless?
    Behaviors     Is the behavior of the process acceptable in your organization?
    Connections   If the process created any connections, are they legitimate?
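The following Python script is an added illustration of the two steps above (it is not part of this documentation or of the product): it scopes the parent, subject and child processes of a constructed alert and runs the four checks over each. The process records, the policy sets and the heuristics for each area are all assumptions chosen for the example.

```python
# Constructed sample alert data: a process table keyed by PID (not real product output).
PROCESSES = {
    100: dict(name="explorer.exe", parent=None, signed=True, cmdline="explorer.exe", conns=[]),
    200: dict(name="winword.exe", parent=100, signed=True, cmdline='winword.exe /n "invoice.docm"', conns=[]),
    300: dict(name="powershell.exe", parent=200, signed=True,
              cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA", conns=["203.0.113.5:443"]),
    400: dict(name="unknown.exe", parent=300, signed=False, cmdline=r"C:\Users\Public\unknown.exe", conns=[]),
}

# Hypothetical organisation policy behind the Parameters, Behaviors and Connections checks.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
APPROVED_DESTINATIONS = {"198.51.100.10:443"}
SUSPICIOUS_PARAMS = ("-enc", "-encodedcommand", "-w hidden", "bypass")

def process_scope(processes, subject_pid):
    """Step 1: return the subject process, its parent (if any) and its children."""
    subject = processes[subject_pid]
    parent = subject["parent"]
    children = [pid for pid, p in processes.items() if p["parent"] == subject_pid]
    return {"parent": [parent] if parent is not None else [], "subject": [subject_pid], "children": children}

def check_process(processes, pid):
    """Step 2: return the list of areas in which one process fails the legitimacy check."""
    p = processes[pid]
    findings = []
    if not p["signed"]:
        findings.append("Authenticity: binary is not signed by a trusted certificate")
    lowered = p["cmdline"].lower()
    hits = [t for t in SUSPICIOUS_PARAMS if t in lowered]
    if hits:
        findings.append(f"Parameters: suspicious command-line options {hits}")
    parent = processes.get(p["parent"]) if p["parent"] is not None else None
    if parent and parent["name"] in OFFICE_APPS and p["name"] in SCRIPT_HOSTS:
        findings.append(f"Behaviors: {parent['name']} launched script host {p['name']}")
    bad_conns = [c for c in p["conns"] if c not in APPROVED_DESTINATIONS]
    if bad_conns:
        findings.append(f"Connections: unapproved destinations {bad_conns}")
    return findings

def triage(processes, subject_pid):
    """Run the four checks over parent, subject and children; return findings per PID."""
    scope = process_scope(processes, subject_pid)
    pids = scope["parent"] + scope["subject"] + scope["children"]
    return {pid: check_process(processes, pid) for pid in pids}

if __name__ == "__main__":
    for pid, findings in triage(PROCESSES, 300).items():
        print(pid, PROCESSES[pid]["name"], findings or ["no findings"])
```

Run against the constructed alert on PID 300, the parent comes back clean, the subject fails the Parameters, Behaviors and Connections checks, and the unsigned child fails only Authenticity.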

Procedure

  1. Click Alerts.
  2. Click an alert in the alerts list.
    Tip: Use the search and filters to fine-tune the list of alerts.
  3. Review the details of the alert to determine the appropriate response.

    Processes that are associated with the alert are shown in circles. The number in the circle is the process ID. A blue circle indicates that the process triggered the alert. Events that are associated with the alert are shown in hexagons.

    A process or event in red indicates a high severity. Orange indicates a medium severity. Yellow indicates a low severity.

    A solid line between two processes indicates a parent-child relationship. A dashed line between a process and events means that the events are associated with that process.

    Click any process or event for more information about it.

  4. Close the alert as either a security incident or a false positive.