When data triggers an indicator, an alert is created. The alert is an entry in the Perch console. Each alert contains the data and/or metadata of the packet or payload that triggered the rule. When an alert is generated it also triggers a siren in our SOC pit, causing widespread panic and mayhem, followed by investigation and escalation if necessary.
Your latest 5 alerts are shown right on the main dashboard (if you have any), or you can view all alerts on the alert dashboard by navigating to Threats -> Alerts from the main menu.
On the alert dashboard, alerts are grouped by indicator.
The above is an example of an alert as seen in the app. Let’s break it down:
- Count: The number of open alerts related to this indicator.
- Status: The current status of this alert. The possible statuses are:
  - Not Reviewed: The alert still needs to be reviewed by the SOC. This is their to-do list.
  - Investigating: A status for you to keep track of alerts you want to keep open and are currently looking into. The SOC does not use this status; it exists for your own workflow.
  - On Hold: A status for an alert you want to leave open but are not currently investigating. This is another status for you to use as part of your own internal workflow.
  - Escalated: An alert the SOC has reviewed and determined is worth bringing to your attention. You should be contacted when an alert is escalated, based on your escalation preferences.
- Last Seen: The last time this indicator was seen in your environment.
- Indicator: The community the alert came from and the name of the indicator that was triggered.
- SRC/DEST IP: The most recent source and destination IP addresses and ports that triggered this indicator, along with the country flag if applicable, the hostname if we can get one from DNS, and any labels you may have for the applicable CIDR range that you set up in the Monitored Assets section of the App settings.
- Actions: There are four actions available in this section:
  - Perchybana: This will launch Perchybana with appropriate filters already applied for the IP addresses and timeframe related to this alert.
  - Remediate: This will close the alert with any notes you wish to leave. Any future alerts for this indicator will still trigger. Learn more about Suppressing Alerts.
  - False Positive: This will close the alert, but will also give you the option to tune out the rule for your organization or based on IP addresses. This can be used to prevent this alert from triggering in the future. Learn more about Suppressing Alerts.
  - Details: This will take you to the indicator details page.
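The dashboard fields and the two closing actions above can be modelled as a small triage workflow. The following Python is an added example written for this page; it is not Perch's own code and does not use the Perch API. It assumes a flat list of alert records (sample alerts are constructed inline, not real data) and shows three things the text describes: how alerts are grouped per indicator into Count, Status, Last Seen and SRC/DEST IP; that Remediate closes an alert without affecting future hits; and that False Positive closes the alert and records a suppression, either org-wide or scoped to the alert's IP addresses. The exact matching rule for IP-scoped suppressions (either endpoint of a new hit appearing in the tuned set) is an assumption for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Statuses that keep an alert on the dashboard's open count (from the field list above).
OPEN_STATUSES = {"Not Reviewed", "Investigating", "On Hold", "Escalated"}


@dataclass
class Alert:
    alert_id: int
    indicator: str        # "community / indicator name", as shown in the Indicator field
    src_ip: str
    dst_ip: str
    dst_port: int
    seen_at: datetime
    status: str = "Not Reviewed"   # every new alert lands on the SOC's to-do list
    note: str = ""


@dataclass
class Suppression:
    indicator: str
    ips: Optional[frozenset] = None   # None means the rule is tuned out org-wide


def sample_alerts():
    """Constructed sample data (hypothetical indicators and RFC 5737 test addresses)."""
    return [
        Alert(1, "Perch Community / Known C2 host", "10.0.0.5", "203.0.113.9", 443, datetime(2024, 1, 10, 9, 0)),
        Alert(2, "Perch Community / Known C2 host", "10.0.0.7", "203.0.113.9", 443, datetime(2024, 1, 10, 9, 30)),
        Alert(3, "Partner Feed / Suspicious DNS query", "10.0.0.5", "198.51.100.2", 53, datetime(2024, 1, 9, 17, 0)),
    ]


def dashboard_rows(alerts):
    """Group alerts by indicator the way the alert dashboard does.

    Count counts only open alerts; Last Seen is the newest hit regardless of status;
    Status and SRC/DEST IP come from the most recent open alert. Indicators with no
    open alerts drop off the dashboard.
    """
    rows = {}
    for a in sorted(alerts, key=lambda a: a.seen_at):
        row = rows.setdefault(a.indicator, {"count": 0, "status": None, "last_seen": None, "src_dest": None})
        row["last_seen"] = a.seen_at
        if a.status in OPEN_STATUSES:
            row["count"] += 1
            row["status"] = a.status
            row["src_dest"] = (a.src_ip, a.dst_ip, a.dst_port)
    return {ind: row for ind, row in rows.items() if row["count"] > 0}


def remediate(alert, note):
    """Close the alert with a note. No suppression is recorded, so the next hit
    on the same indicator still produces an alert."""
    alert.status = "Closed"
    alert.note = note


def false_positive(alert, suppressions, note, tune_by_ip=False):
    """Close the alert and tune out the rule, org-wide or for this alert's IPs."""
    alert.status = "Closed"
    alert.note = note
    ips = frozenset({alert.src_ip, alert.dst_ip}) if tune_by_ip else None
    suppressions.append(Suppression(alert.indicator, ips))


def should_alert(indicator, src_ip, dst_ip, suppressions):
    """Decide whether a new hit on an indicator should create an alert.
    Assumption: an IP-scoped suppression matches if either endpoint is in the tuned set."""
    for s in suppressions:
        if s.indicator != indicator:
            continue
        if s.ips is None or src_ip in s.ips or dst_ip in s.ips:
            return False
    return True


if __name__ == "__main__":
    alerts, suppressions = sample_alerts(), []
    for indicator, row in dashboard_rows(alerts).items():
        print(indicator, row)
    remediate(alerts[0], "blocked at the firewall")
    false_positive(alerts[2], suppressions, "internal resolver, expected traffic", tune_by_ip=True)
    print(should_alert("Partner Feed / Suspicious DNS query", "10.0.0.5", "198.51.100.2", suppressions))
```

Run the file directly to see the grouped rows before and after closing alerts. The distinction to keep in mind is the one the field list makes: Remediate records an outcome for one alert, while False Positive changes what the platform will alert on in future, so an org-wide tune-out is a decision to stop seeing that indicator entirely.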