7.2 Creating an Alert View

To view and analyze alerts in the Sentinel Main interface, you must first create the alert view. To create the alert view, you must either be an administrator or have the Create and use Alert Views permission. For more information, see Configuring Roles and Users in the Sentinel Administration Guide.

To create an alert view:

  1. Do one of the following:

    • Click Real Time Views, then click the Create button for Alert Views.

    • From Sentinel Main, click Real-time Views > Alert Views > the Create icon.

  2. Specify the following information:

    • Name: Specify a name for the alert view.

    • Sharing: Select either of the following options:

      • Public: Allow everyone to view the alert view. In the public mode, you are the owner of the alert view and other users cannot edit it.

      • Private: Only you will be able to view the alert view.

    • Data sources: Add other data sources from which you want to view alerts. For information about data sources, see Configuring Data Federation in the Sentinel Administration Guide.

    • Criteria: Specify the criteria to filter the alerts.

    • Tenant: If you are in a multi-tenant environment, select the department or the tenant name for which you want to view alerts.

      NOTE: This option is displayed only if you are an administrator in a multi-tenant environment. For information about multitenancy, see Configuring Sentinel for Multitenancy in the Sentinel Administration Guide.

    • Time range: Specify the time range for which you want to view alerts.

    • Use alert period: Select Created or Modified to view the alerts that were created or modified in the specified time range.

  3. Click Save to save the alert view.

    The alert view is created with default alert fields.