6.1 Viewing and Triaging Alerts

Sentinel provides several ways to view alerts. The alerts you can view depend on the alert permissions applicable to your role and the tenancy of your role. For more information about permission to manage alerts, see Configuring Roles and Users in the Sentinel Administration Guide.

Sentinel provides the following ways for you to view alerts in real time and triage them:

  • Threat Response Dashboard: The Threat Response dashboard provides an overview of your current workload by breaking down alerts into groups, such as status, assignment, and priority. With the alerts grouped in this way, you can focus on and triage the high priority alerts assigned to you before triaging other alerts.

    To view alert details, click on any of the numbers or graphs.

    You can also:

    • Launch multiple pages in the browser

    • Share content with colleagues using a URL

    • Bookmark pages for quick access

    NOTE: For users in the Operator role, the Threat Response dashboard is the main user interface for viewing and triaging alerts. Any user with permission to manage alerts can also use it. Users who wish to use alert views in the Sentinel Main interface, or do not have permission to view or manage alerts on the Threat Response dashboard, can click Sentinel Main in the left side navigation.

  • Alert Views: In the Sentinel Main interface, alert views provide a graphical and tabular representation of alerts that match the specified alert criteria. Charts provide a summary of alerts and the table provides high-level information about individual alerts. Sentinel provides some alert views, but you can also create your own alert views and customize the alert criteria as necessary. For more information, see Creating an Alert View.

    To access alert views, click Real-time Views > Alert Views.

The alert table displays only distinct alerts. Duplicate alerts are rolled up into a single distinct alert. For more information about rolling up duplicate alerts, see Configuring Alert Creation in the Sentinel Administration Guide. Alerts from Sentinel servers in a distributed location are distinguished by the Remote icon next to the name of the alert. You can view the IP address of the remote Sentinel server by moving the mouse over the name of the alert.

As you monitor alerts, you can perform the following activities:

  • Mouse over the charts to see the number of alerts by state, priority, and severity.

  • Sort alerts by one or more columns in the table. Shift+click column headers to sort on multiple columns. By default, the alert view table sorts alerts by the time they were triggered, so the latest alerts appear at the top of the table.

  • Assign alerts to a user or a role, including yourself or your role.

  • Modify the alert state to indicate the progress on the alert investigation.

  • Add comments to the alert to record the changes you made, which keeps an up-to-date record of the alert investigation. For example, add a comment when you change the state of an alert or when you have gathered more information about it. Specific comments accumulate knowledge about a particular instance of the alert and track how a particular condition was addressed. Comments are especially important when resolving the alert spans several users or roles.

  • View the events that triggered the alert and drill down for more information. To drill down to the user identities that triggered the event, click the View details icon in the alert view table.

    The Alert Details page displays detailed information about an alert including the following:

    • Source / Background Information: Displays the correlation rule that generated the alert. You can also annotate the correlation rule by adding information to the knowledge base so that future alerts generated by this correlation rule include the associated historical information.

      NOTE: In Sentinel Main, the field is Source. In the Threat Response dashboard, the field is Background Information.

    • Knowledge Base: The knowledge base is a repository that contains information about the conditions that resulted in the alert. It can also include information about the resolution of a particular alert, which can help others resolve similar alerts in the future. Over time, you can build a valuable knowledge base about the alert that is specific to a tenant or an enterprise.

      For example, an employee has recently joined the organization and has the access permissions to a secured server. However, this employee might not have been added yet to the authorized users list. Therefore, an alert is generated every time the employee tries to access the server. In such a case, you can add a note in the alert knowledge base to indicate that the “employee is approved to access the server, but is not yet listed in the authorized users list. This alert can be ignored and set to low priority.”

      NOTE: To view or edit the knowledge base, you must be an administrator or have the View Knowledge Base or Edit Knowledge Base permissions.

    • Alert Fields: Displays the alert fields that provide the following information:

      • who and what caused the alert

      • the assets affected

      • the taxonomic categories of the action that caused the alert, the outcome, and so on. For more information on taxonomy, see Sentinel Taxonomy.

      For more information about alert fields, click Tips on the top-right corner of the Sentinel Main interface.

    • Trigger Events: Displays the events that triggered the alert. You can investigate the conditions that triggered the alert by examining the trigger events. By default, the Alert Details page displays up to 10000 trigger events per alert. You can change this limit as necessary. For more information, see Configuring the Number of Trigger Events to be Displayed in the Alert View in the Sentinel Administration Guide.

      NOTE: Although the alert may include trigger events older than the configured data retention period, only events within the data retention period are displayed.

    • Show history: Displays the changes made to the alert, which helps you track any actions taken on the alert.

    • Identities: (Sentinel Main only) Displays the list of users involved in the alert. This information helps you investigate the users involved in the alert and monitor their activities.

    • Incident probability: Displays the probability of the alert being escalated to an incident. The value is calculated from alerts that were escalated to incidents within the data retention period, excluding escalations from the last 3 hours. The value is refreshed every 3 hours by default; the interval is configurable. To configure the refresh interval, see Customizing Incident Probability Refresh Interval in the Sentinel Administration Guide.

      Because the Incident probability value is generated every 3 hours by default, it does not reflect alerts that were escalated within the last 3 hours. For example, an alert escalated 1 hour ago is not considered until the next refresh. If you want the updated incident probability immediately rather than waiting up to 3 hours, call the incident_recommendation REST API. For more information, see the REST API documentation. To view the REST API documentation in Sentinel, click Sentinel Main > Help > APIs.
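The refresh lag described above is easiest to reason about with a small model. The following is an added example and not Sentinel's own code: the guide only states that the value is derived from alerts escalated within the retention period, that escalations from the last 3 hours are ignored, and that an on-demand recomputation is available through the incident_recommendation REST API. The per-rule formula used here (escalated alerts divided by all alerts from the same correlation rule), the 90-day retention period, the Alert record layout and the sample history are all assumptions made for illustration; calling the real REST API is not shown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Sentinel's documented default refresh interval. The retention period is an
# assumed value; in Sentinel it is whatever the administrator configured.
REFRESH_INTERVAL = timedelta(hours=3)
RETENTION_PERIOD = timedelta(days=90)


@dataclass(frozen=True)
class Alert:
    """Minimal alert record (assumed layout, not Sentinel's schema)."""
    alert_id: str
    rule: str                                # correlation rule that generated the alert
    created: datetime
    escalated_at: Optional[datetime] = None  # when the alert became an incident, if ever


def incident_probability(alerts: Iterable[Alert], rule: str, now: datetime,
                         refresh_interval: timedelta = REFRESH_INTERVAL,
                         retention: timedelta = RETENTION_PERIOD) -> Optional[float]:
    """Share of alerts from `rule` that were escalated, as of the last refresh.

    The snapshot is taken at `now - refresh_interval`: alerts created after that
    point are not in the population and escalations after it are not counted,
    which is the documented lag. Alerts created before the retention window are
    ignored. Returns None when the rule has no alert history in the window.
    """
    cutoff = now - refresh_interval
    window_start = now - retention
    population = [a for a in alerts
                  if a.rule == rule and window_start <= a.created <= cutoff]
    if not population:
        return None
    escalated = sum(1 for a in population
                    if a.escalated_at is not None and a.escalated_at <= cutoff)
    return escalated / len(population)


def on_demand_probability(alerts: Iterable[Alert], rule: str, now: datetime) -> Optional[float]:
    """Recompute without the lag, modelling the effect of the on-demand
    incident_recommendation REST API call (the HTTP call itself is not shown)."""
    return incident_probability(alerts, rule, now, refresh_interval=timedelta(0))


def refresh_snapshot(alerts: List[Alert], now: datetime) -> Dict[str, Optional[float]]:
    """What a scheduled refresh would publish for every correlation rule seen."""
    rules = sorted({a.rule for a in alerts})
    return {rule: incident_probability(alerts, rule, now) for rule in rules}


# Constructed sample history (not real Sentinel data). NOW is the moment the
# dashboard is being viewed; the last scheduled refresh ran at NOW - 3h.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("A1", "Brute-force login", NOW - timedelta(days=5),
          NOW - timedelta(days=5) + timedelta(hours=1)),        # escalated long ago
    Alert("A2", "Brute-force login", NOW - timedelta(days=3)),  # never escalated
    Alert("A3", "Brute-force login", NOW - timedelta(days=2)),  # never escalated
    Alert("A4", "Brute-force login", NOW - timedelta(hours=6),
          NOW - timedelta(hours=1)),                            # escalated 1h ago: invisible to last refresh
    Alert("A5", "Brute-force login", NOW - timedelta(days=100),
          NOW - timedelta(days=100) + timedelta(hours=1)),      # outside retention: ignored
    Alert("A6", "Brute-force login", NOW - timedelta(minutes=30)),  # created after last refresh
    Alert("B1", "Port scan", NOW - timedelta(days=1), NOW - timedelta(hours=20)),
    Alert("B2", "Port scan", NOW - timedelta(hours=2)),         # created after last refresh
]


if __name__ == "__main__":
    # Scheduled value: A1..A4 in population, only A1 counts as escalated -> 0.25
    print("scheduled:", refresh_snapshot(SAMPLE_ALERTS, NOW))
    # On demand: A6 joins the population and A4's escalation now counts -> 0.4
    print("on demand:", on_demand_probability(SAMPLE_ALERTS, "Brute-force login", NOW))
```

The difference between the two numbers is exactly the case the note above warns about: an analyst reading 0.25 on the dashboard at NOW is seeing the state as of the last refresh, and an escalation made an hour earlier is only reflected after the next refresh or an on-demand recomputation.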