Group Alerts
You can group alerts so you can apply filters, status, etc. to multiple alerts at a time.
-
Click one of the groups listed by Group By.
The Alerts table view changes to a tree view listing the values of the groups.In the following example, the group is
source.type
and the values are Snort and Bro.NoteThe icon to the left of the value provides the cumulative severity score for all the alerts in the value. If the score exceeds 999, then the value displays as 999+. - Click one of the values to list the alerts for that value.
-
You can click an alert to add it to the Searches field.
NoteSearches will search through all the groups, not just the group containing the alert.
-
All features that are available for the Alerts table are available for the tree
view.
For example, if you apply an action, such as Escalate, to an alert, it will apply to all alerts within the group. Similarly, if you search for a parameter, it will search all alerts within the group.
-
You can continue to refine your alerts by applying additional groups.
You can change the order in which the groups are applied to the alerts by clicking and dragging the groups on the Groups By line.
- To ungroup your alerts and return to the Alerts window, click Ungroup which is located on the far right of the list of groups.