Manage the Summary Alert

The summary alert is presented in the Alerts list to notify you that enhanced detection algorithms have created multiple new alerts. This can happen when Rapid7 adds:

  • new alert types
  • new detection use cases
  • new intelligence sources or changes in intelligence sources

To prevent these new alerts from “flooding” your Threat Command system, Rapid7 provides you with special tools to manage them.

Each of the new alerts is created with the pending status. This way, the new “flood” alerts will stand apart from other alerts. Using this pending status, you can conveniently manage the new alerts, determining which should be closed or which should be opened for further processing.

Alerts in pending status are only created at the introduction of new alert types, scenarios, etc. Alerts created after the introduction have the normal, open status and are managed in the normal flow.

For example, suppose Rapid7 adds a new source of intelligence for detection. When this source is first introduced, it may contain a lot of new intelligence that was previously unknown to the system, and this new intelligence may cause a "flood" of many new alerts to be created. Those alerts will be marked with the pending status.

After that initial flooding, other alerts generated from this source will be treated like every other alert, with the open status.

The number and severity of newly created alerts are listed inside the body of the summary alert, and the summary alert is assigned the highest severity among the alerts that it is notifying about. If the summary alert severity matches your notification settings, an email will be sent to notify you about its presence.

Here is how it works:

  1. The summary alert is clearly presented in the Alerts list.
    The notification severity matches the highest severity of the alerts that were created.
    The summary alert is available through the API and can be sent by email. You can change its status and perform many other alert activities on the summary alert.
  2. The flooding alerts are created with a special pending status.
    Pending alerts share these characteristics:
    • They are not shown in the default Alerts list.
    • They do not trigger SMS or email notifications.
    • They are not sent to policies or any automation.
    • They are not included in reports (except for the System State report).
    • They are not returned via the alerts-list API query.
  3. Review the pending alerts and their details.
    You can use the Threats page for additional information.
  4. Manage the pending alerts by changing their status, either one-by-one or as a bulk action:
    • Close – No further processing is done.
    • Open – No SMS or email notifications, but all policies and automation will be in effect.

No other actions can be performed on pending alerts until their status is open. Once an alert has been changed from pending, it cannot be changed back to pending.

To manage the summary alert and the pending alerts:

  1. The summary alert is clearly displayed in the Alerts list (see A):
    The “Important Update” text alerts you to the presence of the summary alert and its new, pending alerts. In this case, Rapid7 made a change in this alert type: A company certificate with SSL issues detected. (See B) 10 new alerts were created due to this change. (See C)
  2. To see the new, pending alerts, filter the Alerts list with Status = Pending, in either Basic or Query mode.
  3. Assign a status to each alert, either one-by-one or by selecting multiple alerts.
    In this figure, two alerts are selected to be changed to open status:
    After the status change, these two alerts are in open status: