Version: 3.1.0

Alerts

In the [Alerts] menu there is a table with a list of all triggered alerts.

Sycope ships with many predefined alert rules created by a team of cybersecurity experts. The Alerts menu lists the alerts those rules have triggered; an empty table means that no alert has been triggered. Alert parameters (the rules themselves) are configured in the [Configuration > Rules] menu.

Introduction

At the top of the window are the standard search bar, time range selector and related controls; these elements are described in the User Interface section. Above the table, a time chart shows the number of alerts triggered per unit of time as bars.


By default the Alerts table shows only a subset of columns; use the column drop-down menu to choose which columns are visible.


Advanced View

After selecting a row (click the row, or tick the check box in the first column of the table), the Advanced View panel opens. It lists every field and value associated with the selected alert.


Selecting the Hide empty rows option hides fields with empty values, which makes the remaining data easier to read.

When several rows are selected, the Advanced View shows one tab per selected alert.


Action button menu

The Action button, available once a row is selected, offers the following actions:

  • Status - set the alert’s current state
    • New
    • Acknowledged
    • Assigned
    • In Progress
    • Pending
    • Resolved
  • Classification - choose the alert’s verdict category
    • null (no verdict assigned yet)
    • Info
    • True Positive
    • False Positive
  • Assign to user – pick a user to own this alert
  • Add comment – create or edit a comment inline


Right Click Menu

Right-clicking a row opens a context menu with the following options:

  • Copy
  • Quick Actions – common triage tasks inline
  • Investigate in Raw Data – inspect the raw event payload
  • Go to rule – jump to the triggering rule’s definition
  • Drilldown
  • Actions
    • Contextual analysis
    • Search in lookups
    • Check value in lookup
    • Add value to lookup
    • Add all values to profile rule
    • Add value to profile rule
    • Add value to input filters
    • Add value to output filters
  • Send externally – push this alert to external systems
    • Block host by IP
    • Rest Client
    • IP Reputation – menu with external tools (Displayed only when an IP address is clicked)
  • Show (Displayed only when an IP address is clicked)
    • Only public IPs
    • Only private IPs
    • Net Mask
    • Resolved DNS for all values
    • Resolved DNS
  • Tools (Displayed only when an IP address is clicked)
    • Ping


Settings menu

The settings menu is opened by pressing the settings icon above the table.

The following actions are available here:

  • Settings
    • Manage rules
    • Export as
      • CSV - export the alerts currently displayed in the table to a CSV file (limited to 1000 records)
      • CSV (full data) - export all alerts stored in the System database, not only the displayed ones
      • PDF - export the alerts currently displayed in the table to a PDF file (limited to 1000 records)
      • JSON (widget object) - export the table as a widget object in JSON
  • Customize
    • Show raw field names
    • Sorting on server side
    • Hide empty columns

Alerts Table fields description

The table below describes the most important fields that can be displayed in the Alerts table, together with the raw (NQL) name shown when Show raw field names is enabled.

| Field Name | NQL Name | Description |
|---|---|---|
| Alert Id | id | Alert identifier |
| Time | timestamp | Alert time |
| Rule Type | alertRuleType | Rule type |
| Alert Name | alertName | Alert name |
| Rule Id | alertRuleId | Rule identifier |
| Alert Description | alertDescription | Alert description |
| Alert Severity | alertSeverity | Alert severity |
| Threshold Level | alertThresholdLevel | Threshold level (Critical, Major, Minor) |
| Alert Tags | alertTags | Tags |
| Mitre Tactic | alertMitreTactic | MITRE ATT&CK tactic |
| Mitre Technique | alertMitreTechnique | MITRE ATT&CK technique |
| Mitre Technique Id | alertMitreTechniqueId | MITRE ATT&CK technique id |
| Mitre Subtechnique | alertMitreSubtechnique | MITRE ATT&CK sub-technique |
| Correlations | alertCorrelations | Rule correlations |
| Mitigation System | alertMitigationSystem | Mitigation system |
| Mitigation IP | alertMitigationIpField | Mitigation IP |
| Raw Data | rawData | Raw data |
| ACK | alertAck | Acknowledge flag |
| ACK User | alertAckUser | User who last updated the Acknowledge flag |
| ACK Time | alertAckLastUpdate | Acknowledge flag update time |
| False Positive | alertFalsePositive | False Positive handling flag |
| FP User | alertFalsePositiveUser | User who last updated the False Positive flag |
| FP Time | alertFalsePositiveLastUpdate | False Positive flag update time |
| Comment | alertComment | Comment |
| Commented User | alertCommentUser | User who last updated the comment |
| Comment Time | alertCommentLastUpdate | Comment update time |
| Classification | alertClassification | Verdict category of the alert |
| Classification Time | alertClassificationLastUpdate | Timestamp of the most recent classification change |
| Client IP | clientIp | Client IP |
| Client Port | clientPort | Client port |
| Client TCP Flags | clientTcpFlags | Client TCP flags |
| Client Group | clientGroups | Client group |
| Client Country | clientCountry | Client country |
| Client Mac | clientMac | Client MAC address |
| Client Hostname | clientHostname | Client hostname |
| Server IP | serverIp | Server IP |
| Server Port | serverPort | Server port |
| Server TCP Flags | serverTcpFlags | Server TCP flags |
| Server Group | serverGroups | Server group |
| Server Country | serverCountry | Server country |
| Server Mac | serverMac | Server MAC address |
| Server Hostname | serverHostname | Server hostname |
| Status | alertStatus | Current alert state |
| Status Time | alertStatusLastUpdate | Timestamp of the most recent status change |
| User | alertUser | User assigned to investigate this alert |
| Username | user | Username |
| Unique Client IPs | uniqueClientIPs | Unique client IPs |
| Unique Server IPs | uniqueServerIPs | Unique server IPs |
| Unique Server Ports | uniqueServerPorts | Unique server ports |
| Unique Client ASNs | uniqueClientASNs | Unique client ASNs |
| Unique Server ASNs | uniqueServerASNs | Unique server ASNs |
| Unique Client Countries | uniqueClientCountries | Unique client countries |
| Unique Server Countries | uniqueServerCountries | Unique server countries |
| BPF | _bpf | Bytes per flow |
| BPP | _bpp | Bytes per packet |
| Bytes | _bytes | Sum of bytes |
| Flows | _flows | Sum of flows |
| Packets | _packets | Sum of packets |
| PPF | _ppf | Packets per flow |
| PPS | _pps | Packets per second |
| SYN | _syn | Count of SYN flags |
| Unique ASN | _uniqueASNs | Unique count of ASNs |
| Unique ClientIPs | _uniqueClientIPs | Unique count of client IPs |
| Unique ServerIPs | _uniqueServerIPs | Unique count of server IPs |
| Unique Server Ports | _uniqueServerPort | Unique count of server ports |
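The field names above are what an analyst works with once alerts leave the UI. The following Python script is an added example, not Sycope code: it consumes an exported alert list offline and derives the triage figures the menus above let you act on one row at a time (open alerts per severity, false-positive share per rule, alerts whose server side is a public address, and which ATT&CK tactics still have open work). It assumes that a CSV (full data) export taken with Show raw field names enabled uses the NQL names from the table as column headers; that column layout, the classification value being empty for the null verdict, and the sample rows themselves are constructed for the example. It also flags an export that hit the 1000-record cap of the per-view CSV export, since such a file is probably missing alerts.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption (not stated in the Sycope docs): a "CSV (full data)" export taken
# with "Show raw field names" enabled uses the NQL names from the field table
# as column headers. The rows below are constructed sample data, not a real export.
SAMPLE_EXPORT = """\
id,timestamp,alertRuleId,alertName,alertSeverity,alertStatus,alertClassification,alertMitreTactic,clientIp,serverIp,serverPort
a1,2023-09-13T12:00:00Z,r-scan,Port scan,Major,New,,Discovery,10.0.0.5,10.0.0.9,22
a2,2023-09-13T12:01:00Z,r-scan,Port scan,Major,Resolved,False Positive,Discovery,10.0.0.5,10.0.0.9,80
a3,2023-09-13T12:02:00Z,r-c2,Beaconing,Critical,In Progress,True Positive,Command and Control,10.0.1.7,1.1.1.1,443
a4,2023-09-13T12:03:00Z,r-c2,Beaconing,Critical,New,,Command and Control,192.168.1.20,9.9.9.9,8443
a5,2023-09-13T12:04:00Z,r-dns,DNS tunnel,Minor,Acknowledged,Info,Exfiltration,172.16.0.3,8.8.8.8,53
"""

# The per-view CSV and PDF exports are capped at 1000 records (from the docs).
VIEW_EXPORT_LIMIT = 1000

# Status values offered by the Action button; everything except Resolved is open work.
OPEN_STATUSES = {"New", "Acknowledged", "Assigned", "In Progress", "Pending"}


def load_alerts(csv_text):
    """Parse an export into a list of dicts keyed by NQL field name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def looks_truncated(rows):
    """True when a per-view export reached its record cap, so alerts are probably
    missing; re-export with 'CSV (full data)' in that case."""
    return len(rows) >= VIEW_EXPORT_LIMIT


def open_alerts_by_severity(rows):
    """Count alerts still in an open status, per alertSeverity."""
    counts = Counter(r["alertSeverity"] for r in rows if r["alertStatus"] in OPEN_STATUSES)
    return dict(counts)


def false_positive_rate_by_rule(rows):
    """Share of classified alerts marked False Positive, per alertRuleId.
    Alerts with no verdict yet ('null' in the UI, assumed empty in the CSV) are skipped."""
    false_positives = Counter()
    classified = Counter()
    for r in rows:
        verdict = r["alertClassification"]
        if not verdict:
            continue
        classified[r["alertRuleId"]] += 1
        if verdict == "False Positive":
            false_positives[r["alertRuleId"]] += 1
    return {rule: false_positives[rule] / n for rule, n in classified.items()}


def alerts_to_public_servers(rows):
    """Ids of alerts whose serverIp is not a private address: the offline
    equivalent of the 'Only public IPs' option in the right-click menu."""
    ids = []
    for r in rows:
        try:
            addr = ipaddress.ip_address(r["serverIp"])
        except ValueError:  # empty or malformed field, e.g. an aggregate alert
            continue
        if not addr.is_private:
            ids.append(r["id"])
    return ids


def tactics_with_open_alerts(rows):
    """MITRE ATT&CK tactics (alertMitreTactic) that still have at least one open alert."""
    return sorted({r["alertMitreTactic"] for r in rows if r["alertStatus"] in OPEN_STATUSES})


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_EXPORT)
    if looks_truncated(alerts):
        print(f"warning: {len(alerts)} rows, export may be truncated at {VIEW_EXPORT_LIMIT}")
    print("open alerts by severity:", open_alerts_by_severity(alerts))
    print("false-positive rate by rule:", false_positive_rate_by_rule(alerts))
    print("alerts to public servers:", alerts_to_public_servers(alerts))
    print("tactics with open alerts:", tactics_with_open_alerts(alerts))
```

A rule whose classified alerts are mostly False Positive is the one to revisit under Manage rules (or to feed into a profile rule or input filter via the right-click Actions menu), and unclassified alerts are deliberately left out of that ratio so a backlog of untriaged rows does not hide a noisy rule. Replace SAMPLE_EXPORT with the contents of a real export file to run this against your own data.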