Manage detection alerts

The Detections page displays all detection alerts. From the Alerts table, you can filter alerts, change an alert’s status, and start investigating and analyzing alerts in Timeline.

From Timeline, you can create cases to track issues and share information with colleagues.

View and filter detection alerts

The Detections page offers various ways for you to organize and triage detection alerts as you investigate suspicious events. You can:

  • Filter for a specific rule in the KQL bar (for example, signal.rule.name :"SSH (Secure Shell) from the Internet").

KQL autocomplete for .siem-signals-* indices is available on the Detections and Rule details pages, and in Timeline when either All or Detection alerts is selected.

  • Use the date and time filter to select a time range that you’re interested in exploring. By default, this filter is set to search the last 24 hours.
  • View detection alerts generated by a specific rule. To do this, click Manage detection rules, then click on a rule name in the All rules table. The Rules detail page displays a comprehensive view of the rule’s details, and alert details are displayed in the Alerts table beneath the Trend histogram.
  • Use the Stack by drop-down in the Trend histogram to select specific parameters to visualize the individual counts. For example, if you select signal.rule.name, the histogram displays the total counts by alert name.
  • Filter alert results to include building block alerts or to only show alerts from indicator match rules by selecting the Additional filters drop-down. By default, building block alerts are excluded from the Alerts table; therefore, including them expands the number of alerts.

When updating alert results to include building block alerts, the Security app searches the .siem-signals-<Kibana space> index for the signal.rule.building_block_type field. When looking for alerts created from indicator match rules, the app searches the same index for the signal.rule.threat_mapping field.
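The filters described above can be reproduced outside the UI by querying the signals index directly. This added example (not from the Elastic documentation) builds the Elasticsearch query DSL that corresponds to the Alerts table defaults and options on this page; the field name signal.status and the "open"/"in-progress"/"closed" values are an assumption, since the page names the statuses but not the field.

```python
# Added example: mirror the Alerts table filters as an Elasticsearch bool query
# against the per-space signals index (.siem-signals-<Kibana space>).
# Assumption: signal.status stores "open", "in-progress" or "closed".
from typing import Any, Dict, List, Optional


def signals_index(space: str = "default") -> str:
    """Per-space signals index, named as the docs describe it."""
    return f".siem-signals-{space}"


def alerts_query(
    rule_name: Optional[str] = None,
    status: str = "open",                   # default Alerts table view
    include_building_blocks: bool = False,  # excluded by default in the UI
    indicator_match_only: bool = False,
    hours: int = 24,                        # default date filter: last 24 hours
) -> Dict[str, Any]:
    """Return a bool query equivalent to the selected Alerts table filters."""
    filters: List[Dict[str, Any]] = [
        {"range": {"@timestamp": {"gte": f"now-{hours}h", "lte": "now"}}},
        {"term": {"signal.status": status}},  # assumed status field
    ]
    must_not: List[Dict[str, Any]] = []
    if rule_name:
        # Same effect as the KQL bar filter: signal.rule.name : "<rule name>"
        filters.append({"match_phrase": {"signal.rule.name": rule_name}})
    if not include_building_blocks:
        # Building block alerts are the ones carrying
        # signal.rule.building_block_type, so exclude any document that has it.
        must_not.append({"exists": {"field": "signal.rule.building_block_type"}})
    if indicator_match_only:
        # Alerts from indicator match rules carry signal.rule.threat_mapping.
        filters.append({"exists": {"field": "signal.rule.threat_mapping"}})
    return {"query": {"bool": {"filter": filters, "must_not": must_not}}}


def stack_by(field: str = "signal.rule.name", size: int = 10) -> Dict[str, Any]:
    """Terms aggregation behind the Trend histogram's Stack by drop-down."""
    return {"alert_counts": {"terms": {"field": field, "size": size}}}


if __name__ == "__main__":
    import json
    body = alerts_query(rule_name="SSH (Secure Shell) from the Internet")
    body["aggs"] = stack_by()
    print(signals_index(), json.dumps(body, indent=2))
```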

[Figure: multiple ways to filter information]

Customize the Alerts table

Use the buttons in the upper left corner of the Alerts table to customize the columns you want displayed and to view the table in full-screen mode.

[Figure: Alerts table column and size controls]

Click the Customize Event Renderers button to enable event renderers within the Alerts table. When enabled, event renderers show relevant details that provide more context about the event. For example, if you enable the Flow Event Renderer, the Alerts table shows details that describe the data flow between a source and destination — such as hosts, ports, protocol, direction, duration, amount transferred, process, and geographic location.

[Figure: the Customize Event Renderers button]

All event renderers are disabled by default. To switch between event views in the Alerts table, you can enable individual event renderers or click Enable all. Closing the Customize Event Renderers page saves your configurations.

[Figure: the Customize Event Renderers page]

View alert details

To further inspect an alert, click the View details button from the Alerts table.


The Alert details flyout appears and offers several options for viewing alert details:

  • Summary: Shows an aggregated view of alert details. Alerts that have been enriched with threat.indicator data also display the threat summary section, which is an additional section located beneath the alert summary. In the threat summary section, you can view mapped data for the following threat.indicator subfields:

    • matched.field
    • matched.type
    • source (threat.indicator.provider)
    • first_seen
    • last_seen

If an alert is linked to more than one threat, a compiled version of threat indicator data displays in the threat summary section. A more detailed view displays within the Threat Intel tab.

  • Threat Intel: Shows the number of matched threats and displays them individually. Threats appear in reverse chronological order, with the most recent alerts at the top. The available threat.indicator and source.event data is displayed for each threat. If the alert has not been enriched with threat data, the Threat Intel tab displays the message "No Threat Intel Enrichment Found" and provides a link to Threat Intel module documentation.
  • Table: Shows the alert details in table format. Alert details are organized into field value pairs.
  • JSON View: Shows the alert details in JSON format.

Change an alert’s status

You can set an alert’s status to indicate whether it needs to be investigated (Open), is under active investigation (In progress), or resolved (Closed). By default, the Alerts table displays open alerts. To view alerts with other statuses, click In progress or Closed.

To change alert statuses, do one of the following:

  • In the alert’s row, click the More actions button, then select the appropriate status (Mark in progress, Close alert, or Open alert).
  • In the Alerts table, select all the alerts you want to change, then select Take action → Close selected, Open selected, or Mark in progress.

Add alerts to cases

From the Alerts table, you can attach one or more alerts to a case by clicking the Add to case button. From here, you can choose to add the alert to a new case or attach it to an existing one. You can add an unlimited number of alerts from any rule type. If you attach the alert to a case that has been configured to sync its status with associated alerts, the alert’s status updates any time the case’s status is modified.

Once you’ve added an alert to a case, you can only remove it through the Elastic Security Cases API.

[Figure: the Add to case button]

Add an alert to a new case

To add an alert to a new case:

  1. Select Add to case → Add to a new case.
  2. In the Create a new case pane, give your case a name, add relevant tags, and include a case description.
  3. Specify whether you want to sync the status of associated alerts. It is enabled by default; however, you can toggle this setting on or off at any time. If it remains enabled, the alert’s status updates whenever the case’s status is modified.
  4. Select a connector. If you’ve previously added one, that connector displays as the default selection. Otherwise, the default setting is No connector selected.
  5. Click Create case after you’ve completed all of the required fields. A notification message that confirms the case was successfully created displays. Click the link inside the notification or go to the Cases page to view your case.

[Figure: Shows how to add an alert to an existing case]

Add an alert to an existing case

To attach an alert to an existing case:

  1. Select Add to case → Add to existing case.
  2. From the Select case pane, select the appropriate case for which to attach an alert. A confirmation message displays with an option to view the updated case. Click on the link in the notification or go to the Cases page to view the case’s details.

[Figure: Shows how to add an alert to an existing case]

Send alerts to Timeline

To view an alert in Timeline, click the Investigate in timeline button.

When you send an alert generated by a threshold rule to Timeline, all matching events are listed in the Timeline, even ones that did not reach the threshold value. For example, if you have an alert generated by a threshold rule that detects 10 failed login attempts, when you send that alert to Timeline, all failed login attempts detected by the rule are listed.

Suppose the rule that generated the alert uses a Timeline template. In this case, when you investigate the alert in Timeline, the dropzone query values defined in the template are replaced with their corresponding alert values.

Example

This Timeline template uses the host.name: "{host.name}" dropzone filter in the rule. When alerts generated by the rule are investigated in Timeline, the {host.name} value is replaced with the alert’s host.name value. If the alert’s host.name value is Windows-ArsenalFC, the Timeline dropzone query is host.name: "Windows-ArsenalFC".
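The substitution described in this example, written out as an added illustration (not Timeline's own code): a template query's {field.path} placeholders are resolved against an alert document, with the value escaped for a double-quoted KQL string. It assumes alerts are plain dicts holding either nested ECS objects or flat dotted keys; the sample alert and the extra user.name placeholder are constructed, and raising on a missing field is this example's choice, since the page does not describe that case.

```python
# Added example: resolve Timeline template dropzone placeholders such as
# {host.name} against an alert document, as the page describes Timeline doing.
# Assumption: the alert is a dict in nested ({"host": {"name": ...}}) or
# flattened ({"host.name": ...}) form.
import re
from typing import Any, Dict, Optional

PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.@-]+)\}")


def lookup(alert: Dict[str, Any], path: str) -> Optional[Any]:
    """Fetch a dotted field from a nested or flattened alert dict."""
    if path in alert:  # flattened form, e.g. {"host.name": "..."}
        return alert[path]
    node: Any = alert
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def kql_escape(value: Any) -> str:
    """Escape a value placed inside a double-quoted KQL string literal."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def resolve_template(query: str, alert: Dict[str, Any]) -> str:
    """Replace every {field.path} in the template with the alert's value.

    A missing field raises (example's choice) so an unresolved placeholder
    is never silently turned into a query that matches nothing or everything.
    """
    def substitute(match: "re.Match[str]") -> str:
        path = match.group(1)
        value = lookup(alert, path)
        if value is None:
            raise KeyError(f"alert has no value for template field {path}")
        return kql_escape(value)

    return PLACEHOLDER.sub(substitute, query)


# Constructed sample alert mirroring the page's example, plus a user.name
# value containing a quote to show the escaping.
SAMPLE_ALERT = {"host": {"name": "Windows-ArsenalFC"}, "user": {"name": 'svc"ops'}}
TEMPLATE = 'host.name: "{host.name}" and user.name: "{user.name}"'

if __name__ == "__main__":
    print(resolve_template(TEMPLATE, SAMPLE_ALERT))
```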

See Investigate events in Timeline for information on creating Timelines and Timeline templates. For information on how to add Timeline templates to rules, see Create a detection rule.

Add rule exceptions

You can add exceptions to the rule that generated the alert directly from the Alerts table. Exceptions prevent a rule from generating alerts even when its criteria are met.

To add an exception, click the actions button (three dots) and then select Add exception.

For information about exceptions and how to use them, see Rule exceptions and value lists.

Visually analyze process relationships

For process events that are detected by Elastic Endpoint, you can open a visual mapping to view a hierarchical timeline of when these events occurred. For more information, see Visual event analyzer.