Table of contents
The behavior summary page shows a detailed view of a behavior alert.
The facet on the left side can be used to filter events. There are eight fields associated with a behavior model that can be used for search filters: incident status, analyst, score level, key, key type, behavior rule, behavior, and risks.
Clicking on an alert opens up a detailed view of all the behavior models triggered by the event, in addition to the type of behavior, the risk score, and the number of events that triggered this alert.
Clicking the arrow to open up a behavior displays three tabs: Correlation Hits, Risks, and Fields. The correlation hits tab shows risks that were triggered by the correlation rules associated with this alert, with a description of the field that triggered it corresponding to the alert.
The second tab is Risks. This tab displays a list of all the risks associated with the behavior model, either triggered by correlation rules or attached to the model itself.
The last tab is the Fields tab. This tab displays the attributes associated with the behavior model, in addition to their values alongside each field.
Clicking the Status dropdown menu allows the user to make changes to the current status of an alarm. By default, an alert will display with the N/A status. If the score associated with the alert passes a certain threshold (set by the customer), it will appear as “New.”
Clicking the magnifying glass next to the key field will redirect you to the behavior timeline page and display all the events associated with the behavior alert that was triggered. From there, you can navigate to the events page and view more information on the events. More information on how to do this can be found on the behavior timeline page.