The Triage area of the Security Operations application is where analysts can filter and pivot by alert type, name, entities or keywords. The available filters in this area allow analysts to determine the way they want to triage both alerts and investigations.
As noted earlier, Security Operations is built around alerts: they are the first thing to review when you enter the application. Once one or more suspicious (or potentially dangerous) alerts are identified, the next step is to analyze the threat and its related entities and open an investigation, which tracks every action taken and shares its contents with the other users of the app.
How to apply a filter?
You can filter both alerts and investigations by clicking key elements in the Overview Dashboard widgets, or access the Triage section directly and define the required criteria you want to filter by.
Filter by elements in the Overview Dashboard
Some of the widgets in the Overview Dashboard are interactive and allow you to click key elements and add them to a new filter. Simply click the Overview Dashboard element you want to filter by. In the example below, we click the Critical button in the Most Critical & Not Triaged Alerts widget. We are then prompted to choose whether to open the Triage area and see the created filter (clicking Triage), or simply create the filter and stay in the Overview Dashboard (clicking Add filter).
Create a filter in the Triage area
You can access the Triage area by clicking the icon marked in the screenshot below in the top bar of the application, then define the required filters using the available criteria.
After accessing the Triage area, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range by selecting the start and end dates in the calendar, or select a preset interval. You can also select a start date and activate the Now toggle to set the end date to the current time. Click OK after choosing the time range.
After applying a specific time range, you can click the play button next to the selector to activate real-time mode. New results will then keep appearing as time passes.
Then, set the conditions you want to filter by. These are the available options:
- Enter one or several words to filter alerts/investigations that contain them in their name, details, etc.
- Choose the alert priority you want to filter by (All, Unknown, Critical, High, Medium, Low or Info).
- Choose the alert type you want to filter by (All, Model, Analytics, Observation or Detection).
- Select the user who was assigned the alert/investigation.
- Entity / Filter value: choose the required type of entity from the drop-down list and enter the value you want to filter by. For example, if you want to get elements related to IP addresses that contain the value 10, choose ip from the Entity drop-down and enter the value 10 in the Filter value box. Click the + button to add the required entity/filter value pairs. Note that this is a substring match, so a value of 10 also returns addresses such as 192.168.10.7; enter the full address if you want an exact hit.
You can also select the Advanced Filters button to filter by the following criteria:
- Choose the alert status you want to filter by (All, Unread, Updated, False positive, New, Watched, Closed, Reminder, Recovery or Anti-flood).
- Write the name of the cities you want to filter by. When you write a city name, it will appear in the dropdown if it is available. This parameter only applies to alerts.
- Select the country or countries you want to filter by from the available ones. This parameter only applies to alerts.
- Filter by one or several ATT&CK Tactics.
- Filter by one or several ATT&CK Techniques.
- Switch on this option if you want to filter elements by their impact. Indicate the required range using the sliders or enter the required values in the fields at the right of the area. You must also choose the comparison operator to apply (equal to, greater than, and so on).
- Click the Showing results of dropdown list and select which elements you want to filter (All, Alerts or Investigations).
- Click Filter.
After applying the filter, the alerts/investigations that match the specified criteria will be listed below. Filtered alerts and investigations appear in a table. If you chose to get both alerts and investigations, alerts will appear first, and investigations will appear below them. Learn more about the results you get when filtering alerts and investigations in Triaging alerts and Triaging investigations.
- Filtered alerts appear ordered by date and priority.
- Filtered investigations appear ordered by update date, so you will see the ones most recently updated on top.
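To make the filter semantics above concrete (time range with the Now toggle, keywords, priority, type, status, assignee, entity/filter value pairs, ATT&CK tactics, impact with a comparison operator, and the default 24-hour window), here is an added Python model of a Triage filter run over a few constructed alerts. It is example code written for this page, not the Security Operations application's own code or API: the alert fields, the `search` wrapper, the sample data and the result ordering (priority first, then newest) are assumptions. It also shows why the entity/filter value criterion needs care: it is a substring match, so `ip` containing `10` returns 192.168.10.7 as well as 10.0.0.5.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from operator import eq, gt, lt, ge, le
from typing import Optional

# Priority order used for sorting results; "Unknown" sinks to the bottom (assumption).
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4, "Unknown": 5}
IMPACT_OPS = {"=": eq, ">": gt, "<": lt, ">=": ge, "<=": le}


@dataclass
class Alert:
    """Minimal alert model for this illustration (field names are assumptions)."""
    name: str
    details: str
    priority: str
    alert_type: str                  # Model, Analytics, Observation or Detection
    status: str                      # New, Unread, Watched, Closed, ...
    created: datetime
    entities: dict                   # entity type -> values, e.g. {"ip": ("10.0.0.5",)}
    tactics: frozenset                # ATT&CK tactic names
    impact: int
    assignee: Optional[str] = None


@dataclass
class TriageFilter:
    """One set of Triage criteria; unset fields do not restrict the results."""
    start: datetime
    end: Optional[datetime] = None   # None models the "Now" toggle (end = current time)
    keywords: tuple = ()
    priority: str = "All"
    alert_type: str = "All"
    status: str = "All"
    assignee: Optional[str] = None
    entity_values: tuple = ()        # (entity type, substring) pairs added with "+"
    tactics: frozenset = frozenset()
    impact: Optional[tuple] = None   # (operator, value), e.g. (">", 5)


def default_filter(now: datetime) -> TriageFilter:
    """The filter applied when no custom filter is set: the last 24 hours up to now."""
    return TriageFilter(start=now - timedelta(hours=24), end=None)


def matches(a: Alert, f: TriageFilter, now: datetime) -> bool:
    """True when the alert satisfies every criterion set on the filter."""
    if not f.start <= a.created <= (f.end or now):
        return False
    text = f"{a.name} {a.details}".lower()
    if not all(k.lower() in text for k in f.keywords):
        return False
    if f.priority != "All" and a.priority != f.priority:
        return False
    if f.alert_type != "All" and a.alert_type != f.alert_type:
        return False
    if f.status != "All" and a.status != f.status:
        return False
    if f.assignee is not None and a.assignee != f.assignee:
        return False
    # Entity/filter value is a substring match: "ip contains 10" also hits 192.168.10.7.
    for etype, sub in f.entity_values:
        if not any(sub in v for v in a.entities.get(etype, ())):
            return False
    if f.tactics and not (f.tactics & a.tactics):
        return False
    if f.impact is not None:
        op, value = f.impact
        if not IMPACT_OPS[op](a.impact, value):
            return False
    return True


def triage(alerts, f: TriageFilter, now: datetime) -> list:
    """Names of matching alerts, ordered by priority and then newest first (assumed order)."""
    hits = [a for a in alerts if matches(a, f, now)]
    hits.sort(key=lambda a: (PRIORITY_RANK.get(a.priority, 5), -a.created.timestamp()))
    return [a.name for a in hits]


# Constructed sample alerts and a fixed clock so the example runs offline.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ALERTS = (
    Alert("Brute force on VPN", "200 failed logins", "Critical", "Detection", "New",
          NOW - timedelta(hours=1), {"ip": ("10.0.0.5",), "user": ("alice",)},
          frozenset({"Credential Access"}), 9, assignee="analyst1"),
    Alert("Login from new country", "first login from BR", "High", "Analytics", "New",
          NOW - timedelta(hours=2), {"user": ("bob",)}, frozenset({"Initial Access"}), 6),
    Alert("Port scan from partner range", "SYN sweep", "Medium", "Observation", "Unread",
          NOW - timedelta(hours=3), {"ip": ("192.168.10.7",)}, frozenset({"Discovery"}), 4),
    Alert("Malware beacon", "periodic C2 callbacks", "High", "Model", "Watched",
          NOW - timedelta(hours=30), {"ip": ("10.1.1.9",), "hostname": ("ws-42",)},
          frozenset({"Command and Control"}), 8),
)


def search(hours_back: int, now: datetime = NOW, **criteria) -> list:
    """Convenience wrapper: filter the sample alerts over the last `hours_back` hours."""
    return triage(ALERTS, TriageFilter(start=now - timedelta(hours=hours_back), **criteria), now)


if __name__ == "__main__":
    print(triage(ALERTS, default_filter(NOW), NOW))          # default 24h window
    print(search(24, entity_values=(("ip", "10"),)))          # loose substring match
    print(search(24, entity_values=(("ip", "10.0.0.5"),)))    # exact address
```

The 30-hour-old beacon never appears under the default filter; widen the window (or pick an absolute range) before concluding that an entity has no earlier history.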
You can sort the results of the tables by the required criteria by clicking the arrow icon that appears when you hover over any column header.
You can save commonly used filters to reuse them anytime, and set as favorite the one you use the most.
If you access the Triage area without applying any custom filter, a default filter is always applied, which returns both alerts and investigations from the last 24 hours.
Save a filter
Select the required criteria and click the save icon. Enter a name for the filter in the window that appears and click OK to save it. Click this icon to access your saved filters.
Mark a filter as favorite
Click this icon and select the heart next to the filter you want to mark as the favorite. Note that you can only mark one filter as favorite.
If you start defining a new filter or select another saved filter, you can click Reset filters to ❤ to apply your favorite filter.
Delete a filter
Click this icon and select the bin icon next to the saved filter you want to remove. Click OK in the confirmation window that appears.