The Triage area of the Security Operations application is where analysts can filter and pivot by alert type, name, entities or keywords. The available filters in this area allow analysts to determine the way they want to triage both alerts and investigations.
As mentioned before, SecOps is mainly alert-driven. Alerts are the first thing to act on when users enter the application. Once one or more suspicious, or even potentially dangerous, alerts are detected, the next step is to analyze the content of the threat and the related entities, and to open an investigation to track every action taken by the user and share the content with the other users of the app.
How to apply a filter?
You can filter both alerts and investigations by clicking key elements in the Overview Dashboard widgets, or access the Triage section directly and define the required criteria you want to filter by.
Filter by elements in the Overview Dashboard
Some of the widgets in the Overview Dashboard are interactive and allow you to click key elements and add them to a new filter. Simply click the Overview Dashboard element you want to filter by. In the example below, we click the Critical button in the Most Critical & Not Triaged Alerts widget. We are then prompted to choose whether we want to open the Triage area and see the created filter (by clicking Triage), or simply create the filter and stay in the Overview Dashboard (by clicking Add filter).
Create a filter in the Triage area
You can access the Triage area by clicking the icon marked in the screenshot below in the top bar of the application, and then define the required filters using the available criteria.
After accessing the Triage area, set the conditions you want to filter by. These are the available options:
- From / To: Select the time range of the filtered alerts and investigations.
- Enter one or several words to filter alerts/investigations that contain them in their name, details, etc.
- Choose the alert priority you want to filter by (All, Unknown, Critical, High, Medium, Low or Info).
- Choose the alert type you want to filter by (All, Model, Analytics, Observation or Detection).
- Choose the alert status you want to filter by (All, Unread, Updated, False positive, New, Watched, Closed, Reminder, Recovery or Anti-flood).
- Select the user who was assigned the alert/investigation.
- Write the name of the cities you want to filter by. When you write a city name, it will appear in the dropdown if it is available. This parameter only applies to alerts.
- Select the country or countries you want to filter by from the available ones. This parameter only applies to alerts.
- You can also select the Advanced Filters button to filter by MITRE tactics and techniques.
- Click the Showing results of dropdown list and select which elements you want to filter (All, Alerts or Investigations).
- Click Filter.
After applying the filter, the alerts/investigations that match the specified criteria are listed below it in a table. If you chose to get both alerts and investigations, alerts appear first and investigations appear below them. Learn more about the results you get when filtering alerts and investigations in Triaging alerts and Triaging investigations.
- Filtered alerts appear ordered by date and priority.
- Filtered investigations appear ordered by update date, so you will see the ones most recently updated on top.
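To make the filter semantics above concrete, here is an added example (not code from the Triage application itself) that applies the same criteria to constructed alert and investigation records: an "All" value acts as a wildcard, keywords are matched against name and details, the default window is the last 24 hours, and results are ordered as the tables are. The "newest first" direction for alerts, the priority ranking, and the record fields are assumptions, since the page only names the criteria and the ordering.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Priority labels as the Triage filter lists them, ranked so Critical sorts first (assumed order).
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4, "Unknown": 5}

@dataclass
class Alert:
    name: str; details: str; priority: str
    alert_type: str  # Model, Analytics, Observation or Detection
    status: str      # Unread, Updated, False positive, New, Watched, Closed, ...
    date: datetime
@dataclass
class Investigation:
    name: str; details: str; status: str
    updated: datetime
def _keyword_hit(item, keywords):
    # Any keyword found in the name or details counts as a match (case-insensitive).
    text = f"{item.name} {item.details}".lower()
    return not keywords or any(k.lower() in text for k in keywords)

def triage(alerts, investigations, *, start=None, end=None, keywords=(), priority="All",
           alert_type="All", status="All", showing="All", now=None):
    """Return (alerts, investigations) matching the criteria, ordered as the Triage tables are.
    Assumption: with no time range given, the default window of the last 24 hours applies."""
    end = end or now or datetime.now()
    start = start or end - timedelta(hours=24)
    want = lambda value, chosen: chosen == "All" or value == chosen
    hit_alerts = [a for a in alerts if start <= a.date <= end and _keyword_hit(a, keywords)
                  and want(a.priority, priority) and want(a.alert_type, alert_type)
                  and want(a.status, status)]
    hit_invs = [i for i in investigations if start <= i.updated <= end
                and _keyword_hit(i, keywords) and want(i.status, status)]
    # Alerts: newest first, then highest priority; investigations: most recently updated on top.
    hit_alerts.sort(key=lambda a: (a.date, -PRIORITY_RANK[a.priority]), reverse=True)
    hit_invs.sort(key=lambda i: i.updated, reverse=True)
    if showing == "Alerts": hit_invs = []
    if showing == "Investigations": hit_alerts = []
    return hit_alerts, hit_invs
# Constructed sample data; NOW is a fixed reference time so results are reproducible.
NOW = datetime(2024, 5, 1, 12, 0)
SAMPLE_ALERTS = [
    Alert("Brute force login", "Many failed logins from one host", "High", "Detection", "Unread", NOW - timedelta(hours=2)),
    Alert("Outbound beaconing", "Periodic DNS to a rare domain", "Critical", "Model", "New", NOW - timedelta(hours=2)),
    Alert("Port scan", "Sequential SYNs to many ports", "Low", "Analytics", "Closed", NOW - timedelta(days=3)),
]
SAMPLE_INVS = [
    Investigation("Phishing campaign", "Credential harvesting emails", "Watched", NOW - timedelta(hours=5)),
    Investigation("Beaconing follow-up", "Tracking the rare domain", "New", NOW - timedelta(hours=1)),
]
```

Calling `triage(SAMPLE_ALERTS, SAMPLE_INVS, now=NOW)` reproduces the default 24-hour view, with the Critical alert listed before the High one of the same date and the three-day-old alert left out.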
You can sort the results of the tables by the required criteria by clicking the arrow icon that appears when you hover over any column header.
You can save commonly used filters to reuse them anytime, and set as favorite the one you use the most.
If you access the Triage area and have not applied any custom filter, a default filter is always applied, which returns both alerts and investigations from the last 24 hours.
Save a filter
Select the required criteria and click the save icon. Enter a name for the filter in the window that appears and click OK to save it. Click this icon to access your saved filters.
Mark a filter as favorite
Click this icon and select the heart next to the filter you want to mark as the favorite. Note that you can only mark one filter as favorite.
If you start defining a new filter or select another saved filter, you can click Reset filters to ❤ to apply your favorite filter.
Delete a filter
Click this icon and select the bin icon next to the saved filter you want to remove. Click OK in the confirmation window that appears.