15.3 Managing Alerts

Alerts notify you of what is most important. Using the Change Guardian web console, users can quickly triage alerts and determine which ones need a response.

For example, during the typical life cycle of an alert, a user will:

  • Open an alert view and either pick an alert already assigned to them or claim an unassigned alert.

  • View the alert details, such as the metadata, information about the alert rule that generated the alert, the triggering event and its identity information, and any knowledge base information associated with the alert.

  • Determine the next step and add comments about the decision:

    • Close as harmless

    • Respond appropriately, and then close

    • Investigate further

You can also define rules to store only specific alerts in the database so that the database does not get overloaded. You can also define retention policies to automatically close and delete alerts after a specific duration.

15.3.1 Viewing and Triaging Alerts in Alert Views

Real-time alert views in the Change Guardian web console show you the alerts that are most important to look at and enable you to view and manage alert details. Charts provide a summary of alerts and the table provides a prioritized list of all the alerts. Alert views also allow you to perform alert triage operations such as changing states of an alert, assigning alerts to users or roles, adding information to the knowledge base, and so on. You can further drill down into each alert to view the alert details such as trigger events, user identities involved, and alert history.

To view and analyze alerts, you must first create an alert view.

Creating an Alert View

To create an alert view, you must either be an administrator or have the Manage Alerts permission.

To create an alert view:

  1. Log in to the Change Guardian web console.

  2. Click Real-time Views > Alert Views > the Create icon.

  3. Specify the following:

    • Name

    • Sharing (public or private)

    • Data sources from which to view alerts

    • Filter criteria

    • Time range for which to view alerts

    • Alert period (created or modified)

  4. Save the alert view.

Viewing Alerts

Change Guardian provides a tabular representation of alerts that matches the specified alert criteria. The charts represent the alerts overview information classified by Priority, State, and Severity. The alert view table displays only distinct alerts. Duplicate alerts are rolled up to a single distinct alert. The alert view table provides information about an alert such as severity, priority, owner, state, occurrences, and so on.

IMPORTANT: The alerts are stacked based on the event fields and their values. The alerts are not stacked by time.

The Last Modified field displays the alert management activity. If you modify the owner, priority, or state of the alert, the Last Modified field is updated with the new timestamp.

To view alert views:

  1. In the Change Guardian web console, click Real-time Views > Alert Views.

  2. Select the desired alert view and click the Open the alert view icon.

As you monitor alerts, you can perform the following activities in the alert view:

  • Mouse over the charts to determine the number of alerts based on alert states, priority, and severity.

  • Sort alerts based on one or more columns in the table. Use Shift+click to select multiple columns to sort by. By default, the alert view table orders alerts by the time they were triggered, so the latest alerts are listed at the top of the table.

  • Assign alerts to a user or a role, including yourself or your role.

  • Modify the alert state to indicate the progress on the alert investigation.

  • Add comments to the alert to indicate the changes you made to the alert, which helps you to keep an up-to-date record of the alert investigation. For example, you can add comments when you change the state of a specific alert or when you have gathered more information about the alert. Providing specific comments allows you to accumulate knowledge about a particular instance of the alert and track how a particular condition was addressed. Comments are important in tracking the alert, particularly if the process of resolving the alert spans several users or roles.

  • View events that triggered the alert and drill down further to the extent of viewing the user identities that triggered the event by clicking the View details icon in the alert view table.

    The Alert Details page displays detailed information about an alert, including the following:

    • Source: Displays the alert rule that generated the alert. You can also annotate the alert rule by adding information to the knowledge base so that future alerts generated by this alert rule include the associated historical information.

    • Knowledge Base: The knowledge base is a repository that contains information about the conditions that resulted in the alert. It can also include information about resolution of a particular alert, which can help others resolve similar alerts in the future. Over time, you can collect a valuable knowledge base about the alert specific to a tenant or an enterprise.

      For example, an employee has recently joined the organization and is supposed to have the access permissions to a secured server. But this employee might not have been added yet to the authorized users list. Therefore, an alert is generated every time the employee tries to access the server. In such a case, you can add a note in the alert knowledge base to indicate that the “employee is approved to access the server, but is not yet listed in the authorized users list. This alert can be ignored and set to low priority.”

      NOTE: To view or edit the knowledge base, you must be an administrator or have the View Knowledge Base or Edit Knowledge Base permissions.

    • Alert Fields: Displays the alert fields that provide the following information:

      • who and what caused the alert.

      • the assets affected.

      • the taxonomic categories of the action that caused the alert, the outcome, and so on. For more information on taxonomy, see Sentinel Taxonomy.

    • Trigger Events: Displays the events that triggered the correlated event associated with the alert. You can determine the conditions that triggered the alert by examining the trigger events.

    • Show history: Displays the changes made to the alert, which helps you track any actions taken on the alert.

    • Identities: Displays the list of users involved in the alert. This information helps you to investigate the users involved in the alert and monitor their activities.

15.3.2 Analyzing Alert Dashboards

If you are using a mixed environment with Change Guardian and Sentinel, you can use the alert dashboard in Sentinel to see a high-level overview of the alerts in your organization. The alert dashboard enables you to analyze and study common patterns in alerts, such as types of alerts, geographical locations from which the alerts originated, the oldest open alerts, and the alerts that took the longest time to close.

15.3.3 Filtering Alerts

You can configure alert routing rules to filter the alerts and choose to either store the alerts in the Change Guardian database or drop the filtered alerts.

Change Guardian evaluates the alert routing rules on a first-match basis in top-down order and applies the first matched alert routing rule to alerts that match the filter criteria. If no routing rule matches the alerts, Change Guardian applies the default rule against the alerts. The default routing rule stores all the alerts generated in Change Guardian.

Creating an Alert Routing Rule

To create an alert routing rule to filter the alerts:

  1. Log in to the Change Guardian web console.

  2. Click Routing > Alert Routing Rules > Create.

  3. Specify the following information:

    • Name for the alert routing rule

    • Filter criteria

    • Action to take for alerts that match the criteria: either store or drop

      WARNING: If you select Drop, the filtered alerts are lost permanently.

  4. Specify whether you want to enable the alert routing rule at this time.

  5. Save the alert routing rule.

Ordering Alert Routing Rules

When there is more than one alert routing rule, you can reorder the alert routing rules by dragging them to a new position or by using the Reorder option. Alert routing rules evaluate alerts in the specified order until a match is made, so you should order the alert routing rules accordingly. Place more narrowly defined alert routing rules and more important alert routing rules at the beginning of the list.

Change Guardian processes the first routing rule that matches the alert based on the criteria. For example, if an alert passes the criteria for two routing rules, only the first rule is applied. The default routing rule always appears at the end.
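The first-match, top-down evaluation described above, and the reason narrow rules must precede broad ones, as an added illustration that is not Change Guardian's own code. Alert field names, values and rule names are constructed for the example; a disabled rule is skipped, and the default rule stores whatever nothing else matched.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed alert records; field names and values are illustrative only.
Alert = Dict[str, str]

SAMPLE_ALERTS: List[Alert] = [
    {"id": "A1", "severity": "low", "asset": "dc01", "change": "group-membership"},
    {"id": "A2", "severity": "low", "asset": "ws42", "change": "file-read"},
    {"id": "A3", "severity": "high", "asset": "ws42", "change": "privilege-escalation"},
]


@dataclass
class RoutingRule:
    name: str
    matches: Callable[[Alert], bool]  # filter criteria
    action: str                       # "store" or "drop"
    enabled: bool = True


# The default rule matches everything and stores; it is always evaluated last.
DEFAULT_RULE = RoutingRule("default", lambda a: True, "store")


def route_alert(alert: Alert, rules: List[RoutingRule]) -> Tuple[str, str]:
    """Evaluate enabled rules top-down and apply only the first match."""
    for rule in rules:
        if rule.enabled and rule.matches(alert):
            return rule.name, rule.action
    return DEFAULT_RULE.name, DEFAULT_RULE.action


def route_all(alerts: List[Alert], rules: List[RoutingRule]) -> Dict[str, Tuple[str, str]]:
    return {a["id"]: route_alert(a, rules) for a in alerts}


# Narrow rule: keep low-severity alerts that involve domain controllers.
KEEP_DC_LOW = RoutingRule(
    "keep-dc-low", lambda a: a["severity"] == "low" and a["asset"].startswith("dc"), "store")
# Broad rule: drop the remaining low-severity noise.
DROP_LOW = RoutingRule("drop-low", lambda a: a["severity"] == "low", "drop")


def routing_with_broad_rule_first() -> Dict[str, Tuple[str, str]]:
    # The broad drop rule shadows the narrow store rule: A1 is lost permanently.
    return route_all(SAMPLE_ALERTS, [DROP_LOW, KEEP_DC_LOW])


def routing_with_narrow_rule_first() -> Dict[str, Tuple[str, str]]:
    # Correct ordering: A1 stored, A2 dropped, A3 falls through to the default rule.
    return route_all(SAMPLE_ALERTS, [KEEP_DC_LOW, DROP_LOW])


def routing_with_drop_rule_disabled() -> Dict[str, Tuple[str, str]]:
    # A rule saved but not enabled is skipped, so A2 reaches the default rule and is stored.
    disabled = RoutingRule(DROP_LOW.name, DROP_LOW.matches, DROP_LOW.action, enabled=False)
    return route_all(SAMPLE_ALERTS, [KEEP_DC_LOW, disabled])
```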

15.3.4 Configuring Alert Retention Policies

The alert retention policies control when the alerts should be closed and deleted from Change Guardian. If a user does not manually close an alert, it remains open. Alerts notify you of a recent event, so the older an alert is, the less valuable it is. You can configure the alert retention policies to set the duration to automatically close and delete the alerts from Change Guardian.

To configure the alert retention policy:

  1. Log in to the Change Guardian web console.

  2. Click Storage > Alert.

  3. Specify the following:

    • The number of days from the date of creation of alerts, after which the alert status is set to closed.

    • The number of days from the date of closure of alerts, after which the alerts are deleted from Change Guardian.

  4. Save the alert retention policy.
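How the two retention thresholds interact, as an added example that is not Change Guardian's own code: an open alert is auto-closed a fixed number of days after creation, and any closed alert (auto-closed or manually closed) is deleted a fixed number of days after its closure date. Dates, alert ids and the 30-day/15-day policy are constructed, and treating a threshold as reached on the day it elapses (rather than the day after) is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional


@dataclass
class RetentionPolicy:
    close_after_days: int   # days from creation after which state becomes closed
    delete_after_days: int  # days from closure after which the alert is deleted


@dataclass
class AlertRecord:
    id: str
    created: date
    state: str = "open"           # "open" or "closed"
    closed: Optional[date] = None  # set when closed manually or by the policy


def apply_retention(alert: AlertRecord, policy: RetentionPolicy, today: date) -> str:
    """Return the alert's disposition on `today`: 'open', 'closed' or 'deleted'."""
    # Step 1: auto-close open alerts whose age has reached the close threshold
    # (assumption: the threshold counts as reached on the day it elapses).
    # A manually closed alert keeps its own closure date.
    if alert.state == "open" and (today - alert.created).days >= policy.close_after_days:
        alert.state = "closed"
        alert.closed = alert.created + timedelta(days=policy.close_after_days)
    # Step 2: delete closed alerts once the post-closure window has elapsed.
    if alert.state == "closed" and alert.closed is not None:
        if (today - alert.closed).days >= policy.delete_after_days:
            return "deleted"
    return alert.state


# Constructed sample: close 30 days after creation, delete 15 days after closure.
POLICY = RetentionPolicy(close_after_days=30, delete_after_days=15)
TODAY = date(2024, 3, 1)
SAMPLE_ALERTS = [
    AlertRecord("old-open", date(2024, 1, 1)),                 # auto-closed Jan 31, then deleted
    AlertRecord("aging-open", date(2024, 1, 20)),              # auto-closed Feb 19, not yet deleted
    AlertRecord("recent-open", date(2024, 2, 20)),             # still open
    AlertRecord("manual", date(2024, 1, 20), "closed", date(2024, 2, 25)),  # closed by a user
]


def retention_report() -> Dict[str, str]:
    return {a.id: apply_retention(a, POLICY, TODAY) for a in SAMPLE_ALERTS}
```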