Take Action on an Alert

The Alerts experience is currently available to Managed Detection and Response (MDR) customers only.

As you're monitoring the activity in your security environment, you can take action on alerts that require additional investigation or management.

You might choose to investigate an alert that indicates suspicious behavior, or add an alert to an existing investigation where the alert’s context is helpful. You can also keep track of the alerts in your environment by verifying that their status, disposition, priority, and assignee are up to date.

Investigate an alert

When an alert represents unusual activity in your environment, you might decide that the alert requires further investigation. You can create a new investigation from an alert or add alerts to an existing investigation to start responding to the potential threat.

An alert can belong to only one investigation at a time.

Create an investigation from an alert

If one or more alerts require further analysis, you can create a new investigation with the alerts, which allows you to start researching the potential threat.

To create an investigation from an alert:

  1. From the left menu, go to Alerts.
  2. On the Alert Table tab, select the checkbox next to one or more alerts that you want to include in the new investigation. You can search to locate the alerts to select.
  3. Above the table, click the Create Investigation button.
  4. In the Investigation Name field, enter a descriptive investigation title, which is used to identify the investigation later.
  5. Specify how to determine the investigation Priority:
    • If you want the investigation to always match the priority of the oldest of its highest-priority alerts, toggle automatic inheritance to ON.
    • If you want to select a specific investigation priority, toggle automatic inheritance to OFF, and then select a priority level of Critical, High, Medium, or Low.
  6. In the Assignee field, select the user that will be responsible for the investigation and its alerts.
  7. From the Disposition dropdown, select an option to indicate whether the investigation and its alerts represent a legitimate threat. Learn more about the available dispositions by reading Disposition types.
  8. From the Status dropdown, select an option to indicate where the investigation and its alerts are in the triage process. Learn more about the available statuses by reading Update the investigation status.
  9. Optionally, enter a Reason for creating the investigation, which is added to the audit log for tracking purposes.
  10. In the table, review the alerts to include in the investigation, and remove any alerts that you want to exclude.
  11. Click the Create Investigation button. InsightIDR starts creating the investigation, and its progress is added to the list of Alert Jobs. The alerts included in the investigation are updated with the same Assignee, Disposition, and Status as you selected for the investigation. You receive another notification when the investigation is created successfully.
  12. Optionally, add additional alerts to the newly created investigation.
  13. Optionally, click the Go to Investigation icon in the Alert Table to view the newly created investigation.

Add an alert to an existing investigation

When investigating an ongoing issue, you can add one or more alerts to the investigation to provide helpful context.

To add an alert to an existing investigation:

  1. From the left menu, go to Alerts.
  2. On the Alert Table tab, select the checkbox next to one or more alerts that you want to add to the investigation. You can search to locate the alerts to select.
  3. Above the table, click the Add to Investigation button.
  4. Optionally, enter a Reason for adding the alerts to the investigation, which is added to the audit log for tracking purposes.
  5. Select the investigation to add the alerts to. You can use the filters on the right to locate the investigation to select.
  6. Optionally, click the View button to open the investigation in a new tab and confirm the investigation details.
  7. Click the Add Alert to Investigation button. InsightIDR starts adding the alerts to the investigation, and its progress is added to the list of Alert Jobs. The alerts included in the investigation are updated with the same Assignee, Disposition, and Status as the investigation. You receive another notification when the alerts are added to the investigation successfully.
  8. Optionally, click the Go to Investigation icon in the Alert Table to view the investigation that you added the alerts to.

Close an alert

You can close an alert to indicate that the alert does not require further action. For example, you might close an alert because it was generated as a false positive, and doesn't represent a threat to your environment. Closing an alert updates the alert status to Closed and the alert disposition to the option that you specify.

You can close an alert only if it doesn't belong to an investigation.

To close an alert:

  1. From the left menu, go to Alerts.
  2. On the Alert Table or Data Stacking tab, select the checkbox next to one or more alerts that you want to close. You can search to locate the alerts to select.
  3. Above the table, click the Close Alert button.
  4. Select a new Disposition for the alert:
    • Benign - The alert was caused by expected behavior that doesn’t represent a threat to your environment.
    • Malicious - The alert was caused by malicious activity intended to harm your environment.
    • Unknown - There is not enough information to determine whether the alert was caused by malicious activity.
    • Not Applicable - The cause of the alert is known and does not need further research (for example, the alert was caused by a compliance warning).
  5. Optionally, enter a Reason for the update, which is added to the alerts audit log for tracking purposes.
  6. Click the Save Change button. InsightIDR starts updating the alert status and disposition, and its progress is added to the list of Alert Jobs. You receive another notification when the alerts are updated successfully.
  7. Optionally, if you closed the alert as Benign, consider creating an exception to prevent detection rules from alerting on these events in the future.

Edit alert information

You can edit information about alerts, including their status, disposition, priority, and assignee. Updating this information allows you to keep track of the current state of the alerts in your environment and makes it easier to search for the alerts you’re looking for.

You can edit an alert only if it doesn't belong to an investigation.

To edit alerts:

  1. From the left menu, go to Alerts.
  2. On the Alert Table or Data Stacking tab, select the checkbox next to one or more alerts that you want to edit. You can search to locate the alerts to select.
  3. Above the table, click the Edit Alerts button.
  4. Optionally, select a Priority, which indicates the urgency of the alerts.
  5. Optionally, select an Assignee, which indicates the individual responsible for taking action on the alert.
  6. Optionally, select a Disposition, which captures the conclusion that your organization drew from the triage process or indicates that the triage process is still in progress:
    • Benign - The alert was caused by expected behavior that doesn’t represent a threat to your environment.
    • Malicious - The alert was caused by malicious activity intended to harm your environment.
    • Unknown - There is not enough information to determine whether the alert was caused by malicious activity.
    • Not Applicable - The cause of the alert is known and does not need further research (for example, the alert was caused by a compliance warning).
  7. Optionally, select a Status, which indicates where the alerts are in the triage process:
    • Closed - Triage on the alerts has ended. You must also select a Disposition to update an alert to Closed.
    • Waiting - Progress on the alert triage has paused while more information is gathered.
    • Investigating - The alert is being triaged as part of an investigation.
    • Open - The alert is new, and triage has not started on it yet.
  8. Review the Changes to make to the alerts.
  9. Optionally, enter a Reason for the update, which is added to the alerts audit log for tracking purposes.
  10. Click the Save Changes button. InsightIDR starts updating the alerts, and its progress is added to the list of Alert Jobs. You receive another notification when the alerts are updated successfully.

Monitor alert jobs

As you take action on alerts, those actions are processed asynchronously as alert jobs. You can check the status of an alert job to ensure that the action you took on an alert has been completed successfully.

To view alert jobs:

  1. From the left menu, go to Alerts.
  2. Click Alert Jobs in the upper right.
  3. On the left, apply filters to locate the alert jobs you want to view:
    • Start Date - The date and time that the alert job started.
    • Status - The status of the alert job:
      • Pending - The alert job has been initiated, but hasn’t started running yet.
      • Running - The alert job is in progress.
      • Failed - The alert job could not be completed successfully.
      • Completed with Issues - The alert job ran to completion, but the action failed for one or more of the selected alerts.
      • Completed - The alert job was completed successfully.
  4. On the right, expand each alert job to view its details.
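The rules above (an alert belongs to at most one investigation, alerts added to an investigation take on its Assignee, Disposition and Status, alerts inside an investigation can be neither closed nor edited directly, Closed requires a Disposition, automatic priority inheritance, and the Completed / Completed with Issues / Failed outcomes of an alert job) are easy to get wrong when scripting bulk triage. The following is an added example, not InsightIDR code or its API: a small local model of those rules, run over constructed sample alerts, so a practitioner can check what a bulk action should do before taking it. Every class, field and function name, the tie-break on creation time for priority inheritance, and the sample data are assumptions.

```python
"""Local model of the alert-triage rules described on this page (added example,
not InsightIDR code or its API; all names and sample data are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

PRIORITIES = ("Low", "Medium", "High", "Critical")        # ascending urgency
DISPOSITIONS = ("Benign", "Malicious", "Unknown", "Not Applicable")
STATUSES = ("Open", "Investigating", "Waiting", "Closed")


@dataclass
class Alert:
    id: str
    created: datetime
    priority: str = "Medium"
    status: str = "Open"
    disposition: Optional[str] = None
    assignee: Optional[str] = None
    investigation: Optional[str] = None   # at most one investigation at a time


@dataclass
class Investigation:
    id: str
    name: str
    assignee: str
    disposition: str
    status: str
    inherit_priority: bool = True         # the "automatic inheritance" toggle
    priority: Optional[str] = None        # only used when inheritance is OFF
    alerts: list = field(default_factory=list)

    def priority_source(self) -> Optional[Alert]:
        """Highest-priority alert; oldest one wins a tie (assumed tie-break)."""
        if not self.alerts:
            return None
        return max(self.alerts, key=lambda a: (PRIORITIES.index(a.priority),
                                                -a.created.timestamp()))

    def effective_priority(self) -> Optional[str]:
        if not self.inherit_priority:
            return self.priority
        src = self.priority_source()
        return src.priority if src else None


@dataclass
class AlertJob:
    """Outcome of one asynchronous bulk action, using the Alert Jobs statuses."""
    action: str
    status: str = "Pending"
    errors: dict = field(default_factory=dict)   # alert id -> why it was skipped

    def finish(self, attempted: int) -> "AlertJob":
        if not self.errors:
            self.status = "Completed"
        elif len(self.errors) == attempted:
            self.status = "Failed"
        else:
            self.status = "Completed with Issues"
        return self


def add_to_investigation(inv: Investigation, alerts: list) -> AlertJob:
    job = AlertJob("add_to_investigation", status="Running")
    for a in alerts:
        if a.investigation is not None:          # already in some investigation
            job.errors[a.id] = f"already in investigation {a.investigation}"
            continue
        a.investigation = inv.id
        # added alerts take the investigation's Assignee, Disposition and Status
        a.assignee, a.disposition, a.status = inv.assignee, inv.disposition, inv.status
        inv.alerts.append(a)
    return job.finish(len(alerts))


def create_investigation(inv_id, name, alerts, assignee, disposition, status,
                         inherit_priority=True, priority=None):
    if disposition not in DISPOSITIONS or status not in STATUSES:
        raise ValueError("invalid disposition or status")
    if not inherit_priority and priority not in PRIORITIES:
        raise ValueError("a priority is required when inheritance is OFF")
    inv = Investigation(inv_id, name, assignee, disposition, status,
                        inherit_priority, priority)
    return inv, add_to_investigation(inv, alerts)


def close_alerts(alerts: list, disposition: str) -> AlertJob:
    if disposition not in DISPOSITIONS:
        raise ValueError("closing requires a valid disposition")
    job = AlertJob("close", status="Running")
    for a in alerts:
        if a.investigation is not None:          # closable only outside an investigation
            job.errors[a.id] = "belongs to an investigation"
            continue
        a.status, a.disposition = "Closed", disposition
    return job.finish(len(alerts))


def edit_alerts(alerts: list, priority=None, assignee=None,
                disposition=None, status=None) -> AlertJob:
    if status == "Closed" and disposition is None:
        raise ValueError("a Disposition must be selected to set status Closed")
    job = AlertJob("edit", status="Running")
    for a in alerts:
        if a.investigation is not None:          # editable only outside an investigation
            job.errors[a.id] = "belongs to an investigation"
            continue
        a.priority = priority or a.priority
        a.assignee = assignee or a.assignee
        a.disposition = disposition or a.disposition
        a.status = status or a.status
    return job.finish(len(alerts))


def sample_alerts() -> dict:
    """Constructed sample alerts (not from any real environment)."""
    return {
        "a1": Alert("a1", datetime(2024, 1, 1, 8), priority="High"),
        "a2": Alert("a2", datetime(2024, 1, 1, 9), priority="High"),
        "a3": Alert("a3", datetime(2024, 1, 1, 10), priority="Critical"),
        "a4": Alert("a4", datetime(2024, 1, 1, 11), priority="Low"),
        "a5": Alert("a5", datetime(2024, 1, 1, 12), priority="Medium"),
    }
```

Bulk actions are modelled per alert so that a mixed selection (some alerts free, some already in an investigation) yields Completed with Issues and records which alerts were skipped, which is the same thing the Alert Jobs view is for. A real script should likewise expand the job's details after an asynchronous action rather than assume every selected alert was updated.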