Chat now with support
Chat with Support

Change Auditor Threat Detection 7.0.1 - User Guide

Alert Filter

Use the Alert Filter pane to display a subset of alerts. The following is a list of the filter categories and values:
Severity: Filter the list to include alerts for one or more severity level, including Critical, High, Medium, or Low.
Feedback: Filter the list to include alerts for one or more feedback type, including Select All, No Feedback, Actual Risk, or Not a Risk. See Alert list for information on providing feedback.
Entity: Filter the list to include only alerts for a specific username.
Indicators: Filter the list to include alerts for one or more indicator (For example, Active Directory - Abnormal Logon Time, Authentication - Logged onto Multiple Computers, Multiple File Access Failures, and so on.)
Date Range: Filter the list to include alerts created during a specific date range, including the Last Week, Last Month, or during a specified range.

The filters are automatically applied as you make your selections. You can clear all currently set filters by clicking Clear.

How to perform an alert investigation

The alert investigation allows you to select existing alerts and indicators for investigation. From the Alerts tab, there are a few options available to start an investigation:
To investigate a user, click the username in the Entity Name column. This takes you to Alert Overview, where you can investigate the alerts associated with that user.
To investigate a specific alert for a user, click the alert name in the Alert Name column. This takes you to Alert Overview with the desired alert already selected in the Alerts pane on the left. From the Alert Overview screen, you can see a summary of the alert information, including:
The alert name.
A description of the alert.
The time frame of the alert (hourly).
The severity level icon.
The contribution to the user score value (for example, +20).
The sources for the alert (for example, Logon).
Analyst notes.
Alerts flow.
The Alert Flow view provides a timeline of indicators that are related to the formation of the alert. The timeline can help to determine if the alert is an actual risk or not.
The Analyst Notes section allows you to mark the alert as an Actual Risk or Not a Risk. Additionally, you can add comments about the alert for future reference. When an alert is marked as Not a Risk, the risk score associated with the alert is immediately subtracted from the User Risk Score.
Analyst’s notes and alert feedback are displayed on the Overview screen. Changes to the score are also listed, and reflect their value at the time of the feedback.
To investigate a specific indicator that is related to an alert for a user, click the arrow icon next to the alert name, then click the indicator name in the Indicator Name column. This takes you to Alert Overview with the desired alert already selected in the Alerts pane on the left, and the Indicator information for the alert displayed in the central alert pane.
For each indicator you will see:
The indicator name and a description of the indicator type.
Anomaly value: The value determined to be abnormal when compared to the baseline. This could be a number, timestamp, or text value.
Data source of the events found in the indicator.
Start time.
Number of events.
Clicking on an indicator provides the following information:
Contribution to SMART: The percentage that each indicator contributed to the alert is calculated based on their assigned score and the number of times they contributed. The total of all contributions is normalized to 100% by dividing the total score for each indicator by the sum of all the scores that contributed to the alert. For example, if an alert had two associated indicators and the score of the first indicator is 50 and the second is 25, and each contributed once to the alert, the contribution for would be 66% for the first indicator and 33% for the second. (50 divided by 75 and 25 divided by 75).
The graphic view of the behavioral baseline, with the anomaly highlighted in red.
The table containing all the events that took part in this behavioral anomaly.
To close the indicator view and return to the Alert Overview view, click the X on the top right corner of the pane.
To switch between the Alert Overview and Indicator views, click the directional symbols (< and >) on the top right corner of the alert view pane.
To follow the user to make its actions easier to track in the future, click the Watch Profile icon on the top right of the Alert Overview screen.

Common functions

There are many common functions that are used throughout the dashboard. Two of these are listed here for reference:

Search for a user

The Search User tool is located on the upper right corner of the dashboard. Using the tool, you can easily access alert investigations, and instantly drill down into their past behaviors.

To search for a user
1
Type letters from the required username into the search field.
Auto-complete provides suggestions for the user that you are looking for.
2
Clicking on one of the options provided from the menu redirects you to the specific Alert Overview.
Add a user to the watch profile

If there is a user that you want to follow, you can add them to the list of watched users. You can quickly access the watched users from the Overview pane or by clicking the Watched icon in the All Users pane.

To start watching a user, click Watch Profile from their alert overview. To stop watching a user, click Stop Watching. You can also select to add more than one user by selecting Add all to Watchlist from the Users tab.

 

Alert and indicator reference
Alert types
Threat indicators

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating