Reviewing alerts

An alert is an automatic correlation of all events, processes, and activities associated with a detected behavior. Analysts review an alert to understand the impact of a security incident, respond to it, and apply the protection that is needed to prevent the behavior from recurring.

About this task

Use the following method when you review an alert.
  1. Identify three types of processes: the subject process that triggered the alert, its parent process, and any child processes.
  2. For the parent, subject, and child processes, check the following four areas. A valid signature establishes where a binary came from, not whether this particular invocation is legitimate; signed system utilities are routinely abused, so weigh the other three areas even when authenticity checks out.

     Area          Questions to ask
     Authenticity  Is it a trusted application? Is it signed by a trusted certificate?
     Parameters    Do the command-line parameters that the application was run with look legitimate and harmless?
     Behaviors     Is the behavior of the process acceptable in your organization?
     Connections   If the process created any connections, are they legitimate?

  3. Identify the status of the alert. The following table describes the possible values for the alert status.

     Alert status       Description
     Active             One or more processes in the alert are still running.
     Inactive           All the processes in the alert are terminated.
     Inactive Archived  The alert is closed and is no longer tracked. No new events are correlated to the alert.
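The three steps above can be applied mechanically once the alert's process tree is exported. The following Python script is an added example, not the product's own code or export format: the alert record layout (pid, parent_pid, triggered, running, signer, cmdline, events, connections, closed) and the review policy values are assumptions made for the example, and the alert data is constructed. It selects the parent, subject, and child processes (step 1), evaluates the four review areas for each (step 2), and derives the alert status from the process states (step 3).

```python
"""Added example: apply the parent / subject / child review to an alert record.

Illustrative code only. The alert dict schema and the POLICY values are
assumptions for this example, not the product's API or export format.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Organization-specific review policy (assumed values for this example).
POLICY = {
    "trusted_signers": {"Microsoft Windows", "Microsoft Corporation"},
    # Command-line fragments a reviewer would want to look at more closely.
    "suspicious_args": ("-enc", "-w hidden", "iex(", "downloadstring"),
    # Event kinds considered acceptable per process image; anything else is flagged.
    "allowed_events": {"winword.exe": {"file_read", "file_write"},
                       "explorer.exe": {"process_start"}},
    # Destinations considered legitimate; anything outside is flagged for review.
    "allowed_networks": [ipaddress.ip_network("10.0.0.0/8")],
}

# Constructed sample alert (schema is an assumption, not the product's).
SAMPLE_ALERT = {
    "id": "alert-001",
    "closed": False,
    "processes": [
        {"pid": 1200, "name": "explorer.exe", "parent_pid": None, "triggered": False,
         "running": True, "signer": "Microsoft Windows",
         "cmdline": r"C:\Windows\explorer.exe", "events": [], "connections": []},
        {"pid": 4410, "name": "winword.exe", "parent_pid": 1200, "triggered": False,
         "running": False, "signer": "Microsoft Corporation",
         "cmdline": r'"C:\Program Files\Microsoft Office\winword.exe" invoice.docm',
         "events": ["file_read:invoice.docm"], "connections": ["10.0.0.5:443"]},
        {"pid": 5120, "name": "powershell.exe", "parent_pid": 4410, "triggered": True,
         "running": False, "signer": "Microsoft Windows",
         "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
         "events": [r"file_write:C:\Users\Public\update.exe"],
         "connections": ["203.0.113.7:443"]},
        {"pid": 5300, "name": "update.exe", "parent_pid": 5120, "triggered": False,
         "running": True, "signer": None,
         "cmdline": r"C:\Users\Public\update.exe",
         "events": [r"registry_set:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"],
         "connections": []},
    ],
}


def select_processes(alert: dict) -> Tuple[Optional[dict], dict, List[dict]]:
    """Step 1: the subject process (it triggered the alert), its parent, its children."""
    by_pid = {p["pid"]: p for p in alert["processes"]}
    subject = next(p for p in alert["processes"] if p["triggered"])
    parent = by_pid.get(subject["parent_pid"])
    children = [p for p in alert["processes"] if p["parent_pid"] == subject["pid"]]
    return parent, subject, children


def _connection_allowed(conn: str, policy: dict) -> bool:
    """A 'host:port' string is legitimate only if the host lies in an allowed network."""
    host, _, _port = conn.rpartition(":")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved here; treat them as needing review
    return any(addr in net for net in policy["allowed_networks"])


def check_process(proc: dict, policy: dict = POLICY) -> Dict[str, bool]:
    """Step 2: the four review areas. True means 'looks legitimate', False means 'review'."""
    authentic = proc["signer"] in policy["trusted_signers"]
    cmd = proc["cmdline"].lower()
    params_ok = not any(frag in cmd for frag in policy["suspicious_args"])
    allowed = policy["allowed_events"].get(proc["name"], set())
    behavior_ok = all(ev.split(":", 1)[0] in allowed for ev in proc["events"])
    conns_ok = all(_connection_allowed(c, policy) for c in proc["connections"])
    return {"authenticity": authentic, "parameters": params_ok,
            "behaviors": behavior_ok, "connections": conns_ok}


def alert_status(alert: dict) -> str:
    """Step 3: a closed alert is Inactive Archived; otherwise Active while any process runs."""
    if alert["closed"]:
        return "Inactive Archived"
    return "Active" if any(p["running"] for p in alert["processes"]) else "Inactive"


def triage(alert: dict, policy: dict = POLICY) -> dict:
    """Run all three steps and list, per in-scope process, the areas that failed review."""
    parent, subject, children = select_processes(alert)
    scoped = [("parent", parent)] if parent else []
    scoped.append(("subject", subject))
    scoped.extend(("child", c) for c in children)
    findings = {}
    for role, proc in scoped:
        checks = check_process(proc, policy)
        findings[proc["pid"]] = {"role": role, "name": proc["name"],
                                 "flags": [area for area, ok in checks.items() if not ok]}
    return {"alert": alert["id"], "status": alert_status(alert), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ALERT), indent=2))
```

On the constructed alert the parent (winword.exe) passes every area, the subject (powershell.exe) passes authenticity but fails parameters, behaviors and connections, and the child (update.exe) is unsigned with an unexpected registry write; the alert is Active because the child is still running. Note that the signed, trusted PowerShell binary is exactly the case where authenticity alone would mislead, which is why the other three areas are checked for every process in scope.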

Procedure

  1. Click Alerts.
  2. Click an alert in the alerts list.
    Tip: Use the search and filters to fine-tune the list of alerts.
  3. Review the details of the alert.

    Processes that are associated with the alert are shown in circles. The number in the circle is the process ID. A blue circle indicates that the process triggered the alert. Events that are associated with the alert are shown in hexagons.

    A process or event in red indicates a high severity. Orange indicates a medium severity. Yellow indicates a low severity.

    A solid line between two processes indicates a parent-child relationship. A dashed line between a process and events means that the events are associated with that process.

    An alert status indicates the current state of the alert: Active, Inactive, or Inactive Archived.

  4. Click any process or event and determine the appropriate response.
  5. Close the alert as either a security incident or a false positive.