Reviewing alerts
An alert is an automatic correlation of all events, processes, and activities associated with the detected behavior. Analysts can review an alert to understand the impact of a security incident, respond to it, and apply the protection that is needed to prevent the behavior from recurring.
About this task
- Identify three types of processes: the subject process that triggered the alert, its parent process, and any child processes.
- For the parent, subject, and child processes, verify the legitimacy of these four areas.
| Area | Questions to ask |
| --- | --- |
| Authenticity | Is it a trusted application? Is it signed by a trusted certificate? |
| Parameters | Do the command line parameters that are run with the application look legitimate and harmless? |
| Behaviors | Is the behavior of the process acceptable in your organization? |
| Connections | If the process created any connections, are they legitimate? |

- Identify the status of the alert. The following table describes the possible values for the alert status.

| Alert status | Description |
| --- | --- |
| Active | One or more processes in the alert are still running. |
| Inactive | All the processes in the alert are terminated. |
| Archived | The alert is closed and is no longer tracked. No new events are correlated to the alert. |
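The process checks above (authenticity, parameters, connections, for the parent, subject, and child processes) can also be collected directly on the endpoint when the alert is still Active. The following PowerShell triage helper is an added example and is not part of the product or its documentation; it assumes a live Windows host, a local session with rights to read other processes' metadata, and the subject PID taken from the alert (`$SubjectPid` is a hypothetical parameter name). It uses only the built-in `Win32_Process` CIM class, `Get-AuthenticodeSignature`, and `Get-NetTCPConnection`.

```powershell
# Added triage helper (not the product's own code). Gathers three of the four
# review areas for a subject process, its parent, and its children. "Behaviors"
# comes from the alert's event timeline and cannot be read from a static snapshot.
param(
    [Parameter(Mandatory = $true)][int]$SubjectPid   # PID recorded in the alert (assumption)
)

function Get-ProcessTriage {
    param([int]$ProcessId, [string]$Role)

    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) {
        return [pscustomobject]@{ Role = $Role; ProcessId = $ProcessId; Note = 'process no longer running' }
    }

    # Authenticity: is the image signed, and does its chain end in a root this host trusts?
    # "Valid" only proves the file matches its signer; still check WHO the signer is.
    $sig = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath } else { $null }

    # Connections: established or pending TCP sessions owned by this PID (listeners excluded).
    $tcp = Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort) ($($_.State))" }

    [pscustomobject]@{
        Role            = $Role
        ProcessId       = $p.ProcessId
        ParentProcessId = $p.ParentProcessId
        Image           = $p.ExecutablePath
        Authenticity    = if ($sig) { "$($sig.Status) / $($sig.SignerCertificate.Subject)" } else { 'no image path' }
        Parameters      = $p.CommandLine     # look for encoded payloads, odd flags, LOLBin abuse
        Connections     = ($tcp -join '; ')
        Created         = $p.CreationDate
    }
}

$subject = Get-CimInstance Win32_Process -Filter "ProcessId = $SubjectPid"
if (-not $subject) { throw "Subject PID $SubjectPid is not running; rely on the alert's recorded data instead." }

$rows = @()
$rows += Get-ProcessTriage -ProcessId $subject.ParentProcessId -Role 'parent'
$rows += Get-ProcessTriage -ProcessId $SubjectPid -Role 'subject'
Get-CimInstance Win32_Process -Filter "ParentProcessId = $SubjectPid" |
    ForEach-Object { $rows += Get-ProcessTriage -ProcessId $_.ProcessId -Role 'child' }

# PID reuse check: ParentProcessId is just a number. If the "parent" was created
# AFTER the subject, the real parent has exited and its PID was recycled.
$parent = $rows | Where-Object { $_.Role -eq 'parent' -and $_.Created }
if ($parent -and $parent.Created -gt $subject.CreationDate) {
    Write-Warning "Parent PID $($parent.ProcessId) was created after the subject; treat the parent as unknown (PID reuse)."
}

$rows | Format-List
```

Run it as `.\Get-AlertTriage.ps1 -SubjectPid 4242` (the script name is an assumption). A `Valid` signature status is necessary but not sufficient for the Authenticity check: compare the `SignerCertificate.Subject` against the vendor you expect for that image, because a code-signing certificate can be bought or stolen. `NotSigned` on a binary that should be catalog-signed by Windows, or a trusted image running from an unexpected path, are the findings that usually matter most.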