Alerts
The Alerts module is the central repository for all security events ingested into the platform. It provides a filterable, searchable view of every alert that has been collected from connected data sources, with detail views, correlation linkage, and triage capabilities.
Navigation: Monitor → Alerts
Alert List View
The alert list displays all ingested security events in reverse-chronological order. It updates dynamically as the Orchestrator pulls new data from connected sources.
Filtering and Search
| Filter | Options |
|---|---|
| Time Range | Quick presets (15m, 1h, 24h, 7d, 30d) or custom date range |
| Severity | Critical / High / Medium / Low |
| Status | New / Acknowledged / In Progress / Closed |
| Source | Filter by data source integration name |
| Free-text Search | Search across alert title, description, and raw message content |
Table Columns
| Column | Description |
|---|---|
| Alert ID | System-generated unique identifier |
| Title | Alert name / event type from the source system |
| Severity | Critical / High / Medium / Low (color-coded) |
| Source | Data source that generated the alert (e.g., Elastic Stack ELK) |
| Timestamp | Event occurrence time from the source |
| Ingested At | Time the alert was written to the internal database |
| Status | Current triage status |
| Ticket | Linked ticket number (if this alert generated or was added to a ticket) |
Alert Detail View
Click any alert row to open the detail view.
Detail Sections
| Section | Contents |
|---|---|
| Summary | Alert title, severity, source, timestamps |
| Raw Message | Full original alert payload with JSON syntax highlighting |
| Linked Ticket | Link to the associated incident ticket (if any) |
| MITRE ATT&CK | Mapped tactic and technique (if the detection rule carries ATT&CK annotations) |
| Observables | Extracted indicators: IPs, domains, file hashes, usernames |
Alert Lifecycle
Alerts follow a simple status progression:
New → Acknowledged → In Progress → Closed
| Status | Meaning |
|---|---|
| New | Alert received, not yet reviewed |
| Acknowledged | Analyst has seen the alert |
| In Progress | Under active investigation |
| Closed | Investigation complete; ticket resolved or alert dismissed |
From Alert to Ticket
Alerts can generate tickets in two ways:
Automatic (Correlation engine): The Correlation policy evaluates each incoming alert against configured rules. When conditions match (time window, field values), the engine automatically creates a ticket and links the triggering alert. See Data Onboarding → Correlation for configuration details.
Manual (from alert detail): In the alert detail view, click Create Ticket to manually open a new incident ticket pre-populated with alert metadata.
MITRE ATT&CK Mapping
When an alert is generated by a Sigma rule that carries ATT&CK annotations, the platform displays the corresponding tactic and technique on the alert detail page. This allows analysts to quickly understand the kill-chain stage of an event and prioritize investigation accordingly.
Alert Deduplication
When the Orchestrator runs, it uses the alert’s unique identifier from the source system (combined with the timestamp field) to prevent duplicate ingestion. Alerts that have already been imported are skipped on subsequent runs.
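The deduplication check described above, written out as an added example (not the platform's own code). The field names `_id` and `@timestamp`, the dict standing in for the internal alerts database, and the sample documents are assumptions constructed for illustration; the third document deliberately lacks its unique ID to show why the Troubleshooting table asks for that field to be consistently populated.

```python
def dedup_key(doc, id_field="_id", ts_field="@timestamp"):
    """Dedup key = source unique ID combined with the event timestamp.
    Returns None when either field is missing so the caller can count it."""
    source_id, ts = doc.get(id_field), doc.get(ts_field)
    if not source_id or not ts:
        return None
    return f"{source_id}|{ts}"

def ingest(store, docs, id_field="_id", ts_field="@timestamp"):
    """One Orchestrator run over `docs`. `store` is a dict standing in for the
    internal alerts database (an assumption for this example): store["seen"]
    holds keys already ingested, store["rows"] the accepted alerts.
    Returns (accepted, skipped, unkeyed). Docs with no ID or timestamp are
    still accepted but can never be matched on a later run, which is how the
    'Duplicate alerts appearing' symptom arises."""
    accepted = skipped = unkeyed = 0
    for doc in docs:
        key = dedup_key(doc, id_field, ts_field)
        if key is not None and key in store["seen"]:
            skipped += 1          # already imported on a previous run
            continue
        if key is None:
            unkeyed += 1          # cannot be deduplicated on later runs
        else:
            store["seen"].add(key)
        store["rows"].append(doc)
        accepted += 1
    return accepted, skipped, unkeyed

# Constructed sample documents shaped like Elasticsearch hits; the third one
# lacks the unique ID field on purpose.
SAMPLE_RUN = [
    {"_id": "a1", "@timestamp": "2024-05-01T10:00:00Z", "title": "Suspicious login"},
    {"_id": "a2", "@timestamp": "2024-05-01T10:01:00Z", "title": "Encoded PowerShell"},
    {"@timestamp": "2024-05-01T10:02:00Z", "title": "Document missing _id"},
]

def run_twice(docs=SAMPLE_RUN):
    """Simulate the Orchestrator running twice over the same source window."""
    store = {"seen": set(), "rows": []}
    first = ingest(store, docs)
    second = ingest(store, docs)
    return first, second, len(store["rows"])

if __name__ == "__main__":
    first, second, total = run_twice()
    print("run 1:", first, "run 2:", second, "rows stored:", total)
```

Passing a `ts_field` that does not match the document schema (the second Troubleshooting row) makes every document unkeyed, so nothing is ever skipped and each run re-imports the whole window.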
Bulk Actions
Select multiple alerts using checkboxes to:
| Action | Description |
|---|---|
| Acknowledge | Mark selected alerts as acknowledged |
| Assign | Assign to an analyst |
| Create Ticket | Open a new ticket linked to all selected alerts |
| Close | Mark selected alerts as closed |
Troubleshooting
| Issue | Check |
|---|---|
| No alerts appear after setup | Verify Orchestrator task ran successfully; check Run History for errors |
| Alerts missing from expected time range | Confirm the Timestamp field in the Orchestrator task matches your ES document schema |
| Duplicate alerts appearing | Ensure the source document’s unique ID field is consistently populated |
| Alerts not generating tickets | Check Correlation policy is enabled and conditions match incoming alert fields |