This page displays a tree of alerts triggered by the signals and rules defined on the Correlation page.
The tree groups correlation hits by signal. An exclamation point indicates that a hit is new, while a checkmark indicates that the hit has been acknowledged, or "acked."
Clicking the arrow next to a signal expands it and shows its hits grouped by date. Expanding a specific date shows the hits grouped by the key field that was specified when the bucket signal was created.
Clicking a single hit opens a detailed view on the right side of the screen. This view shows the hit's state, event count, create time, last update, and attributes, along with any comments that have been made. Clicking the "UPDATE" button allows the user to mark the alert as "new" or "acked" and to add comments. Clicking the "SEARCH" button redirects the user to the events page and runs a search based on the signal name and key field associated with the alert.
As mentioned above, the "SEARCH" button creates an event search that uses the alert's signal name and key field as its search parameters. In the example shown here, the alert is an ADLOGON alert with an event ID, hostname, and target username. Click the "SEARCH" button to redirect to the events page.
After the redirect, the search bar is already populated with the signal name, ADLOGON, and the hostname shown above. Press "SEARCH" to run a search with these parameters.
Once the search completes, the histogram displays the matching events over time.
Scroll down to view the events in more detail. The key field pertaining to the alert is highlighted in yellow in the table row for each event.