Exabeam Cloud Platform: Alert Triage

Investigate Alerts

Understand the contextual information available in a channel and alert to determine which alerts are worth looking at, assess an alert's potential impact, and decide your next steps.

Although Alert Triage has already automated much of your workflow, there may still be hundreds of alerts in a channel. Use the contextual information provided with each alert to correlate alerts and build a complete picture of your organization's threat landscape. Once you understand this context, you can make informed decisions about what to investigate and how to respond.

1. Identify where to start investigating

To get an overview of what's happening in a channel and identify where to start, review the list of all alerts in a channel. Alerts are sorted based on when they were created, from latest to oldest.

From the contextual information provided at a glance, learn about:

  • When the alert was created

  • The source that created the alert

  • How severe the alert is, according to the alert source: low, medium, high, or critical

  • The alert name

  • Associated users and their risk score during the session when the alert occurred. If the session is ongoing, the risk score updates concurrently.

  • Associated assets, whether source or destination, and their risk scores during the session when the alert occurred. If the session is ongoing, the risk score updates concurrently.

  • Alert status:

    • New – By default, an alert has a New status. Once you change an alert to another status, you can't revert the status to New.

    • In Progress – Someone was assigned to investigate the alert and assess its impact. The alert is unassigned by default. If you ever reassign the alert to Unassigned, the alert status won't change.

    • Escalated – The alert is a potential true positive you want to report. This creates an incident in Case Manager.

    • Dismissed – The alert is a false positive.

    • Resolved – You resolved the alert without escalating it.

  • Who has been assigned to investigate the alert

If an alert looks like it may be worth investigating further, click the alert to view more details.
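A small Python model of the alert status lifecycle described above, added here as an illustration; it is not Exabeam's code or API. The `Alert`, `Incident` and `triage` names are assumptions, and the incident record stands in for what Case Manager creates on escalation.

```python
"""Hypothetical model of the Alert Triage status rules (not Exabeam's API)."""
from dataclasses import dataclass, field

STATUSES = {"New", "In Progress", "Escalated", "Dismissed", "Resolved"}
UNASSIGNED = "Unassigned"


@dataclass
class Incident:
    """Constructed stand-in for the Case Manager incident created on escalation."""
    alert_name: str
    reported_by: str


@dataclass
class Alert:
    name: str
    severity: str                 # low, medium, high, or critical, as set by the source
    status: str = "New"           # every alert starts as New
    assignee: str = UNASSIGNED    # alerts are unassigned by default
    incidents: list = field(default_factory=list)

    def assign(self, analyst: str) -> None:
        """Change the assignee; reassigning to Unassigned never touches the status."""
        self.assignee = analyst

    def set_status(self, new_status: str, actor: str) -> None:
        """Apply a status change, enforcing the rules the page states."""
        if new_status not in STATUSES:
            raise ValueError(f"unknown status {new_status!r}")
        if new_status == "New" and self.status != "New":
            # Once an alert leaves New it can never be reverted to New
            raise ValueError("an alert cannot be reverted to New")
        if new_status == "Escalated":
            # Escalating reports a potential true positive and opens an incident
            self.incidents.append(Incident(self.name, actor))
        self.status = new_status


def triage(alert: Alert, analyst: str, verdict: str) -> Alert:
    """Walk one alert from assignment through a final verdict."""
    alert.assign(analyst)
    alert.set_status("In Progress", analyst)   # someone is now investigating
    alert.set_status(verdict, analyst)         # Escalated, Dismissed, or Resolved
    return alert
```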

2. Assess an alert's potential impact

To judge whether an alert may be a true positive, open its details, investigate further, and assess its potential business impact.

  1. From the list, select an alert.

  2. To view the raw log, select View logs. The log shows the time, date, alert type, severity, source IP, source host, or user.

  3. Under USER/DEVICE, view the users and devices associated with the alert and whether they triggered other alerts in the past week. To learn more about the user or device, click on its name and view more details in Advanced Analytics. To understand the alert in the context of other anomalies, click Go to Timeline.

  4. To understand what happened before this alert was triggered, under NEARBY ANOMALIES, view the five anomalies with the highest risk scores that occurred previously. To view all previous anomalies in the session, click Show all.

3. Respond to the alert

After assessing this contextual information about the alert and associated users or devices, resolve, dismiss, or escalate it.