Overview
UTMStack’s Alert Investigation capabilities provide security analysts with comprehensive workflows and tools to efficiently investigate, analyze, and respond to security alerts. The platform centralizes all relevant context, evidence, and actions in a unified interface to accelerate incident response.All alert investigation data is accessible through the
/data route in the Alert Management module.Investigation Workflow
Alert Triage
Quickly review and prioritize alerts based on severity, category, and threat intelligence context.
Contextual Analysis
Access related logs, events, and alerts to understand the full scope of the security incident.
Collaborative Investigation
Add notes, tags, and collaborate with team members on complex investigations.
Response Actions
Execute response actions directly from the alert interface or escalate to incident management.
Alert Details View
Each alert provides comprehensive information:Core Alert Information
- Alert Name: Description of the detected threat or anomaly
- Category: Type of security event (malware, network attack, etc.)
- Severity: Risk level (High, Medium, Low)
- Status: Current alert state (Automatic review, Under investigation, Closed)
- Timestamp: When the alert was generated
- Data Source: Which integration or agent generated the alert
Enrichment Data
- Target Information: Affected users, systems, IP addresses
- Adversary Details: Source IPs, domains, user agents
- Threat Intelligence: Matched IOCs, reputation scores, threat actor info
- MITRE ATT&CK: Mapped tactics, techniques, and procedures
- Description: Detailed explanation of the threat and recommended actions
Related Events
- Last Event: Most recent event that contributed to the alert
- Event Timeline: Chronological view of all related events
- Raw Logs: Access to underlying log data for deep analysis
Alert Management Actions
Perform actions directly from the alert interface:- Change Status: Update alert status to track investigation progress
- Adjust Severity: Modify severity based on investigation findings
- Add Tags: Apply custom tags for categorization and filtering
- Add Notes: Document investigation findings and decisions
- Create Incident: Escalate to formal incident management workflow
- Assign Owner: Delegate investigation to specific team members
Alert Filtering
Efficiently find relevant alerts using advanced filtering:- Status Filters: View open, closed, or all alerts
- Severity Filters: Focus on High, Medium, or Low severity events
- Category Filters: Filter by alert category or type
- Time Range: Analyze alerts within specific timeframes
- Data Source: View alerts from specific integrations
- Custom Filters: Save frequently used filter combinations
frontend/src/app/data-management/alert-management/shared/components/filters/
Alert History
Track all changes made to an alert:- Status changes and who made them
- Severity adjustments
- Notes and comments added
- Tag modifications
- Assignment changes
- Related incident associations
frontend/src/app/shared/types/alert/alert-history.type.ts
Alert Tags
Organize and categorize alerts with tags:- Apply multiple tags to a single alert
- Create custom tag taxonomies
- Filter and search by tags
- Auto-apply tags based on rules
- Share tag definitions across teams
frontend/src/app/shared/types/alert/alert-tag.type.ts
Incident Creation
Escalate alerts to formal incidents:- Select one or more related alerts
- Create a new incident or add to existing incident
- Incident automatically includes alert context and evidence
- Continue investigation in the incident management interface (
/incident) - Track incident through resolution and post-incident review
frontend/src/app/incident/incident-shared/component/add-alert-to-incident/
Alert Notifications
Stay informed about new and updated alerts:- Real-time Notifications: Get notified of new high-severity alerts
- Email Alerts: Configurable email notifications for alert conditions
- WebSocket Updates: Live alert updates without page refresh
- Notification Center: View recent alerts in the header notification area
frontend/src/app/shared/components/layout/header/shared/notification/utm-notification-alert/
Alert Rules and Solutions
Access contextual guidance during investigations:- Alert Descriptions: Detailed explanations of what triggered the alert
- Recommended Solutions: Step-by-step remediation guidance
- Related Rules: View the detection rule that generated the alert
- Rule Modification: Tune rules directly from the alert interface
frontend/src/app/shared/types/alert/actions/alert-description.type.tsfrontend/src/app/shared/types/alert/actions/alert-solution.type.ts
Integration with SOAR
Alert investigations can trigger automated response:- Execute response playbooks from alert interface
- Automate common investigation tasks
- Orchestrate actions across security tools
- Track automation execution in alert history
/soar route.
Best Practices
Reporting
Generate reports from alert data:- Alert summary reports by time period
- Category and severity distribution
- Mean time to detect and respond metrics
- Analyst performance and workload analysis
- Custom reports with specific filter criteria
frontend/src/app/shared/types/alert/alert-report.type.ts
Related Features
- Threat Detection: How alerts are generated
- SOC AI: AI-powered investigation assistance
- Threat Intelligence: Enrich investigations with threat context
- Log Management: Access raw logs during investigations
Technical Implementation
References:- Alert Management Module:
frontend/src/app/data-management/alert-management/ - Alert Services:
frontend/src/app/data-management/alert-management/shared/services/ - Alert Types:
frontend/src/app/shared/types/alert/ - Alert Constants:
frontend/src/app/shared/constants/alert/ - Data Route:
frontend/src/app/app-routing.module.ts:28