Version: 3.0

Alerts

The [Alerts] menu shows a table listing all triggered alerts.

The Sycope system ships with many predefined Alerts created by a team of cybersecurity experts. The table lists every Alert defined in the System that has been triggered; if the table is empty, no Alerts have been triggered. Alert parameters are configured in the menu [Configuration > Rules].

Introduction

At the top of the window are the standard search bar, the time range menu and related controls, which are described in User Interface. Above the table is a time chart showing, as bars, the number of alerts triggered per unit of time.

By default, the Alerts table displays 9 columns; you can change which columns are visible using the drop-down menu.

Advanced View

After selecting a row, either by clicking on it or on the check box in the first column of the table, the Advanced View menu opens. All the variables and values associated with the selected alert are shown there.

When several rows are selected, the Advanced View shows a separate tab for each selected alert.

Action button menu

The Action button is available for the selected row and can be used to perform the following actions:

  • Mark as ACK - set the Acknowledged flag
  • Mark as NEW - remove the Acknowledged flag
  • Mark as False Positive - set the False Positive flag
  • Unmark as False Positive - remove the False Positive flag
  • Add comment - add your own comment

Right Click Menu

After right-clicking on a row, a Right Click menu with the following options becomes available:

  • Action
    • Mark as ACK - set the Acknowledged flag
    • Mark as NEW - remove the Acknowledged flag
    • Mark as False Positive - set the False Positive flag
    • Unmark as False Positive - remove the False Positive flag
    • Add comment - add your own comment
    • Add value to input filters - add the value to the input filter of the alert rule
    • Add value to output filters - add the value to the output filter of the alert rule
    • Add value to lookup - add the value to a lookup
  • REST Client - send the alert to another system using the REST Client functionality
  • Resolve
    • RIPE - search for the address in the RIPE database
    • DNS for all values - resolve DNS names for all IP addresses in the table
    • DNS - resolve the DNS name of the selected IP address
    • Ns lookup - query a DNS server for the DNS records and IP address information of the selected value
  • Net mask Search - quick filter by IP address mask
  • Tools
    • Ping - simple PING tool
  • Mitigation
    • Block host by IP - block the address; available when the system is integrated with the MACMON probe
  • Custom - your own Right Click actions, configured in the menu [Drilldowns]

Settings menu

The settings menu is opened by clicking the settings icon.

The following actions are available here:

  • Server sorting switch
    • off - sorting is performed in the browser on the records it has already retrieved from the database (at most 1000 records), so only that subset is sorted
    • on - sorting is performed in the database, and the browser then retrieves the first 1000 records of the sorted result
  • Export as
    • CSV - export the alerts currently displayed in the table to a CSV file (limited to 1000 records)
    • PDF - export the alerts currently displayed in the table to a PDF file (limited to 1000 records)
    • PNG - export the alerts currently displayed in the table to a PNG file (limited to 1000 records)
    • Full CSV Export - export all alerts stored in the System (database), without the 1000-record limit
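The difference between the two sorting modes matters when the table holds more than 1000 alerts: with server sorting off, the browser sorts only the 1000 records it fetched in database order, so a sort by severity can silently omit Critical alerts that sit beyond that window. The following added example (not part of the Sycope documentation or product) simulates both modes over a constructed set of 5000 alerts; the record layout, the severity distribution and the 1000-record page size used here are assumptions made for the illustration.

```python
PAGE_LIMIT = 1000  # records the browser retrieves (documented 1000-record limit)
SEVERITY_RANK = {"Critical": 3, "Major": 2, "Minor": 1}


def make_alerts(n):
    """Constructed sample: every 20th alert is Critical, every other 5th is Major,
    the rest Minor. Records are in database (insertion) order, like the table."""
    alerts = []
    for i in range(1, n + 1):
        if i % 20 == 0:
            sev = "Critical"
        elif i % 5 == 0:
            sev = "Major"
        else:
            sev = "Minor"
        alerts.append({"id": i, "alertSeverity": sev})
    return alerts


def _by_severity_desc(row):
    return -SEVERITY_RANK[row["alertSeverity"]]


def browser_sort(alerts):
    """Server sorting OFF: the browser first fetches the first PAGE_LIMIT records
    in database order and only then sorts that subset."""
    page = alerts[:PAGE_LIMIT]
    return sorted(page, key=_by_severity_desc)


def server_sort(alerts):
    """Server sorting ON: the database sorts the whole set and the browser
    retrieves the first PAGE_LIMIT records of the sorted result."""
    return sorted(alerts, key=_by_severity_desc)[:PAGE_LIMIT]


def count_severity(rows, severity):
    return sum(1 for r in rows if r["alertSeverity"] == severity)


def missed_by_browser(alerts, severity="Critical"):
    """Ids of alerts of the given severity that a server-side sort would show
    on the first page but a browser-side sort never sees."""
    shown = {r["id"] for r in browser_sort(alerts) if r["alertSeverity"] == severity}
    return sorted(r["id"] for r in alerts
                  if r["alertSeverity"] == severity and r["id"] not in shown)


if __name__ == "__main__":
    sample = make_alerts(5000)
    print("Critical shown, server sorting off:", count_severity(browser_sort(sample), "Critical"))
    print("Critical shown, server sorting on: ", count_severity(server_sort(sample), "Critical"))
    print("Critical alerts missed by browser sort:", len(missed_by_browser(sample)))
```

The practical rule this illustrates: turn server sorting on (or use Full CSV Export) whenever the result set may exceed 1000 records and the sort is the basis for triage.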

Alerts Table fields description

In the table below are descriptions of the most important fields that are available for display in the Alerts table.

| Field Name | NQL Name | Description |
|---|---|---|
| Alert Id | id | Alert Identifier |
| Time | timestamp | Alert Time |
| Rule Type | alertRuleType | Rule Type |
| Alert Name | alertName | Alert Name |
| Rule Id | alertRuleId | Rule Identifier |
| Alert Description | alertDescription | Alert Description |
| Alert Severity | alertSeverity | Alert Severity |
| Threshold Level | alertThresholdLevel | Threshold Level (Critical, Major, Minor) |
| Alert Tags | alertTags | Tags |
| Mitre Tactic | alertMitreTactic | Mitre ATT&CK Tactic |
| Mitre Technique | alertMitreTechnique | Mitre ATT&CK Technique |
| Mitre Technique Id | alertMitreTechniqueId | Mitre ATT&CK Technique Id |
| Mitre Subtechnique | alertMitreSubtechnique | Mitre ATT&CK Subtechnique |
| Correlations | alertCorrelations | Rule Correlations |
| Mitigation System | alertMitigationSystem | Mitigation System |
| Mitigation IP | alertMitigationIpField | Mitigation IP |
| Raw Data | rawData | Raw Data |
| ACK | alertAck | Acknowledged flag |
| ACK User | alertAckUser | User who last updated the Acknowledged flag |
| ACK Time | alertAckLastUpdate | Acknowledged flag update time |
| False Positive | alertFalsePositive | False Positive flag |
| FP User | alertFalsePositiveUser | User who last updated the False Positive flag |
| FP Time | alertFalsePositiveLastUpdate | False Positive flag update time |
| Comment | alertComment | Comment |
| Commented User | alertCommentUser | User who last updated the comment |
| Comment Time | alertCommentLastUpdate | Comment update time |
| Client IP | clientIp | Client IP |
| Client Port | clientPort | Client Port |
| Client TCP Flags | clientTcpFlags | Client TCP Flags |
| Client Group | clientGroups | Client Group |
| Client Country | clientCountry | Client Country |
| Client Mac | clientMac | Client MAC address |
| Client Hostname | clientHostname | Client Hostname |
| Server IP | serverIp | Server IP |
| Server Port | serverPort | Server Port |
| Server TCP Flags | serverTcpFlags | Server TCP Flags |
| Server Group | serverGroups | Server Group |
| Server Country | serverCountry | Server Country |
| Server Mac | serverMac | Server MAC address |
| Server Hostname | serverHostname | Server Hostname |
| Username | user | Username |
| Unique Client IPs | uniqueClientIPs | Unique Client IPs |
| Unique Server IPs | uniqueServerIPs | Unique Server IPs |
| Unique Server Ports | uniqueServerPorts | Unique Server Ports |
| Unique Client ASNs | uniqueClientASNs | Unique Client ASNs |
| Unique Server ASNs | uniqueServerASNs | Unique Server ASNs |
| Unique Client Countries | uniqueClientCountries | Unique Client Countries |
| Unique Server Countries | uniqueServerCountries | Unique Server Countries |
| BPF | _bpf | Bytes Per Flow |
| BPP | _bpp | Bytes Per Packet |
| Bytes | _bytes | Sum of Bytes |
| Flows | _flows | Sum of Flows |
| Packets | _packets | Sum of Packets |
| PPF | _ppf | Packets Per Flow |
| PPS | _pps | Packets Per Second |
| SYN | _syn | Count of SYN flags |
| Unique ASN | _uniqueASNs | Unique Count of ASNs |
| Unique ClientIPs | _uniqueClientIPs | Unique Count of Client IPs |
| Unique ServerIPs | _uniqueServerIPs | Unique Count of Server IPs |
| Unique Server Ports | _uniqueServerPort | Unique Count of Server Ports |
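The NQL names above are also the column names a practitioner works with when processing a Full CSV Export outside the UI. The following added example (not part of the Sycope documentation or product) reads a constructed CSV sample whose header uses those names, drops alerts that are already acknowledged or marked False Positive, and groups what remains by MITRE ATT&CK technique id and source address. The sample rows, the ISO timestamp format and the "true"/"false" encoding of the flag columns are assumptions made for the illustration; check them against a real export before relying on the filter.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Full CSV Export (not real Sycope output). Column names
# follow the NQL names documented in the Alerts table; the boolean encoding of
# alertAck / alertFalsePositive as "true"/"false" is an assumption.
SAMPLE_CSV = """id,timestamp,alertName,alertSeverity,alertMitreTechniqueId,alertAck,alertFalsePositive,clientIp,serverIp
1,2023-09-13T12:00:00Z,Port scan,Major,T1046,false,false,10.0.0.5,10.0.1.20
2,2023-09-13T12:01:00Z,Port scan,Major,T1046,true,false,10.0.0.5,10.0.1.21
3,2023-09-13T12:02:00Z,DNS tunneling,Critical,T1071.004,false,false,10.0.0.9,8.8.8.8
4,2023-09-13T12:03:00Z,Brute force,Minor,T1110,false,true,10.0.0.7,10.0.1.30
5,2023-09-13T12:04:00Z,DNS tunneling,Critical,T1071.004,false,false,10.0.0.9,1.1.1.1
"""


def load_alerts(csv_text):
    """Parse an export into a list of dicts keyed by the NQL column names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_true(value):
    """Tolerant boolean parsing for the flag columns (encoding is an assumption)."""
    return (value or "").strip().lower() in ("true", "1", "yes")


def open_alerts(rows):
    """Alerts still needing triage: neither acknowledged nor marked False Positive."""
    return [r for r in rows
            if not is_true(r["alertAck"]) and not is_true(r["alertFalsePositive"])]


def count_by_technique(rows):
    """Number of alerts per MITRE ATT&CK technique id (empty id grouped as '-')."""
    return Counter(r["alertMitreTechniqueId"] or "-" for r in rows)


def sources_for_technique(rows, technique_id):
    """Distinct client (source) IPs behind a given technique id, sorted."""
    return sorted({r["clientIp"] for r in rows if r["alertMitreTechniqueId"] == technique_id})


def critical_open(rows):
    """Ids of open alerts with Critical severity, in export order."""
    return [r["id"] for r in open_alerts(rows) if r["alertSeverity"] == "Critical"]


if __name__ == "__main__":
    rows = load_alerts(SAMPLE_CSV)
    todo = open_alerts(rows)
    print("open alerts:", [r["id"] for r in todo])
    for technique, n in count_by_technique(todo).most_common():
        print(f"{technique}: {n} alert(s) from {sources_for_technique(todo, technique)}")
```

Because the export carries the flag columns, the same script can be re-run after analysts acknowledge or dismiss alerts in the UI and will show only what is still open.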