
Alert Triage Lifetime

  • Start Triage: By selecting this option, you can take ownership of an alert, indicating that you are actively investigating it. This action changes the alert's status to "Triaged," signalling to other team members that the alert is being handled.

  • Hunt: This feature allows for a more in-depth investigation into the alert. You can use it to look for related events or patterns that might give more context to the alert, helping to identify broader issues or campaigns.

  • Process Tree: For alerts related to processes, this tool helps you visualize the sequence and hierarchy of process executions. It's valuable for understanding the chain of events that led to the alert and determining the scope of the incident.

  • Interaction: This set of actions includes adding the source of the alert to a whitelist (if it is a false positive, so that future alerts from the same source are suppressed), escalating the alert for further attention, or notifying relevant stakeholders about the issue.

  • Update: You can modify the alert status through this function, for example marking it as resolved, pending further action, or needing review.

  • SecOps Chat: This communication tool allows you to send the details of an alert to your Security Operations Centre (SOC) team for collaboration and coordination of response efforts.
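As an added illustration that is not part of the original page or the product's own code, the following Python models the lifecycle above: taking ownership (Start Triage), owner-only status updates along an allowed-transition table, reconstructing the process ancestry behind an alert (Process Tree), and whitelisting a source as a false positive (Interaction). The status names are the page's; the transition table, the `Process`/`Alert` fields and the sample process list are assumptions constructed for this example.

```python
"""Minimal model of the alert triage lifecycle described above.

Constructed example: the process list and the transition rules are made up
for illustration and are not taken from the product."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Which status an alert may move to from its current one. The status names
# come from the page; the transition table is an assumption of this example.
TRANSITIONS: Dict[str, Set[str]] = {
    "New": {"Triaged"},
    "Triaged": {"Resolved", "Pending", "Needs Review"},
    "Pending": {"Triaged", "Resolved"},
    "Needs Review": {"Triaged", "Resolved"},
    "Resolved": set(),  # terminal state
}


class TriageError(Exception):
    """Raised for an action the lifecycle does not permit."""


@dataclass
class Process:
    pid: int
    ppid: int
    name: str


@dataclass
class Alert:
    alert_id: str
    source: str                  # what raised the alert, e.g. a rule or sensor
    pid: int                     # process the alert fired on
    status: str = "New"
    owner: Optional[str] = None
    history: List[str] = field(default_factory=list)


def _set_status(alert: Alert, new_status: str, analyst: str) -> None:
    alert.history.append(f"{alert.status} -> {new_status} by {analyst}")
    alert.status = new_status


def start_triage(alert: Alert, analyst: str) -> None:
    """Start Triage: take ownership; only an unowned 'New' alert can be picked up."""
    if alert.status != "New" or alert.owner is not None:
        raise TriageError(f"{alert.alert_id} already owned by {alert.owner}")
    alert.owner = analyst
    _set_status(alert, "Triaged", analyst)


def update_status(alert: Alert, analyst: str, new_status: str) -> None:
    """Update: only the owner may change status, and only along TRANSITIONS."""
    if alert.owner != analyst:
        raise TriageError(f"{analyst} does not own {alert.alert_id}")
    if new_status not in TRANSITIONS[alert.status]:
        raise TriageError(f"cannot go from {alert.status} to {new_status}")
    _set_status(alert, new_status, analyst)


def process_chain(processes: List[Process], pid: int) -> List[Process]:
    """Process Tree: ancestry of `pid`, root first, i.e. the chain behind the alert."""
    by_pid = {p.pid: p for p in processes}
    chain: List[Process] = []
    seen: Set[int] = set()
    while pid in by_pid and pid not in seen:  # `seen` guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def whitelist_source(alert: Alert, analyst: str, whitelist: Set[str]) -> None:
    """Interaction: resolve a false positive and suppress future alerts from its source."""
    update_status(alert, analyst, "Resolved")
    whitelist.add(alert.source)


def is_suppressed(alert: Alert, whitelist: Set[str]) -> bool:
    """An incoming alert whose source is whitelisted needs no triage."""
    return alert.source in whitelist


# Constructed sample: an Office document spawning a shell that launches PowerShell.
SAMPLE_PROCESSES = [
    Process(1, 0, "explorer.exe"),
    Process(2, 1, "winword.exe"),
    Process(3, 2, "cmd.exe"),
    Process(4, 3, "powershell.exe"),
]


if __name__ == "__main__":
    alert = Alert("A-1", "rule:office-spawns-shell", pid=4)
    start_triage(alert, "alice")
    print(" -> ".join(p.name for p in process_chain(SAMPLE_PROCESSES, alert.pid)))
    update_status(alert, "alice", "Pending")
    print(alert.history)
```

The ownership check in `update_status` is the point of Start Triage: once an analyst owns an alert, other team members see it as handled and cannot silently change its status. The `history` list is an audit trail of who moved the alert where, which is what an escalation or SecOps Chat message would carry.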