Reviewing alerts

An alert is an automatic correlation of all events, processes, and activities associated with the detected behavior. Analysts can review an alert to understand the impact of a security incident, respond to the situation, and apply the protection that is needed to prevent the behavior from reoccurring.

About this task

Use the following method when you review alerts.
  1. Identify three types of processes: the subject process that triggered the alert, its parent process, and any child processes.
  2. For the parent, subject, and child processes, verify the legitimacy of these four areas.
    Area Questions to ask
    Authenticity Is it a trusted application? Is it signed by a trusted certificate?
    Parameters Do the command line parameters that are run with the application look legitimate and harmless?
    Behaviors Is the behavior of the process acceptable in your organization?
    Connections If the process created any connections, are they legitimate?


  1. Click Alerts.
  2. Click an alert in the alerts list.
    Tip: Use the search and filters to fine-tune the list of alerts.
  3. Review the details of the alert to determine the appropriate response.

    Processes that are associated with the alert are shown in circles. The number in the circle is the process ID. A blue circle indicates that the process triggered the alert. Events that are associated with the alert are shown in hexagons.

    A process or event in red indicates a high severity. Orange indicates a medium severity. Yellow indicates a low severity.

    A solid line between two processes indicates a parent-child relationship. A dashed line between a process and events means that the events are associated with that process.

    Click any process or event for more information about it.

  4. Close the alert as either a security incident or a false positive.