Investigate alerts

Monitor the alerts regularly to ensure that you investigate events before they seriously affect your network. The alerts generated in Xshield provide details about the time when the event occurred and the ports and protocols involved in the events. 

We recommend that you understand more about types of Xshield alerts, Alert categories, Severity levels, and the default settings before you start investigating alerts.

To reduce clutter on the Alerts page, only 'Critical' alerts are generated for a new Xshield instance. So, before you start investigating alerts, you must check if all the alerts you want to monitor are enabled.


Act on alerts

By design, all alerts are initially set to the Pending status. You can take one or more of the following actions to address the alerts.
Action: Investigate
Description/impact: View and download the flows that triggered the alert using the Flow Explorer utility. Investigating an alert moves the alert to the Investigated state.
Use this to: Investigate high-impact events such as breaches and attempts.

Action: Suppress temporarily
Description/impact: Alerts are not generated for this tuple for the next 30 days. Suppressed alerts move to the Suppressed state and are not included in the email notifications.
Use this to: Ignore predictable alerts generated during policy simulation, experimental activities, and false positives.

Action: Re-activate a tuple
Description/impact: Start getting alerts for the tuple that you previously suppressed. New alerts are marked Pending and included in email notifications.
Use this to: Get notified about events after previously suppressing them.

Action: Dismiss
Description/impact: Existing alerts for this tuple are not displayed in the default filtered view (Pending and Investigated) of the alerts list. If a new alert is generated for this tuple, all future alerts for the tuple are listed in the default filtered view of the alerts list as Pending alerts, and the alert is included in the email notifications.
Use this to: Hide predictable alerts and false positives for a few minutes to reduce clutter in the alerts list.


Investigate alerts

  1. Go to the Alerts page.

    All events that occurred in your network from the time you enabled alerts are listed here. 

  2. Filter the time interval. Select one of the last 30 minutes, 1 hour, 24 hours, 7 days, or 30 days.

    We recommend choosing 30 minutes or 1 hour in most cases so that you can investigate alerts quickly.

  3. Click Show Filter and select the types of alerts and alert statuses.

  4. Do the following to investigate alerts/events:

    • Click the 3-dot menu for an alert and click Explore in Flow Explorer.

    • Download the events/alerts as a CSV file. 

    • Use Microsoft Excel to analyze the events.

    • For Traffic alerts, go to Visualizer to see the entities that are involved in the event. Use Asset Filters on Visualizer to narrow down the traffic flows and investigate the cause of the event.


Explore Alert widgets

See the widgets on the Alerts page for a count of the alerts for the instance and how effectively they are remediated.

  • See how many alerts you have enabled, for an instance.

  • Click Configure to enable more alerts or disable some alerts.


Next steps

  • If you want to monitor and remediate alerts and Audit logs generated for an Xshield instance by using third-party Security Information and Event Management (SIEM) tools, you can integrate the instance with a tool such as Splunk, Sumo Logic, or Kiwi Syslog Server. See Integrate with third-party Syslog tools for more details.
