Alerts
| Purpose | The Alerts App provides a centralized view of events flagged by detections, enabling users to manage, analyze, and escalate alerts for timely responses to potential security incidents or operational anomalies. |
|---|---|
| Last Updated | March 26, 2025 |
What is Alerts?
The Alerts App in Raven provides a centralized view of all alerts generated by detections. Alerts represent specific events flagged as requiring user attention, based on predefined detection rules. They serve as critical indicators of potential security incidents, operational anomalies, or other noteworthy events.
Alerts can be managed, analyzed, and escalated to cases for further investigation. With features like bulk actions, severity classification, and AI-driven analysis, the Alerts App streamlines incident response workflows and ensures timely action.
Key Features
Alerts Overview Page
The Alerts Overview Page provides a list of all alerts, allowing users to quickly assess and manage them. Key features include:
- Assigned and Unassigned Alerts: Navigate between alerts assigned to cases and those yet to be assigned.
- Bulk Actions: Perform actions such as assigning alerts to cases, unassigning from cases, changing severity levels, or closing alerts in bulk.
- Alert Details: View key information for each alert:
  - Title: A brief summary of the alert.
  - Description: A detailed explanation of the event that triggered the alert.
  - Detection: The detection rule that generated the alert.
  - Case: The case (if any) to which the alert is assigned.
  - Related Events: The number of events linked to the alert.
  - Observables: Key indicators extracted from the alert (e.g., IP addresses, file hashes).
  - Created At/Updated At Dates: The timestamps for when the alert was created and last updated.
Alert Severity Levels
Alerts are classified into five severity levels to help prioritize responses:
- Critical: Represents major incidents or threats actively compromising critical systems or sensitive data.
- High: Indicates serious threats or vulnerabilities with high risk but no immediate compromise.
- Medium: Represents potential issues that could lead to higher risks if left unresolved.
- Low: Minor issues with limited impact or low likelihood of exploitation.
- Informational: Logs or notifications recorded for tracking or auditing purposes without representing a security threat.
Alert Detail View
The Alert Detail View provides an in-depth look at individual alerts. It includes:
Overview Section:
Displays key information about the alert:
- Severity
- Description
- Case (if assigned)
- Detection (source of the alert)
- Relevant dates (Created At/Updated At)
- Observables (e.g., IP addresses, file hashes)
Tabs Below the Overview
- Related Events: Displays all events linked to the alert for further investigation.
- Related Alerts: Shows other alerts associated with this detection or context.
- Assistant Analysis: If an AI analysis has been triggered, this tab displays insights generated by the assistant.
AI Integration with Alerts
The AI Assistant can analyze alerts automatically or via one-off analysis triggered from the Alert Detail View. Key capabilities include:
- Extracting observables from alerts for use in investigations or cases.
- Formatting observables based on use cases (e.g., STIX 2 format for cybersecurity contexts).
- Providing contextual insights to assist in decision-making.
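As an added illustration (not Raven's own code or API), the following Python sketch does what the first two capabilities above describe: it pulls IPv4 addresses and SHA-256 hashes out of a constructed alert's title and description and wraps each one in a STIX 2.1 Indicator object built from plain dicts. The sample alert, the regexes and the uuid4 identifiers are assumptions made for the example.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample alert, shaped like the Title/Description fields shown
# on the Alerts Overview Page (not real Raven data).
SAMPLE_ALERT = {
    "title": "Suspicious outbound connection from workstation",
    "description": (
        "Host ws-017 connected to 203.0.113.45 and dropped a file with "
        "SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."
    ),
}

# Observable types this example recognises: IPv4 addresses and SHA-256 hashes.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_observables(alert: dict) -> list[tuple[str, str]]:
    """Return sorted, de-duplicated (kind, value) pairs found in title + description."""
    text = f"{alert['title']} {alert['description']}"
    found = [("ipv4-addr", ip) for ip in IPV4_RE.findall(text)]
    found += [("sha256", h.lower()) for h in SHA256_RE.findall(text)]
    return sorted(set(found))


def to_stix_pattern(kind: str, value: str) -> str:
    """Build a STIX 2.1 comparison pattern for one observable."""
    if kind == "ipv4-addr":
        return f"[ipv4-addr:value = '{value}']"
    if kind == "sha256":
        return f"[file:hashes.'SHA-256' = '{value}']"
    raise ValueError(f"unsupported observable kind: {kind}")


def to_stix_indicators(alert: dict) -> list[dict]:
    """Wrap each observable in a STIX 2.1 Indicator object (plain dicts, no SDK)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    indicators = []
    for kind, value in extract_observables(alert):
        indicators.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",  # random id; assumption for the example
            "created": now, "modified": now, "valid_from": now,
            "name": f"{alert['title']} ({kind})",
            "pattern": to_stix_pattern(kind, value),
            "pattern_type": "stix",
        })
    return indicators
```

Feeding the resulting objects into a STIX 2.1 bundle is the step a case or threat-intel platform would expect next.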
Managing Alerts
For each alert, users can perform the following actions:
- Assign alerts to cases for further investigation.
- Unassign alerts from cases if no longer relevant.
- Change severity levels to reflect updated priorities.
- Close alerts once they have been resolved or deemed unnecessary.
All of the above actions can also be performed in bulk on the Alerts Overview Page for efficiency.
Alerts and Cases
Alerts represent events that require user attention but may vary in significance:
- Some alerts may be false positives requiring no action.
- Others may escalate into true positives needing further investigation.
When an alert requires deeper analysis, it can be raised to a case directly from the Alert Detail View. Users can group multiple alerts or add additional data (e.g., query results) into a case for comprehensive investigation.