Manage Alerts

Alerts are the main output of the Threat Command module. Managing alerts is the process of reviewing and remediating identified threats.

Threat Command sends alerts that are relevant to your company, based on the defined company assets. To define assets, see Configuring Assets.

Alert information is gathered from sources across the clear, deep, and dark web. Every alert is clearly labeled so that you keep full control of the alert management process.

You manage alerts from the Threat Command > Alerts page.

The Alerts page displays the Alerts list, the Alert header, the Description, the Banner, and the Options pane.

(Figure: Alerts page)

The Alerts list displays all alerts, with the most recently updated open or in-progress alerts listed first (by default). Every alert is labeled by severity and threat type, so you can quickly identify important alerts before digging further.

(Figure: Alerts list example)

There is a special alert, the summary alert, that can also be displayed in the Alerts list. The summary alert informs you that a recent enhancement in the Threat Command detection algorithms has caused the creation of many new alerts.

In order not to flood your system, these new alerts are given a separate status, Pending. For more information on the summary alert and how best to manage the alerts that it describes, see Managing the summary alert.

In addition to red, yellow, or blue severity colors and alert type, the Alerts list shows the following:

  • Read or unread - The title text of unread alerts is bold on a white background; read alerts are not bold, on a grey background.
  • Analyst or remediation updates - If present, they are indicated in two ways:
    • In the Alerts list, an envelope icon is displayed on the alert.
    • In the Alert options pane, a circle is displayed.
  • Alert status - If the alert is In Progress or Closed, that status is shown.

At the top of the Alerts list, you can use these tools:

  • Severity filter - Click one or more severities to view only alerts of those severities.
    The selected severities are marked with a color band under them.
  • Bulk action toolbar - Perform various actions on selected alerts, as described in the Alert actions table.
  • Sort order - Click to reverse the sort order (Last updated, descending is the default).

Alert types

Alert type classifications are listed below. Each alert type has its own icon in the Alerts list.

  • Attack Indication - Detection of intentions of cyberattacks on websites, forums, and social media (for example, use of the company name in target lists, credit cards for sale, or a bid for attacking the company in hacker forums).
  • Phishing - Detection of potential phishing domains soon after they are registered, which gives you time to prepare for and prevent attacks.
  • Exploitable Data - Detection of information that has been indexed by search engines and can be exploited by attackers (for example, web vulnerability information related to internal confidential networks or databases, and the software used).
  • Data Leakage - Detection of confidential data that has been leaked to the web (for example, employee account credentials, secret documents concerning company projects, or information about the company's internal network).
  • Brand Security - Detection of fake social media profiles and pages or fake mobile applications.
  • VIP - Detection of intentions to attack VIPs, and of fake VIP profiles on social media and other websites.

Alert actions

All actions that you can perform on an alert are listed in the following table, in the order in which they appear on the Alerts page. Actions marked with an * can be performed on multiple alerts, as described in Perform actions on multiple alerts.

Alert actions table

Each entry gives the action, the feature name (in parentheses), where to click if it is not a toolbar icon, and a description.

  • Select all alerts (Perform actions on multiple alerts) - Select (or deselect) all alerts in one click.
  • Change the severity of alerts* (Change alert severity) - Change the severity assigned to alerts. You can change the severity of a single alert by selecting the new severity in the Alert header.
  • Change alert status* (Change alert status) - Change the status of alerts to Open, In Progress, or Closed.
  • Assign alerts* (Assign alerts) - Assign (or unassign) alerts to an analyst. You can assign (or unassign) a single alert from the Alert header.
  • Add watchers* (Add a watcher) - Add a watcher to alerts. You can add a watcher to a single alert from the Alert header.
  • Flag alerts* (Flag alerts) - Flag alerts to draw attention to them. You can flag a single alert from the Alert header.
  • Mark alerts unread or read* (Mark alerts as read or unread) - Change whether alerts are unread or read.
  • Get input about alerts from others* (Share alerts) - Share alerts with someone outside of the Rapid7 system. You can share a single alert from the Alert header.
  • Tag alerts* (Add or edit alert tags) - Add a user-defined tag to alerts. You can tag a single alert from the Alert header.
  • Exclude domains (Exclude irrelevant domains) - Remove certain domains from triggering phishing domain alerts.
  • View alert details (View alert details) - See expanded alert details.
  • View alert history (View alert history) - See the alert timeline.
  • Ask an intelligence analyst for input on an alert (Ask an analyst) - Ask for clarification, context, or a recommendation from an intelligence analyst.
  • Remediate an alert (Remediate an alert) - Click Remediate in the alert banner or footer. Request that Rapid7 intervene to remediate an alert. Only displayed for alerts that can be remediated.
  • Add an IOC to the Remediation Blocklist (Add an IOC to blocklist remediation) - Add an alert URL or domain to an internal Remediation Blocklist, to be fed to security devices. Only displayed for alerts that can be remediated.
  • Add notes to an alert* (Add notes to an alert) - Attach an internal note to alerts.
  • Add a document to an alert* (Add document to an alert) - Upload a document to alerts.
  • View alert ID (See alert ID) - See the unique alert ID.
  • Visit the source site (Visit an alert source site) - Click the Source URL link to open the actual site where the malicious content was found. Certain Attack Indication alerts include an arrow that indicates whether the sale site is currently reachable.
    Note: These sites are potentially malicious. Use this feature with extreme caution; where a PDF preview is enough, use Preview the source site instead.
  • Preview the source site (Preview an alert source site) - Click the Source URL link to view a PDF of the malicious site, without visiting the site.
  • Download alerts (Export alerts to a CSV) - Download a CSV with selected alert information.