You can see a high-level overview of the alerts in your organization using the Alert dashboard.
Using the Alert dashboard you can analyze and study common patterns in alerts, such as:
Types of alerts
Average time taken to close alerts
Top correlation rule generating the maximum number of alerts
Geographical origin of high-severity alerts
Oldest open alerts
Alerts that took the longest time to close
The Alert dashboard consists of the following preconfigured panels that provide information about alerts in your Change Guardian server:
Overview: Displays a time series chart that shows alerts generated in Change Guardian over time. You can inspect the time series charts for any spikes, which can indicate an increase in attacks in your organization. You can drag and select the period when the spike occurred to zoom into the alerts. As you select the specific time range, Change Guardian filters the dashboard for alerts in the selected time range. Also, you can find out the geographical locations from where the alerts originated. To view geographical locations from where the alerts originated, ensure that the IpToCountry.csv file is populated by using the IP2Location Feed plug-in.
Alert Load: Provides information about the alerts at a granular level, such as the following:
Topmost alerts in your enterprise
Alert distribution among top alert owners
Total number of alerts in individual alert states
Number of alerts received from each tenant
Total number of alerts based on priority
Performance rows: Provides statistical information about how efficiently alerts are investigated and closed based on priority, correlation rule, alert owners, and tenants.
Details: Provides detailed alert information such as the oldest open alerts, the number of times duplicate alerts were rolled up, and all alert fields.
The alert dashboard displays distinct alerts in your Change Guardian servers. Duplicate alerts are rolled up to a single distinct alert.
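As an added illustration (not Change Guardian code, and not how the product computes its panels), the Python below computes the kinds of figures the Overview, Alert Load and Details panels show, over constructed alert records: the duplicate rollup, counts per state, the top correlation rule, average and longest time to close, and the oldest open alerts. The rollup key (rule plus tenant) and the 10-minute window are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    rule: str            # correlation rule that raised the alert
    priority: int        # 1 = highest
    state: str           # "New", "Investigating" or "Closed"
    owner: str
    tenant: str
    created: datetime
    closed: Optional[datetime] = None

T0 = datetime(2024, 1, 1, 8, 0)
# Constructed sample alerts, not real Change Guardian data.
ALERTS = [
    Alert("a1", "Privileged group change", 1, "Closed", "alice", "tenantA", T0, T0 + timedelta(hours=2)),
    Alert("a2", "Privileged group change", 1, "New", "", "tenantA", T0 + timedelta(minutes=5)),
    Alert("a3", "Privileged group change", 1, "Closed", "bob", "tenantA", T0 + timedelta(hours=3), T0 + timedelta(hours=9)),
    Alert("a4", "Audit policy disabled", 2, "Investigating", "bob", "tenantB", T0 + timedelta(hours=1)),
    Alert("a5", "Scheduled task created", 3, "New", "", "tenantB", T0 + timedelta(minutes=30)),
]

def rollup(alerts, window=timedelta(minutes=10)):
    """Roll repeats of the same rule for the same tenant that arrive within
    `window` of the first one into a single distinct alert (assumed key).
    Returns [(distinct_alert, number_of_raw_alerts_rolled_into_it)]."""
    groups = {}   # (rule, tenant) -> index into `distinct`
    distinct = []
    for a in sorted(alerts, key=lambda x: x.created):
        idx = groups.get((a.rule, a.tenant))
        if idx is not None and a.created - distinct[idx][0].created < window:
            distinct[idx][1] += 1
        else:
            groups[(a.rule, a.tenant)] = len(distinct)
            distinct.append([a, 1])
    return [(a, n) for a, n in distinct]

def dashboard_metrics(alerts, window=timedelta(minutes=10)):
    """Figures comparable to the dashboard panels, over distinct alerts."""
    distinct = [a for a, _ in rollup(alerts, window)]
    closed = [a for a in distinct if a.closed is not None]
    hours = [(a.closed - a.created).total_seconds() / 3600 for a in closed]
    open_alerts = sorted((a for a in distinct if a.closed is None), key=lambda a: a.created)
    return {
        "by_state": Counter(a.state for a in distinct),
        "top_rule": Counter(a.rule for a in distinct).most_common(1)[0],
        "avg_close_hours": sum(hours) / len(hours) if hours else None,
        "oldest_open": [a.alert_id for a in open_alerts],
        "longest_to_close": max(closed, key=lambda a: a.closed - a.created).alert_id if closed else None,
    }
```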
To view the alert dashboard:
In the web console, click ALERTS.
This opens the Threat Response Dashboard.
On the left pane, click the Home icon and click Alerts.
Move the mouse pointer over specific areas in the charts to view more information.
Select the required areas in the chart to filter the alert data.
Click Filtering to remove the applied filters and go back to the unfiltered view.
(Optional) You can customize the default view and save the dashboard.
(Conditional) To perform various operations on alerts such as closing an alert, assigning alerts to a user, and so on, see Alerts View.
You can create custom charts and tables for analysis. You can filter and refine the data further as you select certain areas in the charts and use the query and filter options.
For example, as a Security Operations Center manager in a multi-tenant environment, you want to analyze and investigate alerts in detail and also understand how your team is handling the alerts. You can perform the following analysis in the alert dashboard:
Investigate Alerts: You can view the alerts generated over time, number of open alerts versus closed alerts, top correlation rules generating the most number of alerts, oldest open alerts, any spikes in alerts at a specific time range, and so on.
Monitor the load of the team:
Types of alerts the team has been working on
How the alert load is distributed among top owners
Time taken to close alerts of specific priorities
Distribution of alert load among the team members
Team members that took the maximum amount of time to investigate alerts
Monitor performance against tenant service-level agreement (SLA): You can view alerts from various tenants, identify which tenant generates the most alerts, compare the time taken to investigate or close alerts for a specific tenant against other tenants, and so on.
The Alert dashboard provides a customizable, easy-to-configure interface that helps you view and investigate alerts in detail.
To create or view alerts in the dashboard, you must either be an administrator or have permission to manage alerts. Depending on your alert permissions and the tenant you belong to, Change Guardian displays the relevant alerts in the dashboard.
For troubleshooting tips about Alert Dashboard, see Unable to View Alerts in the Alerts Dashboard and Alert Views in the Change Guardian Installation and Administration Guide.