5.1 Analyzing Alerts in the Threat Response Dashboard and Alerts View

Change Guardian provides several ways to view alerts. The alerts you can view depend on the alert permissions applicable to your role and the tenancy of your role. For more information about permission to manage alerts, see Configuring Users and Roles in the Change Guardian Installation and Administration Guide.

Change Guardian provides the following ways for you to view alerts in real time and triage them:

Threat Response Dashboard

The Threat Response dashboard provides an overview of your current workload by breaking alerts down into groups, such as status, assignment, and priority. With the alerts grouped in this way, you can focus on and triage the high-priority alerts assigned to you before triaging other alerts.

To view alert details, click any of the numbers or graphs. From the dashboard, you can also:

  • Launch multiple pages in the browser

  • Share content with colleagues using a URL

  • Bookmark pages for quick access

NOTE: For users in the Operator role, the Threat Response dashboard is the main user interface for viewing and triaging alerts. Any user with permission to manage alerts can also use it. Users who prefer the alert views in the Administration Console, or who do not have permission to view or manage alerts on the Threat Response dashboard, can use Real-time Views in the Administration Console.

Alerts View

In the Change Guardian Administration Console, alert views provide a graphical and tabular representation of alerts that match the specified alert criteria. Charts summarize the alerts, and the table provides high-level information about individual alerts. Change Guardian ships with some alert views, but you can also create your own alert views and customize the alert criteria as necessary.

The alert table displays only distinct alerts. Duplicate alerts are rolled up into a single distinct alert. To view the IP address of the remote Change Guardian server, move the mouse over the name of the alert.

As you monitor alerts, you can perform the following activities in the Threat Response Dashboard as well as the Alert View:

  • Mouse over the charts to determine the number of alerts based on alert states, priority, and severity.

  • Sort alerts by one or more columns in the table. Shift+click column headers to sort by multiple columns. By default, the alert view table sorts alerts by the time they were triggered, so the latest alerts are listed at the top of the table.

  • Assign alerts to a user or a role, including yourself or your role.

  • Modify the alert state to indicate the progress on the alert investigation.

  • Add comments to the alert to indicate the changes you made to the alert, which helps you to keep an up-to-date record of the alert investigation. For example, you can add comments when you change the state of a specific alert or when you have gathered more information about the alert. Providing specific comments allows you to accumulate knowledge about a particular instance of the alert and track how a particular condition was addressed. Comments are important in tracking the alert, particularly if the process of resolving the alert spans several users or roles.

  • View the events that triggered the alert and drill down as far as the user identities that triggered those events by clicking the View details icon in the alert view table.

    The Alert Details page displays detailed information about an alert, including the following:

    • Source: Displays the alert rule that generated the alert. You can also annotate the alert rule by adding information to the knowledge base so that future alerts generated by this alert rule include the associated historical information.

    • Knowledge Base: The knowledge base is a repository that contains information about the conditions that resulted in the alert. It can also include information about resolution of a particular alert, which can help others resolve similar alerts in the future. Over time, you can collect a valuable knowledge base about the alert specific to a tenant or an enterprise.

      For example, an employee who recently joined the organization is supposed to have access permissions to a secured server, but has not yet been added to the authorized users list. An alert is therefore generated every time the employee tries to access the server. In such a case, you can add a note to the alert knowledge base such as: “The employee is approved to access the server but is not yet listed in the authorized users list. This alert can be ignored and set to low priority.”

      NOTE: To view or edit the knowledge base, you must be an administrator or have the View Knowledge Base or Edit Knowledge Base permissions.

    • Alert Fields: Displays the alert fields that provide the following information:

      • who and what caused the alert.

      • the assets affected.

      • the taxonomic categories of the action that caused the alert, the outcome, and so on. For more information on taxonomy, see Sentinel Taxonomy.

    • Trigger Events: Displays the events that triggered the correlated event associated with the alert. You can determine the conditions that triggered the alert by examining the trigger events.

    • Show history: Displays the changes made to the alert, which helps you track any actions taken on the alert.

    • Identities: Displays the list of users involved in the alert. This information helps you to investigate the users involved in the alert and monitor their activities.

IMPORTANT: Alerts are stacked based on the event fields and their values. Alerts are not stacked by time.
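The roll-up described above (duplicates collapsed into one distinct alert, keyed on event field values rather than on time) is illustrated by the following added example. It is not Change Guardian's own code; the set of stacking fields, the alert dictionary layout, and the sample alerts are all constructed for the illustration.

```python
# Added illustration (not Change Guardian's own code): duplicates roll up on the
# values of selected event fields, never on time.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Event fields whose values define one distinct alert (assumed for this example).
STACK_FIELDS = ("rule", "initiator", "target", "action", "outcome")

@dataclass
class AlertStack:
    """One distinct alert plus the bookkeeping kept for its rolled-up duplicates."""
    key: Tuple[str, ...]
    count: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    servers: Set[str] = field(default_factory=set)  # remote Change Guardian servers

def stack_alerts(raw_alerts: List[dict]) -> Dict[Tuple[str, ...], AlertStack]:
    """Roll raw alerts into distinct alerts keyed only by STACK_FIELDS values."""
    stacks: Dict[Tuple[str, ...], AlertStack] = {}
    for alert in raw_alerts:
        key = tuple(str(alert[f]) for f in STACK_FIELDS)
        stack = stacks.setdefault(key, AlertStack(key))
        seen = datetime.fromisoformat(alert["time"])
        stack.count += 1
        if stack.first_seen is None or seen < stack.first_seen:
            stack.first_seen = seen
        if stack.last_seen is None or seen > stack.last_seen:
            stack.last_seen = seen
        stack.servers.add(alert["server"])
    return stacks

def _alert(time, server, outcome="denied", initiator="jdoe"):
    """Build one constructed sample alert (not real event data)."""
    return {"time": time, "server": server, "rule": "Unauthorized file access",
            "initiator": initiator, "target": "fs01:/finance", "action": "read",
            "outcome": outcome}

# Identical field values hours and days apart -> one stack. Same minute but a
# different outcome or initiator -> separate stacks: time is not part of the key.
SAMPLE_ALERTS = [
    _alert("2024-03-01T08:00:00", "10.0.0.5"),
    _alert("2024-03-01T08:00:00", "10.0.0.5", outcome="allowed"),
    _alert("2024-03-01T17:30:00", "10.0.0.6"),
    _alert("2024-03-03T09:15:00", "10.0.0.5"),
    _alert("2024-03-03T09:15:00", "10.0.0.5", initiator="asmith"),
]
```

Running `stack_alerts(SAMPLE_ALERTS)` yields three distinct alerts from five raw ones; the three "denied" alerts by jdoe stack together despite spanning two days, while the two alerts raised in the same minute as others remain separate because a field value differs.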

The Last Modified field records alert management activity. If you modify the owner, priority, or state of the alert, the Last Modified field is updated with the new timestamp.

To access alert views, click Real-time Views > Alert Views.