24.2 Overview

The following figure provides an overview of creating and monitoring alerts:

Figure 24-1 Alert Overview

  1. Configure correlation rules to create alerts when a correlation rule fires.

    Correlation rules create alerts. Alerts contain almost the same information as the correlated event and also include some additional information specific to alerts, such as owner, state, and priority.

    As subsequent instances of the same alert are detected, Sentinel associates the trigger events to the existing alert to avoid duplication of alerts.

    For more information, see Configuring Alert Creation.

  2. View and monitor alerts displayed in charts and the table. As you monitor alerts, you can assign alerts to different users and roles, track the alert from origination to resolution, annotate the correlation rule by adding information to the knowledge base, and so on. For more information, see Visualizing and Analyzing Alerts.

  3. If the potential threat that caused the alert is critical enough to need immediate action, or the threat indicates a security compromise, escalate the threat by creating an incident. For more information, see Escalating Alerts to an Incident in the Sentinel User Guide.

  4. Configure alert retention policies to set how long alerts are kept before Sentinel automatically closes and then deletes them. For more information, see Configuring Alert Retention Policies.
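To make the lifecycle in these four steps concrete, here is an added Python model (not Sentinel's code or API): a correlation rule firing creates an alert carrying owner, state and priority; a later firing with the same assumed alert key attaches its trigger event to the existing alert instead of creating a duplicate; escalation produces an incident; and a retention policy auto-closes idle alerts and deletes closed ones after a second interval. The alert key, the state names and the two retention intervals are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Alert:
    rule: str                    # correlation rule that fired
    key: str                     # assumed identity: what makes two firings "the same alert"
    priority: int
    last_seen: datetime          # time of the most recent trigger event
    state: str = "open"          # illustrative states: open / closed
    owner: str = ""
    closed_at: datetime = None
    trigger_events: list = field(default_factory=list)

class AlertStore:
    """Toy model of the alert lifecycle: create, de-duplicate, escalate, retain."""

    def __init__(self, close_after: timedelta, delete_after: timedelta):
        self.close_after = close_after    # idle time before an open alert is auto-closed
        self.delete_after = delete_after  # how long a closed alert is kept before deletion
        self.open = {}                    # key -> open Alert
        self.closed = []

    def on_rule_fired(self, rule, key, priority, event, now):
        """Create an alert, or attach the trigger event to the open alert with the same key."""
        alert = self.open.get(key)
        if alert is None:
            alert = self.open[key] = Alert(rule, key, priority, last_seen=now)
        alert.trigger_events.append(event)
        alert.last_seen = now
        return alert

    def escalate(self, key, owner):
        """Assign the alert to an owner and escalate it to an incident carrying its trigger events."""
        alert = self.open[key]
        alert.owner = owner
        return {"alert": key, "priority": alert.priority, "events": list(alert.trigger_events)}

    def apply_retention(self, now):
        """Auto-close idle open alerts, then delete closed alerts past the retention period."""
        closed_now = 0
        for key, alert in list(self.open.items()):
            if now - alert.last_seen >= self.close_after:
                alert.state, alert.closed_at = "closed", now
                self.closed.append(self.open.pop(key))
                closed_now += 1
        before = len(self.closed)
        self.closed = [a for a in self.closed if now - a.closed_at < self.delete_after]
        return closed_now, before - len(self.closed)
```

Feeding two firings of the same rule for the same source into the store yields one alert with two trigger events, which is the de-duplication behaviour step 1 describes.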