In this article, all elements of the Alert Management dashboard are outlined to help you understand the alerts displayed.
You are able to filter the dashboard in various ways which are outlined below:
Figure 1: Filter options
- Ability to select a time-period using pre-determined time-spans of:
  - 24 hours
  - 72 hours
  - 7 days
  - 30 days
  - Custom: You can freely select a custom time-span.
- Live Mode Toggle:
  - Enabled: Continuously surfaces triggered alerts to you as they are raised by the Samurai XDR platform, or ingested from third-party telemetry sources.
  - Disabled: Pauses the flow of alerts into the Alert Management dashboard. Typically used during noisier attacks, or in noisier environments where the pace of triggering alerts prohibits triage. Re-enabling Live mode refreshes the page and loads all alerts that have triggered since the disable took effect.
All alerts are listed within the alert widget:
- Primary overview of all alerts, where you can filter and sort alerts.
Figure 2: Alert widget
- When you select an alert from the alert widget, the alert is expanded and further details are displayed. See Alert Detail later in this article for more detailed information.
Figure 3: Alert detail widget
What are the Alert fields?
All alerts are displayed in the alerts widget; if an alert is selected, it is expanded to display further detail. Alert-specific fields within the alerts widget include:
Figure 4: Alert fields
Timestamp: The timestamp is based on when the alert was generated and is represented in Coordinated Universal Time (UTC).
Severity: Based on the Type field (see below for further information on this field), as follows:
- AI-Engine: triggered alerts set Severity dynamically based on the actual alert triggered. The direction of the activity, whether it was blocked or accepted, and historical data, among other factors, are all inputs when determining the seriousness of the attack.
- Vendor: triggered alerts rely on the Severity determined by the third-party provider. Most commonly this is assigned on a signature basis and does not take the individual alert or the triggering activity into account.
Severity is depicted on an indicator bar and defined as:
Critical: Severe impact that threatens to have a significant adverse effect on the affected systems. These issues have a high probability of spreading or propagating and pose a threat to confidential or otherwise sensitive data or systems. Critical alerts require immediate attention for remediation or mitigation.
High: Alerts where, if exploited, the threat could lead to compromise of the system and/or loss of information. Should be investigated in a timely fashion.
Medium: Minor alerts with low risk of spreading or propagation. Should be tracked and followed up, but medium severity threats generally require no immediate action.
Low: An observed security-related event that could be an indicator of a threat, or be interesting from other perspectives, but poses no direct security threat.
Unknown: The detecting technology has no specific severity associated with the alert.
Confidence: indicates the likelihood of alert detection being accurate.
As Samurai XDR gains historical data on the triggering behavior of signatures, a Confidence is either established or deteriorates over time. Signatures triggering alerts that commonly result in an Investigation are deemed accurate and have their Confidence score increased over time. The opposite occurs for signatures which trigger alerts that rarely result in Security Incidents.
Confidence defaults to an Unknown state until Samurai XDR has access to sufficient historical data to establish a baseline. As such, be careful when filtering on the Unknown state, as emerging signatures will have no historical data and would be excluded.
Confidence levels are depicted on an indicator bar and presented as:
Alert Name: The name assigned by the detecting technology; this could come from an integrated telemetry source or from the Samurai XDR detection engine.
Source: The initiating source, represented by hostname(s), IP address, user or URL. For a single alert this could in some cases be multiple values, shown with a counter and expandable to display the full array of sources.
Destination: The destination, represented by hostname(s), IP address, user or URL. For a single alert this could in some cases be multiple values, shown with a counter and expandable to display the full array of destinations.
Type: Displays the Samurai XDR means of detection. Depending on the source of the alert, the following may be displayed:
- AI (Artificial Intelligence): The Samurai XDR real-time threat detection engine, which uses a continuously updated combination of detection techniques to detect the latest, most evasive threats as well as previously known threats. This includes, but is not limited to:
  - Artificial Intelligence
  - Threat Intelligence
- Scheduled: A rule-based alerting engine which queries data retained in Samurai XDR for matching results at regular intervals. Loaded with detection rules created by Samurai MDR Security Operations Center (SOC) analysts and qualified rules imported from external parties (see Author in alerts triggered).
- Vendor: Displays third-party technologies when alerts are sourced using Integrations configured with Extended Telemetry Collection (e.g. Endpoint Detection & Response (EDR), Sandbox, IDS/IPS, among others).
Third-party technologies have various degrees of accuracy and noisiness, consider tuning these for best user-experience.
When an alert is selected via the alert widget, or alerts are assigned to an Investigation, the alert details panel opens. This view gives you all the detail available in relation to the alert which enables initial triage and more in-depth validation. Additional alert detail may include:
Description: Short descriptive text of signature/detection method used to trigger the alert that helps you understand the purpose of the alert.
Origin: Details the origin telemetry source where suspicious activity was registered. For example, if a firewall telemetry source is ingested and Samurai XDR identifies suspicious activity based on this telemetry then the firewall would be set as Origin. This assists you in identifying the attacker that either triggered the alert, or the victim asset targeted.
Total Score: The total of all scores assigned to this alert via Boost Scoring (select the link to learn more!)
Alert Timeline: The timeline provides an interactive graphical overview of past notable activity (Enrichment) and triggered alerts (Suspicious, Threat) deemed related to the Boost Alert that triggered.
All are assigned a weighted Boost score, which in turn results in a Boost Alert triggering once a certain threshold is reached. This allows you to contextualize alerts with past occurrences and activity. The timeline will typically show alerts contributing to:
Enrichment: Activity considered enrichment information, which does not result in individual alerts by itself.
Suspicious: Activity that often results in individual alerts being raised prior to the correlated Boost Alert triggering.
Threat: Activity deemed a threat, which typically triggers a unique alert prior to the correlated Boost Alert triggering.
Boost Alert Logic:
Figure 5: Boost logic
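The timeline and Boost scoring described above, as an added worked example that is not Samurai XDR's own code: the category weights, the 72-hour lookback and the trigger threshold are assumed, illustrative values, and the timeline entries are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed weights and threshold (illustrative, not the platform's real values).
CATEGORY_WEIGHTS = {"Enrichment": 1, "Suspicious": 3, "Threat": 5}
BOOST_THRESHOLD = 10
LOOKBACK = timedelta(hours=72)  # assumed correlation window


@dataclass(frozen=True)
class TimelineEntry:
    timestamp: datetime  # UTC, matching the dashboard's Timestamp field
    source: str          # initiating source (host, IP, user or URL)
    category: str        # Enrichment, Suspicious or Threat
    name: str            # Alert Name


def evaluate_boost(entries, source, now, threshold=BOOST_THRESHOLD, lookback=LOOKBACK):
    """Sum weighted scores for one source inside the lookback window.

    Returns the total score, whether a Boost Alert would trigger, and the
    contributing entries in timeline order (oldest first).
    """
    window_start = now - lookback
    contributing = sorted(
        (e for e in entries
         if e.source == source and window_start <= e.timestamp <= now),
        key=lambda e: e.timestamp,
    )
    for e in contributing:
        if e.category not in CATEGORY_WEIGHTS:
            raise ValueError(f"unknown timeline category: {e.category}")
    total = sum(CATEGORY_WEIGHTS[e.category] for e in contributing)
    return {"total_score": total, "triggered": total >= threshold,
            "contributing": contributing}


# Constructed sample timeline; the first entry falls outside the window.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_TIMELINE = [
    TimelineEntry(NOW - timedelta(hours=100), "10.0.0.5", "Threat", "old-callback"),
    TimelineEntry(NOW - timedelta(hours=40), "10.0.0.5", "Enrichment", "new-external-dns"),
    TimelineEntry(NOW - timedelta(hours=30), "10.0.0.5", "Suspicious", "internal-port-scan"),
    TimelineEntry(NOW - timedelta(hours=2), "10.0.0.5", "Threat", "credential-dump-tool"),
    TimelineEntry(NOW - timedelta(hours=1), "10.0.0.5", "Enrichment", "new-admin-login"),
    TimelineEntry(NOW - timedelta(hours=1), "10.0.0.9", "Suspicious", "internal-port-scan"),
]

if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.9"):
        r = evaluate_boost(SAMPLE_TIMELINE, src, NOW)
        print(src, r["total_score"], "TRIGGERED" if r["triggered"] else "below threshold")
```

With these assumed weights, 10.0.0.5 accumulates 1 + 3 + 5 + 1 = 10 inside the window and triggers, while 10.0.0.9 stays at 3; the 100-hour-old Threat entry is correctly excluded.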
The default view shows the fields of importance in relation to the alert currently viewed. This typically details the activities that resulted in the alert triggering.
Figure 6: Alert details
You are able to expand this default view by clicking the expand arrow to the right.
This reveals all fields in relation to the row currently viewed, providing additional contextual data that can be of assistance in locating the initial Event(s) for the activity being analyzed.