The Alerts UI currently provides five filters that you can apply to alerts. You can use
these filters to refine the list of alerts and collect additional information on the alerts.
These filters are listed in the Filters panel on the left of the
Alerts window.
-
Click one of the filters in the Filters panel on the left of
the window.
The Filter expands to list all of the facet values contained in the filter. For
example, in the following figure, the
enrichments:geo_dst_addr:country filter contain the countries
Russia, France, and USA.
After you modify the filter, you will see a warning indicating that the current alert
data is not in sync with your filter parameters:
Click the

(search) button to refresh the alerts data.
-
You can continue to apply filters to the alerts displayed in the
Alerts window to further refine the alerts list.
As you select filters and facets, they are displayed in the
Searches field.
For example, in the following figure, we've applied the source.type
filter with the bro
facet and then the ip_dst_addr
filter with the IP address 95.163.121.204
.
-
You can also enter alert filters in the Search field.
For example:
alert_status:(NEW OR OPEN)
-
To clear filters that have been populated to the Searches
field, click
(delete icon) at the end of the Searches
field.