The alerts you can view depend on the alert permissions applicable to your role and the tenancy of your role. For more information about permission to manage alerts, see Configuring Users and Roles in the Change Guardian Installation and Administration Guide.
Alert views provide a graphical and tabular representation of alerts that match the specified alert criteria. Charts provide a summary of alerts and the table provides high-level information about individual alerts. Change Guardian provides some alert views, but you can also create alert views and customize the alert criteria as necessary.
To open alert views:
In the web console, click ALERTS.
This opens the Threat Response Dashboard.
In the left pane, click Real Time Views.
Click Alert Views and select the desired view.
As you monitor alerts, you can perform the following activities:
Move the mouse pointer over the charts to determine the number of alerts based on alert states, priority, and severity.
Sort alerts based on one or more columns in the table. Shift+click column headers to sort by multiple columns. By default, the alert view table sorts alerts by the time at which they were triggered, so the latest alerts are listed at the top of the table.
Assign alerts to a user or a role, including yourself or your role.
Modify the alert state to indicate the progress on the alert investigation.
Add comments to the alert to indicate the changes you made to the alert, which helps you to keep an up-to-date record of the alert investigation.
For example, you can add comments when you change the state of a specific alert or when you have gathered more information about the alert. By providing specific comments, you can accumulate knowledge about a particular instance of the alert and track how a particular condition was addressed. Comments are important in tracking the alert, particularly if the process of resolving the alert spans several users or roles.
View the events that triggered the alert, and drill down as far as the user identities that triggered each event, by clicking the View details icon in the alert view table.
View the IP address of the remote Change Guardian server by moving the mouse pointer over the name of the alert.
Modify the owner, priority, or state of the alert. The Last Modified field displays the alert management activities.
IMPORTANT: The alerts are stacked based on the event fields and their values. The alerts are not stacked by time.
The Alert Details page displays detailed information about an alert including the following:
Source: Displays the alert rule that generated the alert. You can also annotate the alert rule by adding information to the knowledge base so that future alerts generated by this alert rule include the associated historical information.
Knowledge Base: The knowledge base is a repository that contains information about the conditions that resulted in the alert. It can also include information about the resolution of a particular alert, which can help others resolve similar alerts in the future. Over time, you can collect a valuable knowledge base about the alert specific to a tenant or an enterprise.
For example, an employee who has recently joined the organization is supposed to have access permissions to a secured server, but might not have been added yet to the authorized users list. Therefore, an alert is generated every time the employee tries to access the server. In such a case, you can add a note in the alert knowledge base to indicate that the employee is approved to access the server but is not yet listed in the authorized users list, so the alert can be ignored and set to low priority.
NOTE: To view or edit the knowledge base, you must be an administrator or have the View Knowledge Base or Edit Knowledge Base permissions.
Alert Fields: Displays the alert fields that provide the following information:
who and what caused the alert.
the assets affected.
the taxonomic categories of the action that caused the alert, the outcome, and so on. For more information on taxonomy, see Sentinel Taxonomy.
Trigger Events: Displays the events that triggered the correlated event associated with the alert. You can determine the conditions that triggered the event that generated the alert by examining the trigger events.
Show history: Displays the changes made to the alert, which helps you track any actions taken on the alert.
Identities: Displays the list of users involved in the alert. This information helps you to investigate the users involved in the alert and monitor their activities.