Viewing Alert Details

Click the Alert Name to view its details panel.

Details may differ due to updates.

Alert Properties

  • Resolution: Status of the alert, resolved or unresolved

  • Affected entity: The entity that was affected by this alert

  • Actor: The entity or IP that performed the action in the alert

  • Created at: The time when this alert was created

  • Updated at: The last time the system scanned the issue

  • Compliance: The compliance standards the alert relates to

  • MITRE: The MITRE tactics the alert relates to

  • Source app: The application this alert relates to, usually the same app as that of the affected entity

  • Severity: The severity assigned to this detection: low, medium, or high

  • Category: The category of the alert as assigned by Delinea

In addition to the basic alert properties, additional controls are available through the tabs on the Alerts page.

General Tab

Provides details about what was detected, as well as general alert properties. For a description of the columns in this tab, see Inventory Filter Properties.

Entities Tab

Displays the entities that are affected by or related to the alert, as well as the actor who caused the issue. Alerts can be connected to the following types of entities:

  • Affected: Who was affected by the detection

  • Actor: The person or IP who performed the action detected in the alert

  • Related: Anything or anyone that was related to the alert but not affected directly

Evidence Tab

Displays static information that can help you understand what happened and what data the Delinea Platform had at the moment the alert was detected; for example, user IP information, session details, or a map showing the user baseline locations with the detected suspicious location. The different types of evidence give details about the alert and the information used to detect it.

Evidence for alerts can include the following types of contexts:

  • Related activities: Timeline of the actions that were taken and found to be either the root cause of the alert or related to it. Each line represents an action taken by a user in the system.

  • IPs: Aggregated list of IPs that were included in the alert. For each IP, extra information is displayed, such as the location.

  • Sessions: List of sessions related to the alert. The list can contain a single session or multiple sessions. Each session has a start and end time and represents the timeframe during which the user was active in the system. Each session can come from a different IP and user agent, and that information is shown in this context.

  • Map: User locations. The map can show common locations and suspicious locations. Common locations are marked in green, and suspicious locations are marked in orange.

  • Burst of activities: Bar chart showing user activities over time. For example, this can show a historical baseline of the user's administrative activities over a period of a month and highlight (in red) the anomalous day.

  • Heatmap: Chart that usually shows the user's sessions over a period of 30 days. It is used to show when the user is active, the session duration, and, if available, the lower and upper thresholds for the user's activity time.

  • Suspicious activities breakdown: Chart that is part of the Abnormal spike in users activity alert. Shows all activities, grouped by type, that were performed by the user on the day the Delinea Platform detected a spike in activity.
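To make the Burst of activities and Suspicious activities breakdown evidence concrete, here is an added Python example (not Delinea Platform code) that rebuilds both from raw activity records: a month of constructed per-day counts for one user, a leave-one-out baseline that flags the anomalous day, and the per-type breakdown for that day. The record layout, the user name and the z-score threshold are assumptions for the illustration.

```python
"""Recompute 'Burst of activities' and 'Suspicious activities breakdown'
evidence from raw activity records. Added example, not platform code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample():
    """Constructed sample: (timestamp, user, activity type) for Sept 2024.
    Days carry a repeating 1/2/3-logins-per-day baseline; day 21 additionally
    gets ten administrative actions at 02:00, the anomaly we expect to surface."""
    events = []
    for i in range(30):
        day = datetime(2024, 9, 1) + timedelta(days=i)
        for n in range(1 + i % 3):
            events.append((day.replace(hour=9 + n), "alice", "login"))
    for n, kind in enumerate(["role_change"] * 6 + ["secret_read"] * 4):
        events.append((datetime(2024, 9, 21, 2, n), "alice", kind))
    return events


EVENTS = build_sample()


def daily_counts(events, user):
    """Activities per calendar day for one user (the bars of the chart)."""
    counts = defaultdict(int)
    for ts, who, _ in events:
        if who == user:
            counts[ts.date()] += 1
    return dict(sorted(counts.items()))


def spike_days(counts, z=3.0):
    """Days whose count exceeds mean + z*stdev of the *other* days.
    Leave-one-out keeps the anomalous day from inflating its own baseline."""
    flagged = []
    for day, n in counts.items():
        others = [c for d, c in counts.items() if d != day]
        if len(others) >= 2 and n > mean(others) + z * pstdev(others):
            flagged.append(day)
    return flagged


def breakdown_by_type(events, user, day):
    """Activities grouped by type on the spike day (the breakdown chart)."""
    return Counter(k for ts, who, k in events if who == user and ts.date() == day)


if __name__ == "__main__":
    counts = daily_counts(EVENTS, "alice")
    for day in spike_days(counts):
        print(day, counts[day], dict(breakdown_by_type(EVENTS, "alice", day)))
```

Run as-is it reports 2024-09-21 with 13 activities, broken down into 3 logins, 6 role changes and 4 secret reads; the baseline days stay unflagged because the spike day inflates their leave-one-out threshold.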