Filtering Alerts
The Alerts UI currently provides five filters that you can apply to alerts. You can use these filters to refine the list of alerts and collect additional information on the alerts. These filters are listed in the Filters panel on the left of the Alerts window:
source.type
ip_src_addr
ip_dst_addr
host
enrichments:geo_dst_addr:country
To apply filters to alerts, complete the following steps:
Click one of the filters in the Filters panel on the left of the window.
The filter expands to list all of the facet values contained in the filter. For example, in the following figure, the enrichments:geo_dst_addr:country filter contains the countries Russia, France, and USA.
Note The UI displays the number of alerts corresponding to each facet next to the facet.
You can continue to apply filters to the alerts displayed in the Alerts window to further refine the alerts list.
As you select filters and facets, they are displayed in the Searches field.
For example, in the following figure, we've applied the source.type filter with the bro facet and then the ip_dst_addr filter with the IP address 95.163.121.204.
To clear the filters that have been populated to the Searches field, click the delete icon at the end of the Searches field.
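The procedure above is a UI walk-through; to make the filtering semantics concrete, here is an added example (not code from the Metron project or this documentation) that reproduces the behaviour over a handful of constructed alert documents: per-facet counts for a filter field, stacking of filters so that each selected facet further narrows the list (the selections are ANDed together), the colon-separated lookup needed for the nested enrichments:geo_dst_addr:country field, and clearing the selection. The alert records, host names and IP addresses are made up for the example; the field names are the five listed on this page.

```python
"""Faceted alert filtering, mirroring how the Alerts UI narrows a list.

All alert documents below are constructed for this example and are not
real Metron output.
"""
from collections import Counter

# Constructed sample alerts. Top-level keys use dots ("source.type");
# enrichment values sit in nested objects addressed with colons.
ALERTS = [
    {"source.type": "bro", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "95.163.121.204",
     "host": "ws-01", "enrichments": {"geo_dst_addr": {"country": "Russia"}}},
    {"source.type": "bro", "ip_src_addr": "10.0.0.7", "ip_dst_addr": "95.163.121.204",
     "host": "ws-02", "enrichments": {"geo_dst_addr": {"country": "Russia"}}},
    {"source.type": "snort", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "8.8.8.8",
     "host": "ws-01", "enrichments": {"geo_dst_addr": {"country": "USA"}}},
    {"source.type": "yaf", "ip_src_addr": "10.0.0.9", "ip_dst_addr": "5.39.1.1",
     "host": "ws-03", "enrichments": {"geo_dst_addr": {"country": "France"}}},
    # No geo enrichment at all: this alert must not appear under any country facet.
    {"source.type": "bro", "ip_src_addr": "10.0.0.9", "ip_dst_addr": "8.8.8.8",
     "host": "ws-03", "enrichments": {}},
]

# The five filters the Alerts UI offers, as listed on this page.
FILTER_FIELDS = ["source.type", "ip_src_addr", "ip_dst_addr", "host",
                 "enrichments:geo_dst_addr:country"]


def get_field(alert, name):
    """Resolve a filter field name against an alert document.

    A name that exists as a top-level key (even one containing dots, such as
    "source.type") is returned directly; otherwise the name is split on ":"
    and each part walks one level into nested enrichment objects. Missing
    paths yield None so the alert simply drops out of that facet.
    """
    if name in alert:
        return alert[name]
    node = alert
    for part in name.split(":"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def facet_counts(alerts, field):
    """Alerts per facet value: the number the UI shows next to each facet."""
    values = (get_field(a, field) for a in alerts)
    return Counter(v for v in values if v is not None)


def apply_filters(alerts, selected):
    """Keep only alerts matching every (field, value) pair in `selected`.

    Stacking filters in the UI narrows the list, so the pairs are ANDed.
    An empty selection (filters cleared) returns the full list.
    """
    return [a for a in alerts if all(get_field(a, f) == v for f, v in selected)]


def searches_field(selected):
    """Render the current selection as it accumulates in the Searches field.

    Assumption: the exact text format shown by the UI is not given on this
    page; "field:value" pairs joined by spaces are used here for display.
    """
    return " ".join(f"{f}:{v}" for f, v in selected)


def walkthrough():
    """Replay the page's example: source.type = bro, then ip_dst_addr = 95.163.121.204."""
    selected = [("source.type", "bro")]
    after_first = apply_filters(ALERTS, selected)
    selected.append(("ip_dst_addr", "95.163.121.204"))
    after_second = apply_filters(ALERTS, selected)
    return {
        "country_facets": facet_counts(ALERTS, "enrichments:geo_dst_addr:country"),
        "after_source_type": len(after_first),
        "dst_facets_within_bro": facet_counts(after_first, "ip_dst_addr"),
        "after_both": len(after_second),
        "searches_field": searches_field(selected),
        "after_clear": len(apply_filters(ALERTS, [])),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Note that the facet counts shown for a filter are computed over whatever alerts are currently visible, so after selecting the bro facet the ip_dst_addr facets only count bro alerts; that is why refining with a second filter can only shrink the list, never grow it.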