Alerts

What are alerts?

When data triggers a rule, an alert is created. The alert is an entry in the Perch console. Each alert contains the data and/or metadata of the packet/payload that triggered the rule. When an alert is generated, it also triggers a siren to go off in our SOC pit, causing widespread panic and mayhem, followed by investigation and escalation if necessary.

Your latest 3 alerts are shown right on the dashboard (if you have any), or you can view all alerts on the alert dashboard by clicking the alert icon in the menu. On the alert dashboard, alerts are grouped by host so that you can focus on the hosts generating the most alerts.

TIP: When alerts come in, you will see them pop up over the alert icon in the menu.

[Screenshot: an example alert as seen in the app]

The above is an example of an alert as seen in the app. Let’s break it down:

  • The left column includes sightings (how many times this alert has been seen by others). Below that is the status of the alert.
  • The right column consists of 3 rows:
    • Row 1:
      • The community the alert came from
      • The group the alert was seen in
      • The sensor that saw it
      • How long ago it was seen
    • Row 2:
      • The name of the alert, aka the indicator name
    • Row 3:
      • The protocol in brackets
      • The source IP (with country flag if applicable)
      • The destination IP (with country flag if applicable)

TIP: The copy icon next to the IP addresses lets you copy the IP to your clipboard.
TIP: Want to research the interactions of both the source and destination within Perchybana? All you have to do is hit the Perchy icon to the right of an alert. Easy!
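To make the alert anatomy above and the dashboard's group-by-host view concrete, here is an added Python example (not Perch's code or schema). It models an alert with the fields listed above, picks the "host" an alert belongs to, groups and ranks hosts by alert count, and renders the "how long ago" and protocol/IP rows. The sample alerts, the 10.0.0.0/8 "local network" used to decide which side of a flow is the host, and the fixed clock are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class Alert:
    """One console alert with the fields the page lists (a constructed model, not Perch's schema)."""
    community: str     # community the alert came from
    group: str         # group the alert was seen in
    sensor: str        # sensor that saw it
    seen_at: datetime  # when it was seen; displayed as "how long ago"
    indicator: str     # name of the alert, a.k.a. the indicator name
    protocol: str      # shown in brackets on row 3
    src_ip: str        # source IP
    dst_ip: str        # destination IP
    sightings: int     # how many times others have seen this alert
    status: str        # status shown under the sightings count


# Fixed "now" so the age text and ordering are reproducible (assumption for the example).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample alerts: documentation IP ranges and placeholder indicator names.
SAMPLE_ALERTS = [
    Alert("example-community", "HQ", "sensor-01", NOW - timedelta(minutes=2),
          "Example indicator A (outbound beacon)", "TCP", "10.0.0.5", "203.0.113.7", 12, "open"),
    Alert("example-community", "HQ", "sensor-01", NOW - timedelta(minutes=15),
          "Example indicator B (inbound scan)", "TCP", "198.51.100.4", "10.0.0.5", 40, "open"),
    Alert("example-community", "HQ", "sensor-01", NOW - timedelta(hours=1),
          "Example indicator C (DNS lookup)", "UDP", "10.0.0.5", "203.0.113.9", 3, "escalated"),
    Alert("example-community", "Branch", "sensor-02", NOW - timedelta(minutes=5),
          "Example indicator A (outbound beacon)", "TCP", "10.0.0.9", "203.0.113.7", 12, "open"),
    Alert("example-community", "Branch", "sensor-02", NOW - timedelta(hours=3),
          "Example indicator D (policy violation)", "TCP", "10.0.0.9", "192.0.2.10", 1, "closed"),
    # Neither side is local: traffic between two external addresses seen by the sensor.
    Alert("example-community", "Branch", "sensor-02", NOW - timedelta(minutes=30),
          "Example indicator B (inbound scan)", "TCP", "198.51.100.4", "192.0.2.10", 40, "open"),
]

# Assumed monitored network used to decide which side of a flow is "the host".
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")


def local_host(alert, local_net=LOCAL_NET):
    """Return the host an alert is grouped under: the side inside the monitored network.

    Falls back to the destination when neither side is local, so every alert
    lands in exactly one group and nothing is silently dropped.
    """
    if ipaddress.ip_address(alert.src_ip) in local_net:
        return alert.src_ip
    return alert.dst_ip


def alerts_by_host(alerts, local_net=LOCAL_NET):
    """Group alerts by host, hosts with the most alerts first (the dashboard's view)."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[local_host(alert, local_net)].append(alert)
    # sorted() is stable, so hosts with equal counts keep first-seen order.
    return dict(sorted(groups.items(), key=lambda kv: len(kv[1]), reverse=True))


def busiest_hosts(alerts, n=3, local_net=LOCAL_NET):
    """(host, alert count) for the n hosts to look at first."""
    return [(host, len(v)) for host, v in alerts_by_host(alerts, local_net).items()][:n]


def latest_alerts(alerts, n=3):
    """The 'latest 3 alerts' dashboard widget: newest first."""
    return sorted(alerts, key=lambda a: a.seen_at, reverse=True)[:n]


def age_text(alert, now=NOW):
    """Render 'how long ago it was seen' for row 1."""
    secs = int((now - alert.seen_at).total_seconds())
    if secs < 60:
        return f"{secs} seconds ago"
    if secs < 3600:
        return f"{secs // 60} minutes ago"
    return f"{secs // 3600} hours ago"


def summary_row(alert):
    """Row 3 of the console layout: [protocol] source -> destination."""
    return f"[{alert.protocol}] {alert.src_ip} -> {alert.dst_ip}"


if __name__ == "__main__":
    for host, count in busiest_hosts(SAMPLE_ALERTS):
        print(f"{host}: {count} alert(s)")
    for alert in latest_alerts(SAMPLE_ALERTS):
        print(age_text(alert), alert.indicator, summary_row(alert))
```

The one design choice worth noting is the fallback in `local_host`: an alert whose source and destination are both outside the monitored range still has to be attributed to some host, otherwise it vanishes from a host-centric view and the triage queue silently shrinks.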

Curious about what to do with your alerts and how to suppress them? Learn about suppressing alerts in our other post.