Alert Investigation

When rules match incoming logs, CHAD creates alerts. This guide covers the alert lifecycle from detection to resolution.

Alert List

Navigate to Alerts in the sidebar to see all detections.

Filtering

Filter alerts by:

| Filter | Description |
| --- | --- |
| Status | New, Acknowledged, Resolved, False Positive |
| Severity | Critical, High, Medium, Low, Informational |
| Rule | Specific detection rule |
| Time Range | Last hour, day, week, custom |
| Index Pattern | Log source |

Sorting

Sort by:
  • Newest first (default)
  • Oldest first
  • Severity (critical → informational)

Alert Clustering

Similar alerts are grouped to reduce noise. Click a cluster to expand and see individual alerts.

Alert Status

| Status | Meaning | Next Steps |
| --- | --- | --- |
| New | Unreviewed detection | Triage and investigate |
| Acknowledged | Under investigation | Complete analysis |
| Resolved | Investigation complete | Document findings |
| False Positive | Not a real threat | Consider exception rule |

Changing Status

Single alert:
  1. Open alert detail
  2. Select new status from dropdown
  3. Optionally add a comment

Bulk update:
  1. Select multiple alerts with checkboxes
  2. Click Bulk Actions
  3. Choose new status

Alert Detail View

Click any alert to open the full investigation view.

Alert Information

  • Rule name - Which detection triggered
  • Severity - Risk level
  • Timestamp - When detected
  • Index pattern - Log source
  • MITRE ATT&CK - Associated techniques

Matched Log

The full log document that triggered the alert:
{
  "@timestamp": "2024-01-15T14:32:17.000Z",
  "event": {
    "code": "4625",
    "action": "logon-failed"
  },
  "user": {
    "name": "admin",
    "domain": "CORP"
  },
  "source": {
    "ip": "192.168.1.50"
  }
}
Use the Copy button to copy the raw JSON for external analysis.

Threat Intelligence Enrichment

If TI sources are configured, alerts include enrichment:
  • IP reputation - Malicious, suspicious, or clean
  • Domain analysis - Known bad domains
  • Hash lookups - Malware identification
  • Risk score - Aggregated risk level
Enrichment sources:
  • VirusTotal
  • AbuseIPDB
  • MISP
  • GreyNoise
  • And more…

GeoIP Data

If GeoIP is enabled:
  • Country and city
  • ASN and organization
  • Coordinates (lat/long)

Investigation Workflow

1. Initial Triage

Review the alert to understand:
  • What triggered the detection?
  • Is this expected activity?
  • What’s the potential impact?

2. Context Gathering

Examine the matched log:
  • Who (user, system)?
  • What (action, process)?
  • When (timestamp)?
  • Where (source, destination)?
  • How (method, tool)?

3. Enrichment Analysis

Review threat intelligence:
  • Are any IOCs known malicious?
  • What’s the overall risk score?
  • Are there related indicators?

4. Correlation

Look for related activity:
  • Other alerts from same source
  • Similar patterns across systems
  • Timeline of events

5. Decision

Determine the alert status:
  • Acknowledge - Needs further investigation
  • Resolve - Investigation complete, document findings
  • False Positive - Not a real threat, consider tuning
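As an added example of the clustering and correlation steps above (not CHAD's own code), the script below groups alerts that share a rule and a source IP and flags a burst that merits escalation rather than a one-off resolve. The alert documents are constructed to follow the matched-log shape shown earlier on this page (event.code 4625, user.name, source.ip); the 5-minute window and threshold of 5 alerts are assumptions, not CHAD defaults.

```python
"""Cluster CHAD-style alerts by rule and source IP and flag bursts.
Added example, not CHAD's own code; the alert documents are constructed
to follow this page's matched-log shape (event.code 4625, user.name,
source.ip), and the window/threshold values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

def make_alert(ts, ip, user, rule="Failed Logon"):
    """Build a constructed alert wrapping a 4625 logon-failure document."""
    return {"rule": rule, "log": {
        "@timestamp": ts,
        "event": {"code": "4625", "action": "logon-failed"},
        "user": {"name": user, "domain": "CORP"},
        "source": {"ip": ip}}}

# The page's lone sample failure plus six failures in one minute from a second host.
ALERTS = [make_alert("2024-01-15T14:32:17.000Z", "192.168.1.50", "admin")] + [
    make_alert(f"2024-01-15T14:40:{i * 10:02d}.000Z", "10.0.0.7", f"user{i}")
    for i in range(6)]

def parse_ts(ts):
    """Parse @timestamp; fromisoformat rejects a trailing Z before Python 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def cluster(alerts):
    """Group alerts sharing a rule and source IP, oldest first."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["rule"], a["log"]["source"]["ip"])].append(a)
    for members in groups.values():
        members.sort(key=lambda a: parse_ts(a["log"]["@timestamp"]))
    return groups

def correlate(alerts, window=timedelta(minutes=5), threshold=5):
    """Per cluster: alert count, distinct users, and an escalate flag set when
    any sliding window of `window` length holds at least `threshold` alerts."""
    findings = {}
    for key, members in cluster(alerts).items():
        times = [parse_ts(a["log"]["@timestamp"]) for a in members]
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop alerts that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        users = {a["log"]["user"]["name"] for a in members}
        findings[key] = {"count": len(members), "distinct_users": len(users),
                         "escalate": peak >= threshold}
    return findings
```

A high distinct-user count inside one escalated cluster is the signal to look at in the Correlation step: many accounts failing from one source reads differently from one user mistyping a password.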

Comments

Add investigation notes to alerts:
  1. Open alert detail
  2. Scroll to Comments section
  3. Write your analysis
  4. Click Add Comment
Comments are timestamped and attributed to your user account.
Document your investigation process. Comments help team members understand decisions.

Live Alert Feed

For real-time monitoring, use the Live Feed:
  1. Navigate to Alerts > Live Feed
  2. Alerts appear as they fire
  3. Click any alert to investigate
The live feed uses WebSocket for instant updates without refreshing.

Bulk Operations

Handle multiple alerts efficiently:
  1. Select alerts with checkboxes
  2. Click Bulk Actions
  3. Available actions:
    • Change status
    • Add comment to all
    • Export selected

Alert Notifications

Configure how you’re notified about new alerts:

Browser Notifications

  1. Go to Account > Notifications
  2. Enable browser notifications
  3. Set severity threshold (e.g., High and above)

Webhooks

Send alerts to external systems:
  • Slack
  • Discord
  • PagerDuty
  • Custom HTTP endpoints
See Notifications for configuration.

Jira Integration

Automatically create tickets for alerts:
  • Maps severity to priority
  • Includes alert context
  • Links back to CHAD
See Jira Integration for setup.

Handling False Positives

When you identify a false positive:
  1. Mark the alert as False Positive
  2. Consider creating an Exception Rule
  3. Document the tuning in the exception
Don’t disable rules for false positives. Use exception rules to tune them instead.

Best Practices

  • New alerts should be triaged within your SLA. Even a quick “acknowledged” is better than ignored.
  • Use comments to record your investigation. Future you (or teammates) will thank you.
  • One alert might be noise. Ten similar alerts might be an attack.
  • If you see the same false positive repeatedly, create an exception rule.
  • Don’t let alert fatigue set in. Tune rules so high-severity alerts are actually high priority.

Next Steps