Exabeam Cloud Platform: Alert Triage

Alert Triage Channels

Organize a shared workload and get assigned to investigate certain alerts with Alert Triage channels.

An Alert Triage channel is a subset of alerts that analysts are assigned to investigate. If you have administrator or manager permissions, you curate the alerts in a channel based on certain criteria: source, severity, alert type, and alert name.

All channels you're assigned to appear on the All Channels tab. When you select a channel, it opens in its own tab. On that tab, a number indicates how many new alerts have appeared in the channel since you last opened it. Select any alert in the channel to investigate, dismiss, or escalate it.

If you're an administrator or manager, you can create, edit, and delete a channel.

Create a Channel

Create and assign analysts to a channel so they can start triaging a specific subset of alerts. You can create a channel only if you have administrator or manager permissions.

  1. On the All Channels tab, click + Create a Channel.

  2. To determine which alerts appear in the channel, filter the alerts by source, severity type, alert type, and alert name. The source you select narrows the possible values for the other criteria. The values you can select are ones that have appeared at least once in an existing alert.

    For an alert to appear in the channel, it must match all the criteria for a filter.

    1. After show alerts where source is, click the empty space, then select a vendor source. To search for a specific vendor source, start typing. You see the vendor sources for all your alerts, including Exabeam Data Lake if you have it.

    2. (Optional) After severity is, click the empty space, then select a severity type from the list. To select all severity types in the list, select Select All.

      If you leave this blank, an alert appears in the channel if it has any severity type, including new severity types Alert Triage hasn't seen before.

    3. (Optional) After alert type is, click the empty space, then select an alert type from the list. To select all alert types in the list, select Select All.

      If you leave this blank, an alert appears in the channel if it has any alert type, including new alert types Alert Triage hasn't seen before.

    4. (Optional) After alert name is, click the empty space, then select an alert name from the list. To select all alert names in the list, select Select All.

      If you leave this blank, an alert appears in the channel if it has any alert name, including new alert names Alert Triage hasn't seen before.

  3. To add another filter, click the add button. For an alert to appear in the channel, it must match all the criteria in at least one filter.

  4. Under Preview, preview the alerts that match the filters you specified.

  5. Click Save Filters.

  6. Enter basic information about the channel:

    • Channel Name – Enter a name for the channel.

    • Channel Assignment – To assign people to investigate alerts in the channel, click the box, then select the people who can view the channel. To select all the people in the list, select Select All. Since you created the channel, you automatically have access.

    • (Optional) Description – Describe the channel.

  7. Click Create.
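The matching rules from steps 2 and 3 (every criterion within one filter must match, any one filter is enough, and a blank optional criterion matches every value, including values Alert Triage has not seen before), modelled here as an added example that is not Exabeam's documentation or product code; the vendor names and alert values are constructed placeholders:

```python
# Added example, not Exabeam code: models how Alert Triage decides whether
# an alert belongs in a channel. Vendor names and alert values are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    source: str
    severity: str
    alert_type: str
    name: str


@dataclass(frozen=True)
class ChannelFilter:
    source: str                                  # required: the vendor source
    severities: Optional[frozenset] = None       # None models "left blank"
    alert_types: Optional[frozenset] = None
    names: Optional[frozenset] = None

    def matches(self, alert: Alert) -> bool:
        """All criteria in this one filter must match (AND)."""
        if alert.source != self.source:
            return False
        for allowed, actual in ((self.severities, alert.severity),
                                (self.alert_types, alert.alert_type),
                                (self.names, alert.name)):
            # A blank criterion accepts any value, even one never seen before.
            if allowed is not None and actual not in allowed:
                return False
        return True


def in_channel(alert: Alert, filters: List[ChannelFilter]) -> bool:
    """An alert appears in the channel if at least one filter matches (OR)."""
    return any(f.matches(alert) for f in filters)


def preview(alerts: List[Alert], filters: List[ChannelFilter]) -> List[Alert]:
    """What the Preview pane would show: every alert that lands in the channel."""
    return [a for a in alerts if in_channel(a, filters)]


# Constructed sample channel: two filters joined by OR.
SAMPLE_CHANNEL = [
    ChannelFilter("VendorA", severities=frozenset({"high", "critical"})),
    ChannelFilter("VendorB", alert_types=frozenset({"authentication"}),
                  names=frozenset({"Repeated login failure"})),
]
```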

Edit a Channel

Edit the filters that determine which alerts are curated in the channel, reassign people to the channel, or rename the channel. You can only edit channels you created.

  1. Navigate to the All Channels tab.

  2. Hover over a channel, then select the edit icon.

  3. Change the channel's filter criteria, name, access permissions, or description.

  4. Click Save.

Delete a Channel

You can only delete channels you created.

  1. Navigate to the All Channels tab.

  2. Hover over a channel, then click the trash icon.

  3. Click Delete. The channel is deleted for all users. If any users are currently viewing the channel, you may disrupt their workflow. Alert statuses remain the same.