View an Incident Response alert

View all acknowledged and unacknowledged alerts in the system.

Before you begin

Role required: Responder, Manager, or Administrator

Procedure

  1. Log in to Incident Response.
  2. On the left navigation pane, click Alerts.
    Note: The alerts page is empty until you ingest alerts from a third-party integration.

    See Integrations in Incident Response for more information on setup and ingestion.

  3. View the alerts list.
    The alert list view can be sorted by:
    • Priority (asc)
    • Priority (desc)
    • Number (asc)
    • Number (desc) - Default
    You can filter the listings using the Filters button in the header.
    Note:

    Filters for the same fields evaluate as AND, filters for different fields evaluate as OR. For example, if you filter for Priority and State is Open, the filter evaluates as P1-Critical OR P2-High OR P3-Moderate AND State Open.

    The default filter is Open Alerts, so closed alerts do not appear in the list unless selected.

    If you click on Alerts in the left navigation, Filters defaults to all Open alerts for everyone, and My team for responders and above. If you use the back arrow button in your browser, the filter choices are retained.

    Activate the Actions menu to perform bulk acknowledge, promote, close, or group actions using the list check boxes.

    The Actions list menu gives you options for them.

    Alert group options

    See Manually group Incident Response alerts for more information on grouping alerts and their results.

    See Promote an Incident Response alert to an incident for more information on promoting alerts and their results.

  4. Optional: Click the information icon to the left of an alert for a preview.

    The fly-out screen contains the alert header including tags, Details, and Activity areas of the alert. See Alert workspace for more information on those fields.

    The More actions menu in the fly-out contains all the same options as the Alert form, as well as Show full details, which opens the full alert form.

    You can edit the Service, Priority, Assigned team, Assigned to, or Incident fields.

  5. Click an alert in the alert list view.

    The alert form contains not only the information related to the alert but also options to search for further information and take actions. See the following example of an acknowledged alert.

    Alert workspace

    Only an acknowledged alert can be promoted to an incident. See Promote an Incident Response alert to an incident for more information.

    Once you acknowledge it, the alert is assigned to you and you can:
    • Promote to Incident: (hidden if there is already an incident).
    • Close: Closes the alert.
    • Save: Saves all changes.
    • From the More actions menu, you can:
      • Unacknowledge: Unassigns the alert.
  6. View the Compose panel to add Work notes.
    Alert Compose panel
  7. View the Alert timeline panel for system activity including Work notes.
    Alert timeline
  8. Add or view attachments using the attachment icon in the upper right of the Attachments panel. This icon opens or hides the column.
  9. View the Collaboration panel using the collaboration icon. This icon opens or hides the column.
    • Start or join an available Zoom meeting.
    • Start or join an available Slack channel.
    • Add responders to the alert.

    See Alert workspace for more information on each of the actions listed.