Alert Lifecycle
Alerts follow a defined lifecycle as they move through triage and investigation:

- Open — A new alert that has not yet been triaged.
- In Progress — An analyst is actively investigating the alert.
- Incident — The alert has been escalated to an incident.
- Closed — The alert has been resolved. A resolution reason is attached when closing (e.g. True Positive, False Positive, Benign).
Incidents
Incidents are separate objects that are attached to alerts. When an alert is escalated to an incident, the investigation still happens under the alert itself. Incidents serve as a timeline of activities and provide a higher-level view of related events, but the alert remains the primary workspace for analysts.

What Alerts Contain
Alerts are rich objects that can hold a variety of associated data:

- Attachments — Files and documents related to the investigation.
- Comments — Analyst notes and discussion threads.
- Timeline Events — A chronological record of activity on the alert.
- Incidents — Escalation records linking alerts to broader incident timelines.
- Audit Events — A log of all changes made to the alert and by whom.
- Enrichments — Additional context added automatically or manually (threat intel, geolocation, etc.).
- Actions — Operations that can be executed on the alert or on any indicator within the alert.
Actions
Actions can be performed at two levels:

- Alert-level actions — Operations that apply to the alert as a whole (e.g. changing status, adding comments, escalating to an incident).
- Field-level actions — Operations performed on any individual indicator or field value within the alert. This includes adding values to indicator lists, running external lookups, executing custom actions, and creating aggregation rules. See Alert Fields for details.
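The following is an added example, not part of this documentation or of the product it describes. It models the lifecycle states and resolution reasons from Alert Lifecycle, the audit trail and comments from What Alerts Contain, and the alert-level actions (status change, comment, escalation) from Actions, so the pieces can be seen working together. The permitted transitions, the sample alert and incident identifiers, and the analyst name are assumptions; the page lists the states but does not say which moves between them are allowed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Status(Enum):
    """Lifecycle states named in the documentation."""
    OPEN = "Open"
    IN_PROGRESS = "In Progress"
    INCIDENT = "Incident"
    CLOSED = "Closed"


# Resolution reasons the page gives as examples for closing an alert.
RESOLUTIONS = {"True Positive", "False Positive", "Benign"}

# ASSUMPTION: the page does not define allowed transitions; this is one
# plausible policy (an alert cannot leave Closed).
ALLOWED = {
    Status.OPEN: {Status.IN_PROGRESS, Status.CLOSED},
    Status.IN_PROGRESS: {Status.INCIDENT, Status.CLOSED},
    Status.INCIDENT: {Status.CLOSED},
    Status.CLOSED: set(),
}


@dataclass
class AuditEvent:
    """One entry in the alert's audit log: what changed and who did it."""
    at: datetime
    actor: str
    change: str


@dataclass
class Alert:
    alert_id: str
    status: Status = Status.OPEN
    resolution: Optional[str] = None
    incident_id: Optional[str] = None          # set when escalated
    comments: List[str] = field(default_factory=list)
    audit: List[AuditEvent] = field(default_factory=list)

    def _record(self, actor: str, change: str) -> None:
        # Every mutation goes through here so the audit log is complete.
        self.audit.append(AuditEvent(datetime.now(timezone.utc), actor, change))

    def set_status(self, new: Status, actor: str,
                   resolution: Optional[str] = None) -> None:
        """Alert-level action: change status, enforcing the policy above."""
        if new not in ALLOWED[self.status]:
            raise ValueError(f"cannot move {self.status.value} -> {new.value}")
        if new is Status.CLOSED:
            # The page requires a resolution reason when closing.
            if resolution not in RESOLUTIONS:
                raise ValueError("closing requires a resolution reason")
            self.resolution = resolution
        old = self.status
        self.status = new
        detail = f" ({resolution})" if resolution else ""
        self._record(actor, f"status {old.value} -> {new.value}{detail}")

    def add_comment(self, actor: str, text: str) -> None:
        """Alert-level action: attach an analyst note."""
        self.comments.append(text)
        self._record(actor, "comment added")

    def escalate(self, actor: str, incident_id: str) -> None:
        """Alert-level action: escalate, attaching an incident record.
        The alert itself stays the investigation workspace."""
        self.set_status(Status.INCIDENT, actor)
        self.incident_id = incident_id
        self._record(actor, f"attached to incident {incident_id}")


def triage_example() -> Alert:
    """Walk one constructed alert through the whole lifecycle."""
    a = Alert("ALERT-0001")                       # constructed sample id
    a.set_status(Status.IN_PROGRESS, "analyst1")  # assumed actor name
    a.add_comment("analyst1", "Confirmed activity matches the detection")
    a.escalate("analyst1", "INC-0042")            # constructed incident id
    a.set_status(Status.CLOSED, "analyst1", resolution="True Positive")
    return a


if __name__ == "__main__":
    for ev in triage_example().audit:
        print(ev.at.isoformat(), ev.actor, ev.change)
```

Because every action funnels through `_record`, the audit log lists five entries for the walkthrough (status change, comment, status change to Incident, incident attachment, close with reason), which is the "all changes made to the alert and by whom" record the page describes.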