Define Default Alert View (Admin)
The Admin can define a default Overview for Alerts. This will display in the Cases > Alerts screen in one of the following situations:
- The Alert does not have an attached Playbook.
- The Alert has an attached Playbook with customized views per role, but there is no view defined for the user's role. For more information on customized Alert views, see here.
The view is defined from the gear icon > Views > Default Alert View.
The Alert View displays the following widgets:
- Entities Highlights: This widget displays the highlighted fields for each entity involved in the alert. There are two ways to highlight a field:
  - From the Explore screen, choose the entity, select a field and click Add to highlight. This entity field will be displayed in the widget.
  - Navigate to Settings > Data Configuration > Properties Metadata, select a field and mark as highlighted. If the field is part of the entity, it will be displayed in the widget.
- Events Table: This widget displays all Alert events and their properties. Choose up to 6 fields to be displayed in the table. You can reorder the table rows. The default placeholders can be customized by clicking on the brackets on the right side of the row and choosing the appropriate placeholders. Multiple placeholders can be added in every row. In the actual display, you can click on any of the table rows to open a side drawer showing more event details.
- HTML: In this widget, you can use HTML code for creating insights as well as use placeholders to ‘inject’ relevant information from the alerts. You have the option to return safe code without including potentially malicious JavaScript.
  - When using the Video or Layout 6 presets that are included in the HTML widget, certain video sites, such as YouTube and files.fm, are not supported. Sendspark can be used instead.
- Free Text: This widget enables you to add free text to be displayed for the Alert/Playbook.
- Entities Graph: This widget provides a visual display of the relationship between the Entities. It's the same display that you would see in the Explore Investigation screen.
- Key Value: This widget allows you to choose specific bits of information that come from various sources and display them in the view. For example: Key: Product, Value: [Alert.Product]
- Insights: This widget contains all the Insights from the Playbook insights actions, general insights and any other insights you have added. They will be presented in HTML format.
- Pending Actions: This widget lists all playbook actions waiting for user input. The analyst can now see at a glance what they need to do in order for the Playbook to carry on running.
The screen is presented with a default set of widgets already prepared and designed for maximum value. However, you are free to add, remove or edit the widgets as you like.
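Because placeholders in the HTML widget inject alert data into markup, the following added example (not the product's code) shows the same template rendered with and without HTML-encoding of the injected values. Only the `[Alert.Product]` placeholder style comes from this page; `renderWidget`, `escapeHtml`, the other field names and the sample alert are hypothetical, and output encoding is one assumed way to handle injected values, not a description of the widget's safe-code option.

```javascript
// Added example: substituting [Alert.Field] placeholders into an HTML template.
// All names and sample data here are hypothetical and constructed for illustration.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Replace each [Alert.Field] placeholder with the alert's value, passed through
// `encode`. Unknown fields are left as the literal placeholder so a gap is
// visible to the analyst. Own-property lookup avoids resolving inherited names
// such as "constructor".
function renderWidget(template, alert, encode) {
  return template.replace(/\[Alert\.([A-Za-z0-9_]+)\]/g, (match, field) =>
    Object.prototype.hasOwnProperty.call(alert, field) ? encode(alert[field]) : match
  );
}

// Constructed sample alert: the Name field carries markup, as a value copied
// from an external source (for example a mail subject) might.
const sampleAlert = {
  Product: "MailGateway",
  Name: 'Phish <script>alert(1)</script> "urgent"',
};

const template =
  '<h3>[Alert.Product]</h3><p title="[Alert.Name]">[Alert.Name]</p><p>[Alert.Missing]</p>';

// Naive substitution: the value is pasted in as-is, so the markup stays live
// and the quote characters break out of the title attribute.
const naive = renderWidget(template, sampleAlert, String);

// Encoded substitution: the same value is displayed as inert text.
const safe = renderWidget(template, sampleAlert, escapeHtml);

console.log("naive:", naive);
console.log("safe: ", safe);
```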
Add Widgets
To add a widget:
- Drag and drop a widget from the left screen into the template on the right.
- You can move around the widgets at any stage to achieve the required view.
Edit Widgets
To edit a widget:
- Click the Configuration icon on the top right.
- Edit the title, description (which is actually the tooltip) and the width (50 or 100%). Note that some of the widgets offer extra fields to configure. For example, in the Alert Highlights screenshot below you can add various keys and values to provide more information on the Alert.
- Click Save.