The Alerts Page

Introduction

The Alerts view (in the sidebar's Security section) provides a deeper level of insight into all the events that Field Effect, and our analysts, have analyzed and flagged as alerts. These alerts represent the lowest level of activity that we use to generate AROs. What makes Field Effect such a powerful cyber security solution is that it’s able to analyze, triage, and aggregate these alerts and notify you on the truly impactful alerts via AROs in the Field Effect portal.


It’s important to understand that events are not a cause for concern, and that Field Effect is analyzing every event. Any events that are a cause for concern will be delivered to you as an ARO. If you are a more technical user who is curious to learn about what type of events Field Effect alerts on, this is a great resource. You can also use this page to inspect artifacts and low-level details related to an ARO you may have received.



Navigating the Alerts Page

The List View

The alerts page is presented as a list (shown above) with each row representing an alert and each column offering details about that alert.


The following columns are available by default:

  • Alerted (UTC): the time the alert was generated.
  • Host Name: the name of the device associated with the alert. Clicking the host name will take you to the drilled-in view for the host on the Dashboard’s Hosts page (Endpoint section).
  • Sensor: the network appliance that created the alert.
  • Category: the entity that created the alert (analyst, endpoint).
  • Type: the alert type (analytics, malware, endpoint EDR).
  • Sub-Type: a more granular category type to better organize alerts (malware, system tampering).
  • Action: the action taken as a result of the alert (blocked, observed).
  • Severity: the severity of the alert (alert, low, medium, high, etc.).
  • MITRE: a link to the MITRE ATT&CK framework vector associated with the alert, if applicable.


The Details View

Clicking a row in this list will expose more details about the selected alert along the bottom of the page.



The Details view can also be expanded into a modal view using the Expand icon. Clicking View ARO will take you to the ARO in the Field Effect portal.



Alert Flows

If Endpoint EDR alert type is selected, the details view will contain an alert flow. This shows a history of the events that led to the endpoint agent’s eventual response.



Editing Columns

Columns can be shown or hidden to suit your needs. To edit a view’s columns, click Edit Columns from the view you want to adjust. The Edit Columns tool will open, listing all available columns for the view. Use the checkmarks to select the columns you want to use in the table. Unchecked columns will not be visible. Once you’ve made your selections, click Apply.



The size of each column can also be adjusted. Use the arrows in the column header to sort and drag the edge of the column to adjust the width.



Searching for Alerts

The search bar supports logic statements that let you build custom queries to find specific alerts. Use a logic statement to build a structured search (for example, the “Category” column contains “XYZ”) or perform a plain keyword search.



After selecting a suggested column from the dropdown, suggested logic statements will become visible. Select the logic statement that suits your search to continue.



After selecting a logic statement, suggested search choices specific to the selected column will become visible. In the example below, the user chose the Category column and Contains logic statement. Therefore, the dropdown shows “Analyst” and “Endpoint” as suggestions.



Also note that you are not restricted to the suggestions: you can type custom values into logic statements, or perform basic keyword searches without any logic statement.



Sorting & Filtering Alerts

To sort the Alerts list, click a column header to toggle between ascending and descending order for that column. You can also use the “Order By” feature, which appears as a suggested search function.


To filter the list, use the “Is Not” or “Is Null” suggestions. “Is Not” returns results that do not match the selected suggestion or the keyword you provide. “Is Null” returns items with no content in the selected column.

As you make selections, you will be prompted with search suggestions as shown above in Searching for Alerts.



Exporting Results

You can export the entire list of alerts, or a filtered subset of alerts, using the Export .csv icon.



The export will be downloaded to your default folder.
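To make the behaviour of the search, filter, sort and export features described above concrete, here is a small Python model of them. This is an added illustration, not Field Effect code, and it does not reflect how the portal's query engine is implemented: the column names are the default columns listed earlier, the sample alert rows are constructed, and the matching rules for “Contains”, “Is”, “Is Not”, “Is Null”, “Order By” and keyword search are assumptions made from the wording of this article (case-insensitive matching, and “Is Null” meaning an empty cell). The CSV writer stands in for the Export .csv icon.

```python
"""Toy model of the Alerts-page search, filter, sort and export logic.

Added illustration, not Field Effect code. The statement semantics are
assumptions derived from the article's description; the rows are constructed.
"""
import csv
import io
from typing import Optional

# Constructed sample rows mirroring the default columns of the list view.
# None stands for a column with no content, which is what "Is Null" matches.
SAMPLE_ALERTS = [
    {"Alerted (UTC)": "2024-01-08T14:02:11Z", "Host Name": "WS-0417", "Sensor": "hq-sensor-1",
     "Category": "Endpoint", "Type": "Endpoint EDR", "Sub-Type": "System Tampering",
     "Action": "Blocked", "Severity": "High", "MITRE": "T1562"},
    {"Alerted (UTC)": "2024-01-08T13:55:40Z", "Host Name": "WS-0102", "Sensor": "hq-sensor-1",
     "Category": "Analyst", "Type": "Analytics", "Sub-Type": None,
     "Action": "Observed", "Severity": "Medium", "MITRE": None},
    {"Alerted (UTC)": "2024-01-08T15:10:03Z", "Host Name": "SRV-DB01", "Sensor": "dc-sensor-2",
     "Category": "Endpoint", "Type": "Malware", "Sub-Type": "Malware",
     "Action": "Blocked", "Severity": "High", "MITRE": "T1204"},
    {"Alerted (UTC)": "2024-01-08T12:30:59Z", "Host Name": "WS-0219", "Sensor": "dc-sensor-2",
     "Category": "Analyst", "Type": "Analytics", "Sub-Type": None,
     "Action": "Observed", "Severity": "Low", "MITRE": None},
]


def _matches(value: Optional[str], op: str, needle: Optional[str]) -> bool:
    """Evaluate one logic statement against a single cell (assumed semantics)."""
    op = op.lower()
    if op == "is null":          # the column has no content
        return value is None
    if value is None:            # an empty cell cannot satisfy the other statements
        return False
    if op == "contains":         # case-insensitive substring match
        return needle.lower() in value.lower()
    if op == "is":
        return value.lower() == needle.lower()
    if op == "is not":           # exclude rows matching the suggestion or keyword
        return value.lower() != needle.lower()
    raise ValueError(f"unsupported logic statement: {op!r}")


def filter_alerts(alerts, column, op, needle=None):
    """Return the rows for which `<column> <op> <needle>` holds."""
    return [a for a in alerts if _matches(a.get(column), op, needle)]


def keyword_search(alerts, keyword):
    """Basic keyword search with no logic statement: any column contains the keyword."""
    k = keyword.lower()
    return [a for a in alerts
            if any(v is not None and k in v.lower() for v in a.values())]


def order_by(alerts, column, descending=False):
    """Sort like clicking a column header or using 'Order By'; empty cells go last."""
    present = [a for a in alerts if a.get(column) is not None]
    missing = [a for a in alerts if a.get(column) is None]
    return sorted(present, key=lambda a: a[column], reverse=descending) + missing


def export_csv(alerts, columns):
    """Serialise the (possibly filtered) list to CSV text with the chosen columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    for a in alerts:
        writer.writerow({c: ("" if a.get(c) is None else a[c]) for c in columns})
    return buf.getvalue()


if __name__ == "__main__":
    # "Category" Contains "Analyst", then newest first, exported with two columns.
    analyst = order_by(filter_alerts(SAMPLE_ALERTS, "Category", "contains", "Analyst"),
                       "Alerted (UTC)", descending=True)
    print(export_csv(analyst, ["Alerted (UTC)", "Host Name", "Severity"]))
    # "MITRE" Is Null: alerts with no ATT&CK mapping.
    print(len(filter_alerts(SAMPLE_ALERTS, "MITRE", "is null")), "alerts without a MITRE link")
```

Running the module prints the Analyst alerts as CSV, newest first, followed by the count of alerts whose MITRE column is empty. Note that “Is Not” here only excludes rows whose cell is non-empty and differs; rows with an empty cell are not returned by “Is Not” either, which is one plausible reading of the article but is an assumption of this model.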



