Alerts View

This article outlines every element of the Alerts View to help you understand the alerts it displays.

  1. Log in to the Samurai MDR portal
  2. Click Analysis on the main menu and select Alerts

Figure 1: Alert view example

Alerts Summary

Alerts are summarized in a panel that can be updated for a specified time period and includes:

  • Security Incidents - the total number of security incidents reported to you; each incident may correspond to one or more alerts.
  • Alerts - the total number of alerts detected by the Samurai platform and by third-party vendor products integrated with the Samurai platform.
  • Real-time engine - the total number of alerts detected by the Samurai real-time engine.
  • Hunting engine - the total number of alerts detected by the Samurai hunting engine.
  • Vendor - the total number of alerts collected from third-party vendor products integrated with the Samurai platform.

Figure 2: Alerts summary example

Filters

Various filters are available to control which alerts are displayed.

Figure 3: Time and Display filter

The total number of alerts in the alerts table is displayed to the left of the Time Period filter.

Time period

You can update all panels to a specific date and time range. The default is the Last 24 hours; Quick time ranges are also provided for common periods.

Figure 4: Date and time selection

Display Filter

Enter any values you wish to filter on in the display filter; matching values are highlighted in the table.

Figure 5: Display filter

Alert Column Filter

Adjust the order of the columns and show or hide any of the column values in the Alert Table.

Figure 6: Alert column filter

Alerts Table

All alerts are listed in the alert table. Note that the table is limited to 10,000 alerts, so apply filters to narrow the results when the selected period contains more than that.

What are the Alert table fields?

The table below describes each field displayed:

Alert field | Description
Timestamp | Local date and time at which the alert was generated, displayed in the format [yyyy:mm:dd] [hh:mm:ss]. Hovering over the value displays the Coordinated Universal Time (UTC) value and the local timezone offset.
Incident | If the alert is associated with a reported security incident (one or more alerts may be associated with a single security incident), a link to the security incident is displayed.
Action | The parsed action from the underlying event(s).
Signature | Signature name from the detecting engine. This may come from an integrated telemetry source (vendor) or from a Samurai platform detection engine.
Source | The initiating source, represented as hostname(s), IP address, user or URL.
Source Port | The initiating source port.
Destination | The destination, represented as hostname(s), IP address, user or URL.
Destination Port | The destination port number.
Protocol | Network protocol, e.g. TCP or UDP.
User | User from the underlying event(s).
MITRE | The MITRE ATT&CK tactic mapping, which may include one or more tactics. For further information refer to the ATT&CK Matrix for Enterprise.
Detection | The detection engine that triggered the alert. Refer to How are alerts triggered?
ID | Alert ID (not displayed by default).

If MULTI is displayed in any field, it denotes multiple entries; for example, multiple destinations are represented as MULTI. Some fields may also be blank if the Samurai platform does not have the underlying data.