13.4. Triggered Alerts

The Triggered alerts tab shows the list of triggered alerts for analytics rules with brief details about each one. A triggered alert is a set of events grouped under an analytics rule.

The following triggered alert details are shown, listed by field name with a description of each.

Node

The LogAn node name.

Time

The date and time when the analytics rule was triggered.

ID

The triggered alert ID.

First event time

The time of the first event included in the triggered alert for the analytics rule.

Last event time

The time of the last event included in the triggered alert for the analytics rule.

Events number

The number of events included in the triggered alert for the analytics rule.

Rule

The name of the triggered analytics rule.

Category

The category to which the triggered alert belongs. The following predefined categories are available:

  • Security: incidents that degrade the security of information systems.

  • Availability: incidents that degrade the availability of information systems.

  • Performance: incidents that degrade the performance of information systems.

Additional triggered alert categories can be defined in the General settings --> Libraries --> Triggered alert categories section.

Priority

The priority of the triggered alert specified in the analytics rule settings:

  • Low: low response priority.

  • Normal: needs attention and may need response.

  • Important: needs attention and response.

  • Critical: requires urgent response.

The priority indicates the severity of the triggered alert.

User

The username.

Signatures

The name of the triggered IPS signature.

Source zone

The zone from which the connection is established.

IP source

The source IP address.

Source port

The source port.

Destination zone

The destination zone.

IP destination

The destination IP address.

Destination port

The destination port.

The administrator can choose to display only the columns they need. To do that, hover the mouse cursor over the name of any column, click the arrow that appears to the right of the column name, choose Columns, and select the desired parameters in the context menu.

Two search modes are available, basic and advanced. The basic mode uses a GUI, while the advanced mode allows you to create more complex search filters using a specialized query language whose syntax is described in the Data Search and Filtering section.

To save the configured filter, click Save as. To view the list of saved search filters, click Favorite filters.

To view the triggered alert details (brief information about the selected triggered alert), click Show.

Clicking the Show details button will take you to the Triggered alert details tab showing details about the selected triggered alert. This tab is discussed in the next section, Triggered Alert Details.

The selected triggered alert can be added to an incident by clicking Add to incident.

By clicking Export as CSV, the administrator can save the filtered log data in a .csv file for subsequent analysis.
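As an added example (not part of the LogAn documentation), the following Python script triages such an export: it ranks alerts by priority and by event burst rate derived from the First event time, Last event time and Events number fields. The CSV column names, the `YYYY-MM-DD HH:MM:SS` timestamp format and the sample rows are constructed assumptions for this example.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an "Export as CSV" result. The column names are an
# assumption mirroring the field names listed on the page, not the product's
# actual export format; the rows and addresses are made up.
SAMPLE_CSV = """\
Node,Time,ID,First event time,Last event time,Events number,Rule,Category,Priority,User,Signatures,Source zone,IP source,Source port,Destination zone,IP destination,Destination port
logan-1,2024-05-01 10:05:00,101,2024-05-01 10:00:00,2024-05-01 10:04:00,240,SSH brute force,Security,Critical,,,Untrusted,198.51.100.7,51000,Trusted,192.0.2.10,22
logan-1,2024-05-01 10:06:00,102,2024-05-01 09:00:00,2024-05-01 10:00:00,12,Link flapping,Availability,Normal,,,Trusted,192.0.2.5,0,Trusted,192.0.2.1,0
logan-2,2024-05-01 10:07:00,103,2024-05-01 10:06:00,2024-05-01 10:06:00,1,IPS hit,Security,Important,jdoe,ET SCAN Nmap,Untrusted,203.0.113.9,40000,DMZ,192.0.2.20,443
"""

# Priority values from the analytics rule settings, lowest rank = most urgent
PRIORITY_RANK = {"Critical": 0, "Important": 1, "Normal": 2, "Low": 3}
TS = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the export


def parse_alerts(text):
    """Parse the exported CSV into dicts, adding the event span and rate."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        first = datetime.strptime(row["First event time"], TS)
        last = datetime.strptime(row["Last event time"], TS)
        events = int(row["Events number"])
        span_s = (last - first).total_seconds()
        # A single-event alert has zero span; treat its rate as events over one minute
        rate = events / (span_s / 60) if span_s > 0 else float(events)
        alerts.append({**row, "events": events, "span_s": span_s, "rate_per_min": rate})
    return alerts


def triage(alerts, burst_threshold=30.0):
    """Order alerts by priority, then by burst rate; flag bursts above the threshold."""
    ordered = sorted(alerts, key=lambda a: (PRIORITY_RANK.get(a["Priority"], 99), -a["rate_per_min"]))
    for a in ordered:
        a["burst"] = a["rate_per_min"] >= burst_threshold
    return ordered


if __name__ == "__main__":
    for a in triage(parse_alerts(SAMPLE_CSV)):
        flag = " BURST" if a["burst"] else ""
        print(f'{a["Priority"]:<10} {a["ID"]:>4} {a["Rule"]:<16} {a["Category"]:<13} '
              f'{a["events"]:>4} ev {a["rate_per_min"]:6.1f}/min{flag}')
```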