Introducing Exabeam Alert Triage

Published: March 24, 2021

Author: Cynthia Gonzalez

Today we announced Exabeam Alert Triage, a new cloud application that categorizes, aggregates and enriches security alerts, so analysts can confidently and efficiently dismiss or escalate security alerts from a single screen. With Alert Triage, analysts get visibility into all of the alerts that security tools have triggered through a centralized view, reducing the likelihood of missing a security alert.

The Problem with Security Alerts Today

Today, analysts receive thousands of security alerts a day spread across disparate tools. Analysts must prioritize alerts to identify which pose the greatest risk to an organization and then decide which alerts to escalate for further review. However, security personnel say they are only able to investigate 45% of the daily alerts they receive, according to research from the Ponemon Institute. Why? One reason is that alerts provide little to no context, which makes it difficult for Tier 1 analysts to make decisions and requires them to spend a lot of time manually gathering evidence. The Ponemon report also notes that 33% of alerts in a traditional SIEM are false positives. Unable to keep up with the volume, analysts must ignore a significant number of security alerts and, in doing so, leave their organization potentially vulnerable to threats.

Success Requires a New Approach to Alert Triaging

Alert Triage categorizes, aggregates and enriches security alerts, so analysts can confidently dismiss or escalate them with new levels of efficiency. Alerts are organized into channels to prioritize and distribute them for review, while similar alerts are also aggregated so they can be reviewed as a group.

Figure 1: Security alerts are categorized into channels. Channels can be grouped by vendor, alert name, alert type, and severity. For example, here we see a channel for medium and high alerts from CrowdStrike.

All alerts are then automatically enriched with contextual data including host, IP, alert severity, related behavioral anomalies and the overall risk scores of associated users and entities. Armed with this information, analysts can make a judgment call without needing to navigate to other products to gather evidence.

Figure 2: Security alerts are enriched with context including host, IP, severity of alerts and associated users and entities.

From within an alert in Alert Triage, security analysts can easily navigate to the associated user or entity timeline containing that alert. The timeline shows what happened before and after the alert was triggered, and provides the context to answer questions such as:

  • What is the nature of the alert? 
  • Who is the user/asset associated with the alert? 
  • Is this an actual attack? 
  • Was the attack successful? 

With context readily available, analysts can rapidly triage alerts without the need to pivot and query in a SIEM.

Figure 3: Smart Timelines include all information an analyst needs to perform a rapid investigation, including: normal and abnormal behavior, as well as the surrounding context, like what happened before and after an alert, or if this alert maps to a MITRE tactic, technique, or procedure.

Integration with Case Manager

The Alert Triage interface gives analysts the option to dismiss or escalate the alert. When an alert is escalated, an incident is automatically created in Exabeam Case Manager, handing the alert off to the incident response team. The case includes alert-specific information such as alert name, type, and severity so an Incident Responder can quickly continue the investigation. Automating this hand-off speeds up triage and improves collaboration between triage and response teams.

Figure 4: Analysts have the option to dismiss or escalate the alert.
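To make the workflow described above concrete (channel routing by vendor, type and severity; aggregation of similar alerts; enrichment with user and host risk context; and the hand-off of an escalated group as an incident record), here is an added, self-contained Python illustration. It is not Exabeam's code and does not use any Exabeam API: the alert records, the `USER_RISK`, `HOST_RISK` and `ANOMALIES` lookups, the `Channel` filters and the incident schema are all constructed for the example, and the `recommend` rule is a hypothetical heuristic that only suggests a disposition; the dismiss/escalate decision stays with the analyst.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Channel:
    """A triage channel: an alert lands here when it satisfies every filter that is set."""
    name: str
    vendor: Optional[str] = None
    alert_type: Optional[str] = None
    min_severity: str = "low"

    def matches(self, alert: dict) -> bool:
        if self.vendor and alert["vendor"] != self.vendor:
            return False
        if self.alert_type and alert["type"] != self.alert_type:
            return False
        return SEVERITY_RANK[alert["severity"]] >= SEVERITY_RANK[self.min_severity]


# Constructed sample alerts (hypothetical vendors/names; not real product output).
ALERTS = [
    {"id": 1, "vendor": "CrowdStrike", "name": "Suspicious PowerShell", "type": "endpoint",
     "severity": "high", "host": "ws-17", "ip": "10.1.1.17", "user": "bob"},
    {"id": 2, "vendor": "CrowdStrike", "name": "Suspicious PowerShell", "type": "endpoint",
     "severity": "medium", "host": "ws-17", "ip": "10.1.1.17", "user": "bob"},
    {"id": 3, "vendor": "CrowdStrike", "name": "Adware Detected", "type": "endpoint",
     "severity": "low", "host": "ws-04", "ip": "10.1.1.4", "user": "alice"},
    {"id": 4, "vendor": "ExampleFW", "name": "Suspicious Outbound Connection", "type": "network",
     "severity": "high", "host": "ws-17", "ip": "10.1.1.17", "user": "bob"},
]

# Channels in the style of Figure 1: one for medium-and-above CrowdStrike alerts,
# one for all network alerts. Anything unmatched goes to "unrouted".
CHANNELS = [
    Channel("crowdstrike-med-high", vendor="CrowdStrike", min_severity="medium"),
    Channel("network-all", alert_type="network"),
]

# Constructed context that stands in for UEBA risk scores and behavioral anomalies.
USER_RISK = {"bob": 85, "alice": 12}
HOST_RISK = {"ws-17": 70, "ws-04": 5}
ANOMALIES = {"bob": ["first-time access to finance share"],
             "ws-17": ["abnormal process for this host"]}


def route(alerts: list, channels: list) -> dict:
    """Assign each alert to the first channel whose filters it satisfies."""
    routed = defaultdict(list)
    for alert in alerts:
        target = next((ch.name for ch in channels if ch.matches(alert)), "unrouted")
        routed[target].append(alert)
    return routed


def aggregate(alerts: list) -> dict:
    """Group alerts sharing vendor, alert name and user so they can be reviewed once."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["vendor"], alert["name"], alert["user"])].append(alert)
    return groups


def enrich(alert: dict) -> dict:
    """Attach user/host risk scores and related anomalies to a copy of the alert."""
    out = dict(alert)
    out["user_risk"] = USER_RISK.get(alert["user"], 0)
    out["host_risk"] = HOST_RISK.get(alert["host"], 0)
    out["anomalies"] = ANOMALIES.get(alert["user"], []) + ANOMALIES.get(alert["host"], [])
    return out


def recommend(group: list, risk_threshold: int) -> str:
    """Hypothetical heuristic: suggest escalation when the user is high-risk or anomalies exist."""
    first = group[0]
    return "escalate" if first["user_risk"] >= risk_threshold or first["anomalies"] else "review"


def triage(alerts: list, channels: list, risk_threshold: int = 50) -> dict:
    """Build a per-channel board of aggregated, enriched alert groups, highest severity first."""
    board = {}
    for ch_name, ch_alerts in route(alerts, channels).items():
        rows = []
        for key, group in aggregate(ch_alerts).items():
            enriched = [enrich(a) for a in group]
            rows.append({
                "group": key,
                "count": len(enriched),
                "max_severity": max((a["severity"] for a in enriched), key=SEVERITY_RANK.get),
                "recommendation": recommend(enriched, risk_threshold),
                "alerts": enriched,
            })
        rows.sort(key=lambda r: SEVERITY_RANK[r["max_severity"]], reverse=True)
        board[ch_name] = rows
    return board


def escalate(group: list) -> dict:
    """Build the incident record handed to case management (hypothetical schema)."""
    first = group[0]
    return {
        "alert_name": first["name"],
        "alert_type": first["type"],
        "severity": max((a["severity"] for a in group), key=SEVERITY_RANK.get),
        "alert_ids": [a["id"] for a in group],
        "user": first["user"],
        "user_risk": first["user_risk"],
        "anomalies": sorted(set(first["anomalies"])),
    }


if __name__ == "__main__":
    for channel, rows in triage(ALERTS, CHANNELS).items():
        for row in rows:
            print(channel, row["group"], row["count"], row["max_severity"], row["recommendation"])
```

Running the block routes the two CrowdStrike PowerShell alerts into one group of two in the `crowdstrike-med-high` channel, sends the network alert to `network-all`, and leaves the low-severity adware alert unrouted; calling `escalate` on the PowerShell group produces a single incident carrying the alert name, type, the group's highest severity and the enrichment context, which is the hand-off the post describes.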

Outsmart the Odds with Alert Triage

Analysts are spending valuable time focused on false positives, often missing the most urgent and dangerous threats to their organization. With Alert Triage, analysts get improved visibility, security and productivity, allowing them to focus their efforts on the highest priority alerts and take action on them, for a complete and seamless workflow.
Learn more about Exabeam Alert Triage and let us help you outsmart the odds.
