Alerts

The Alerts module is the central repository for all security events ingested into the platform. It provides a filterable, searchable view of every alert that has been collected from connected data sources, with detail views, correlation linkage, and triage capabilities.

Navigation: Monitor → Alerts

Alert List View

The alert list displays all ingested security events in reverse-chronological order. It updates dynamically as the Orchestrator pulls new data from connected sources.

Filter Options

| Filter | Description |
|---|---|
| Time Range | Quick presets (15m, 1h, 24h, 7d, 30d) or custom date range |
| Severity | Critical / High / Medium / Low |
| Status | New / Acknowledged / In Progress / Closed |
| Source | Filter by data source integration name |
| Free-text Search | Search across alert title, description, and raw message content |

Table Columns

| Column | Description |
|---|---|
| Alert ID | System-generated unique identifier |
| Title | Alert name / event type from the source system |
| Severity | Critical / High / Medium / Low (color-coded) |
| Source | Data source that generated the alert (e.g., Elastic Stack ELK) |
| Timestamp | Event occurrence time from the source |
| Ingested At | Time the alert was written to the internal database |
| Status | Current triage status |
| Ticket | Linked ticket number (if this alert generated or was added to a ticket) |

Alert Detail View

Click any alert row to open the detail view.

Detail Sections

| Section | Contents |
|---|---|
| Summary | Alert title, severity, source, timestamps |
| Raw Message | Full original alert payload with JSON syntax highlighting |
| Linked Ticket | Link to the associated incident ticket (if any) |
| MITRE ATT&CK | Mapped tactic and technique (if the detection rule carries ATT&CK annotations) |
| Observables | Extracted indicators: IPs, domains, file hashes, usernames |

Alert Lifecycle

Alerts follow a simple status progression:

New → Acknowledged → In Progress → Closed

| Status | Meaning |
|---|---|
| New | Alert received, not yet reviewed |
| Acknowledged | Analyst has seen the alert |
| In Progress | Under active investigation |
| Closed | Investigation complete; ticket resolved or alert dismissed |

From Alert to Ticket

Alerts can generate tickets in two ways:

Automatic (Correlation engine): The Correlation policy evaluates each incoming alert against configured rules. When conditions match (time window, field values), the engine automatically creates a ticket and links the triggering alert. See Data Onboarding → Correlation for configuration details.

Manual (from alert detail): In the alert detail view, click Create Ticket to manually open a new incident ticket pre-populated with alert metadata.

MITRE ATT&CK Mapping

When an alert is generated by a Sigma rule that carries ATT&CK annotations, the platform displays the corresponding tactic and technique on the alert detail page. This allows analysts to quickly understand the kill-chain stage of an event and prioritize investigation accordingly.

Alert Deduplication

When the Orchestrator runs, it uses the alert’s unique identifier from the source system (combined with the timestamp field) to prevent duplicate ingestion. Alerts that have already been imported are skipped on subsequent runs.
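To make the deduplication and correlation behaviour concrete, here is an added Python model of one Orchestrator pass; it is illustrative code, not the platform's own. It skips documents whose (source id, timestamp) key was already ingested, checks each new alert against a hypothetical policy's field conditions and time window, and opens a ticket linked to every triggering alert once the threshold is met. The document shape, field names, rule format and ticket ID scheme are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample documents in an Elastic-style shape (not real data).
SAMPLE_DOCS = [
    {"source_id": "a1", "@timestamp": "2024-05-01T10:00:00+00:00", "event_type": "failed_login"},
    {"source_id": "a2", "@timestamp": "2024-05-01T10:01:00+00:00", "event_type": "failed_login"},
    {"source_id": "a3", "@timestamp": "2024-05-01T10:02:00+00:00", "event_type": "port_scan"},
    {"source_id": "a4", "@timestamp": "2024-05-01T10:03:30+00:00", "event_type": "failed_login"},
]
# Hypothetical correlation policy: 3 failed logins within 5 minutes open one ticket.
RULE = {"match": {"event_type": "failed_login"}, "window": timedelta(minutes=5), "threshold": 3}

class AlertIngestor:
    def __init__(self, rule):
        self.rule = rule
        self.seen = set()       # dedup keys (source id, timestamp) already written
        self.alerts = []        # ingested alerts, in arrival order
        self.tickets = []       # tickets opened by the correlation rule
        self._window = deque()  # (timestamp, alert) pairs matching the rule

    def ingest(self, doc):
        key = (doc["source_id"], doc["@timestamp"])
        if key in self.seen:
            return None  # already imported on an earlier run: skip it
        self.seen.add(key)
        alert = dict(doc, status="New", ticket=None)
        self.alerts.append(alert)
        self._correlate(alert)
        return alert

    def _correlate(self, alert):
        # Every field-value condition must hold before the alert counts toward the window.
        if any(alert.get(f) != v for f, v in self.rule["match"].items()):
            return
        ts = datetime.fromisoformat(alert["@timestamp"])
        self._window.append((ts, alert))
        while ts - self._window[0][0] > self.rule["window"]:
            self._window.popleft()  # drop matches that fell out of the time window
        if len(self._window) >= self.rule["threshold"]:
            ticket = {"id": f"INC-{len(self.tickets) + 1}", "alerts": [a for _, a in self._window]}
            self.tickets.append(ticket)
            for a in ticket["alerts"]:
                a["ticket"] = ticket["id"]  # link each triggering alert to the new ticket
            self._window.clear()

def run_orchestrator(docs, runs=2):  # replay the same source batch across several runs
    ingestor = AlertIngestor(RULE)
    for doc in docs * runs:
        ingestor.ingest(doc)
    return ingestor
```

Replaying the batch a second time adds no alerts and no tickets, which is the skip behaviour described above; a source that leaves the unique ID blank would defeat this key, which is why the Troubleshooting table asks you to confirm it is populated.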

Bulk Actions

Select multiple alerts using checkboxes to:

| Action | Description |
|---|---|
| Acknowledge | Mark selected alerts as acknowledged |
| Assign | Assign to an analyst |
| Create Ticket | Open a new ticket linked to all selected alerts |
| Close | Mark selected alerts as closed |

Troubleshooting

| Issue | Check |
|---|---|
| No alerts appear after setup | Verify the Orchestrator task ran successfully; check Run History for errors |
| Alerts missing from expected time range | Confirm the Timestamp field in the Orchestrator task matches your ES document schema |
| Duplicate alerts appearing | Ensure the source document's unique ID field is consistently populated |
| Alerts not generating tickets | Check that the Correlation policy is enabled and its conditions match incoming alert fields |