Alerts
What is an alert?
An alert is a security detection made by the Samurai platform or third party vendor where Samurai is ingesting telemetry.
How are alerts triggered?
Alerts are triggered by detection engines based on single or multiple events.
The Samurai MDR portal displays alerts categorized according to the underlying detection engine. These categories include:
Samurai platform
- Real-time engine - Proprietary NTT developed detection engine that leverages behaviour modeling, machine learning, and the latest threat research to automatically identify suspected threats during real-time analysis of ingested telemetry into the Samurai platform.
- Hunting engine - Intelligence-driven detection engine based on the Sigma project but customized by NTT with additional detection capabilities. The Samurai hunting engine performs automated threat hunting to idenfiy and alert on possible adversary activity.
Vendor
- Alerts generated by and collected from third-party vendor technologies which are integrated with the Samurai platform (e.g Endpoint Detection & Response (EDR) and Firewall technologies)
We are working on additional documentation which will walk through the Samurai platform concepts and usage in more depth so look out for updates!
What alerts are displayed within the Samurai MDR portal?
We display the same alerts as our Samurai Security Operation Centre (SOC) analysts view.
Do I need to review and act on alerts?
No. The Samurai SOC analysts triage, investigate and validate alerts as part of your Managed Detection & Response (MDR) service. As alerts are validated by the Samurai SOC analysts and investigated, they may potentially lead to a reported Security Incident and are marked accordingly.
Our strategy includes visibility and transparency of the service we provide to you therefore this feature provides you that visibility showcasing the value of the service. Refer to the Alert Dashboard which provides some key alert metrics over a given time period.
Next Steps
To further understand Alerts within the Samurai MDR portal we recommend you review the Alerts View article.
1 - Alerts View
In this article, all elements of the Alert View are outlined to help you understand the alerts displayed.
Navigate to Alert View
- Login to the Samurai MDR portal
- Click Analysis and select Alerts on the main menu
Figure 1: Alert view example
Alerts Summary
Alerts are summarized in a panel which can be updated based on a specified time period and includes:
- Security Incidents - the total number of security incidents reported to you that may correspond to one or more alerts.
- Alerts - the total number of alerts detected by the Samurai platform and third party vendor integrated with the Samurai platform.
- Real-time engine - the total number of alerts detected by the Samurai real-time engine
- Hunting engine - the total number of alerts detected by the Samurai hunting engine
- Vendor - the total number of alerts collected from third-party vendor products integrated with the Samurai platform
Figure 2: Alerts summary example
Filters
Various filters are available to determine the alerts to be displayed.
Figure 3: Time and Display filter
The total number of alerts within the alerts table in displayed to the left of the Time Period filter.
Time period
You can update all panels to specific date and time ranges. We default to the Last 24 hours however have included Quick time ranges.
Figure 4: Date and time selection
Display Filter
Enter any values you wish to filter and highlight within the display filter.
Figure 5: Display filter
Alert Column Filter
Adjust and show/hide any of the column values within the Alert Table.
Figure 6: Alert column filter
Alerts Table
All alerts are listed within the alert table, important to note is that the table is limited to 10,000 alerts therefore apply filters to narrow the results.
What are the Alert table fields?
Review the table below outlining each field displayed:
| Alert field | Description |
|---|
| Timestamp | Local date and time of when the alert was generated displayed in the format [yyyy:mm:dd] [hh:mm:ss], hover over will display Universal Time Coordinated (UTC) and local timezone offset |
| Incident | If the alert is associated with a reported security incident (one or more alerts may be associated with a single security incident) a link to the security incident is displayed |
| Action | Action relates to the parsed action in the underlying event(s) |
| Signature | Signature name from the detecting engine - this could be from an integrated telemetry source (vendor) or from a Samurai platform detection engine |
| Source | Initiating source, this could be represented as hostname(s), IP address, user or URL |
| Source Port | The initiating source port |
| Destination | The destination, this could be represented as hostname(s), IP address, user or URL |
| Destination Port | Destination port number |
| Protocol | Network protocol e.g TCP / UDP |
| User | User from the underlying event(s) |
| MITRE | The MITRE ATT&CK tactic mapping - this could include one or more tactics. For further information refer to ATT&CK Matric for Enterprise |
| Detection | The detection engine triggering the alert. Refer to How are alerts triggered? |
| ID | Alert ID (not displayed by default) |
If MULTI is displayed in any of the fields it denotes multiple entries e.g multiple destinations are represented as MULTI. Some fields may also be blank if the Samurai platform does not have the underlying data.