View an Incident Response alert

View all acknowledged and unacknowledged alerts in the system.

Before you begin

Role required: Responder, Manager, or Administrator

Procedure

  1. Log in to Lightstep Incident Response.
  2. On the left navigation pane, select Alerts.
    Note: Initially, the alerts page is empty, until you ingest alerts from a third-party integration or manually create an alert. See Manually create an alert for detailed information.

    The list view is automatically updated when a new record is created or inserted.

    See Integrations in Incident Response for more information on setup and ingestion.

  3. View the alerts list.
    The alert list view can be sorted in order by:
    • Priority (asc)
    • Priority (desc)
    • Number (asc)
    • Number (desc) - Default
    You can filter the listings using the Filters button in the header.
    Note:

    Filters for the same fields evaluate as AND, filters for different fields evaluate as OR. For example, if you filter for Priority and State is Open, the filter evaluates as P1-Critical OR P2-High OR P3-Moderate AND State Open.

    If you select Alerts in the left navigation, Filters defaults to all Open alerts initially.

    When you change your alert list view filters, it remembers your settings, automatically, so that if you navigate away they are still set when you return.

    If the default alert filters do not give you the alert list you are looking for, try the Filter Builder in your list view. See Search for an alert using Filter Builder for more information.

    The Export button only becomes available if there are records in the list view. For information on exporting alerts, see Export alert information to a CSV file.
    Note: Bulk selection has no affect on export criteria and should not be used for it. Any record that matches the current filter criteria during export will be included, regardless of whether or not it is selected in the list view.
    Activate the Actions menu to perform bulk acknowledge, promote, close, or group actions using the list check boxes for each alert Alert check box or for all alerts. Bulk select for alerts
    Note: Filters apply when doing selections for alerts. Make sure you have the correct filters set and selections before using the Actions menu.

    The Actions list menu gives you options for them.

    Alert group options

    See Manually group alerts for more information on grouping alerts and their results.

    See Promote an alert to an incident for more information on promoting alerts and their results.

  4. Optional: Select the information icon information icon to the left of an alert for a preview.

    The fly-out screen contains the alert header including tags, Details, and Activity areas of the alert. See Alert workspace for more information on those fields.

    Alt text for alert-flyout-3.2.png

    The More actions More actions icon menu in the fly-out contains all the same options as the Alert form as well as Show full details which opens the full alert form.

    You can edit the Service, Priority, Assigned team, Assigned to, or Incident fields.

  5. Select an alert from the list view.

    The Details tab alert form contains not only the information related to the alert but options to search for further information and take actions. See the following example of an acknowledged alert.

    The Details page is automatically updated any time a change is made.

    Alt text for alert-form-3.2.png

    Only an acknowledged alert can be promoted to an incident. See Promote an alert to an incident for more information.

    Once you acknowledge it, the alert is assigned to you and you can:
    • Promote to Incident: (hidden if there is already an incident).
    • Close: Closes the alert.
    • Save: Saves all changes.
    • From the More actions More actions icon menu, you can:
      • Unacknowledge: Unassigns the alert.
  6. Select the Related alerts tab to view any alerts associated with this alert.
    Placeholder alt text for alert-related-list

    Alert information is copied from the alert record.

    See Alert workspace for information on specific fields. See Incident Response Automation for information on alert grouping.

  7. Select the Response rules tab to view any response rules associated with the alert.
    Response rule tab list view

    See Incident Response Automation for more information on response rules.

    See Alert workspace for information on specific fields.

  8. View the Compose panel to add comments to the Alert timeline.
    Alert Compose panel
  9. View the Alert timeline panel for system activity including Work notes. Entries can be filtered, sorted, and flagged.
    Alert timeline
    Note: When an automation rule updates an alert, the rule is identified in the timeline.
  10. Add or view attachments using the attachment icon icon in the upper right of the Attachments panel. This icon opens or hides the column.
  11. View the Collaboration panel using the collaboration icon Collaboration icon. This icon opens or hides the column.
    • Start or join an available Zoom meeting.
    • Start or join an available Microsoft Teams channel.
    • Start or join an available Slack channel.
    • Add responders to the alert.

    See Alert workspace for more information on each of the actions listed.

  12. View the Helpful links panel using the helpful links icon helpful links icon. This panel contains links defined on the affected service for this record.

    See Alert workspace for more detailed information.