Threat Center Alerts
An alert represents a potential threat to which you might respond.
An alert is a group of related detections, which indicate a potential threat. You triage high-priority alerts or other alerts of interest to validate their risk and determine if you need to respond.
View alerts under the Alerts tab. By default, you see alerts created in the last 24 hours that have no associated case, sorted by risk score (highest to lowest) and then by age (newest to oldest). To view other alerts of interest, search for them. To view and update information about a specific alert, select it:
1. View the alert name.
2. Ask a security-trained AI assistant questions about the alert.
3. Navigate to the timeline view in Search to view all events associated with the attribute by which detections are grouped.
4. Update alert attributes, including alert name, description, priority, associated MITRE ATT&CK® tactics and techniques, associated Exabeam use cases, and tags.[2]
5. Create a case directly from the alert.
6. Send alert information to email addresses or to webhooks.
7. Under the Overview tab, view an overview of core alert information, including:
   Copilot Threat Summary – An AI-generated summary of the alert and recommended next steps. This summary is updated every time detections are added to the alert.
   Risk Score – The case risk score and associated priority.
   User Description – The alert description.
   Grouped By – The attribute by which detections are grouped.
   Timeframe – Important markers of time associated with the alert, including:
      First Detection – The date and time the first detection was added to the alert.
      Duration – The days, hours, and minutes elapsed between when the first and last detections were added to the alert.
   Users – Users associated with related detections.
   Devices – The source and destination hosts associated with related detections.
   Rules Triggered – The triggered rules from which associated detections are created, and the number of times each rule created an associated detection.
   MITRE TTPs – The ATT&CK tactics and techniques that best describe the case.
   Use Cases – The Exabeam use cases that best describe the case.
8. In the Threat Timeline tab, view a timeline of related detections and key response moments, such as when the alert was created.
9. View a history of all changes made to the alert.
If you select an alert with an associated case, you're automatically redirected to the case.
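The following is an added illustration, not Exabeam code, of how the Overview fields above (First Detection, Duration, Users, Devices, Rules Triggered) derive from an alert's grouped detections, and of the default Alerts tab filter and ordering (last 24 hours, no associated case, risk score then age). Record shapes, field names, rule names and sample values are constructed assumptions; risk scores are taken as given rather than computed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
@dataclass  # constructed record shapes; field names are assumptions, not Exabeam's schema
class Detection:
    rule: str
    user: str
    src_host: str
    dst_host: str
    time: datetime
@dataclass
class Alert:
    name: str
    grouped_by: str              # attribute the detections share ("Grouped By")
    risk_score: int              # taken as given; the scoring itself is not modelled here
    created: datetime            # alert creation time, used for the "age" ordering
    detections: List[Detection]
    case_id: Optional[str] = None  # set once a case is created from the alert
def overview(alert: Alert) -> dict:
    """Derive the Overview-tab fields (Timeframe, Users, Devices, Rules Triggered)."""
    times = sorted(d.time for d in alert.detections)
    return {
        "first_detection": times[0],
        "duration": times[-1] - times[0],
        "users": sorted({d.user for d in alert.detections}),
        "devices": sorted({h for d in alert.detections for h in (d.src_host, d.dst_host)}),
        "rules_triggered": dict(Counter(d.rule for d in alert.detections)),
    }

def default_alert_list(alerts: List[Alert], now: datetime) -> List[Alert]:
    """Default Alerts tab: created in the last 24 hours, no case, risk score desc, then newest first."""
    shown = [a for a in alerts if a.case_id is None and a.created >= now - timedelta(hours=24)]
    return sorted(shown, key=lambda a: (a.risk_score, a.created), reverse=True)

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ago = lambda hours: T0 - timedelta(hours=hours)
SAMPLE = [  # constructed alerts, evaluated at "now" = T0
    Alert("Suspicious logon: alice", "user", 80, ago(2), [
        Detection("Rare logon country", "alice", "vpn-gw1", "dc01", ago(2)),
        Detection("Rare logon country", "alice", "vpn-gw1", "dc01", ago(1)),
        Detection("First admin activity", "alice", "ws-17", "dc01", ago(0.5))]),
    Alert("Lateral movement: ws-17", "host", 95, ago(30),  # older than 24h: not shown
          [Detection("New SMB admin share", "bob", "ws-17", "fs02", ago(30))]),
    Alert("Beaconing: ws-22", "host", 90, ago(5), case_id="CASE-1",  # has a case: not shown
          detections=[Detection("Periodic outbound", "carol", "ws-22", "proxy01", ago(5))]),
    Alert("Data staging: dave", "user", 80, ago(1),  # same score as alice but newer: listed first
          [Detection("Large archive created", "dave", "ws-40", "ws-40", ago(1))]),
]
```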
[2] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.