BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
KIIMCL
Obsidian | Level 7

Good day. I will go straight to the point.

 

The actual result for the scenario comes out with the less number in the alert summary. For example, suppose that there are scenarios A, B, and C in which all scenarios are sorted in the respective separate queues and strategies under the same domain. I can see the reported alert of scenario A is the same as the result when tested individually. But Scenario B and C report the less number in the alert summary than their actual result when tested individually. I think it's because Scenario A is assigned the highest priority and B and C are assigned lower priorities in strategies and queues. So let's say, for example, a company T violated A, B, and C. I can check the fact that the company T violated all the scenarios out only in the report for A in the alert summary but I want to see the name of the company T in B and C too. I may assign each scenario to separate domains but I necessarily assign them in the same domain because of the project I am working right now.

 

Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions
_austin_
SAS Employee

In Visual Investigator we differentiate between "suspicious activity" - usually captured by scenario fired events - and alerts. As alerting events come in, all the scenario-fired events for a given actionable entity (for a given alerting domain) are gathered together into a single alert. That way the analyst has a full view of all the suspicious activity. That alert will be routed to the highest priority queue of all the recommended queues to come in with the alerting event. If more suspicious activity is discovered tomorrow, this will be attached to the same alert as well.

 

The title of your post is "The number of reported alerts in alert summary doesn't match the actual result", but the behavior you are describing is "the number of scenario-fired events doesn't match the number of alerts". That is expected.

 

Individual alerts can only exist in one queue at a time. If you want to investigate each scenario separately and save them in different queues, you should make them 3 different alert domains. If you want the 3 scenarios to be worked together, you would put all the scenario-fired events in the same domain and work the alert in whatever queue it has landed in or use dispositions to move the alert to different queues as you work it.

 

I hope this explanation helps. You can learn more by reading Part 7 of the Visual Investigator Administrator's Guide: Alert Management.

View solution in original post

3 REPLIES 3
_austin_
SAS Employee

In Visual Investigator we differentiate between "suspicious activity" - usually captured by scenario fired events - and alerts. As alerting events come in, all the scenario-fired events for a given actionable entity (for a given alerting domain) are gathered together into a single alert. That way the analyst has a full view of all the suspicious activity. That alert will be routed to the highest priority queue of all the recommended queues to come in with the alerting event. If more suspicious activity is discovered tomorrow, this will be attached to the same alert as well.

 

The title of your post is "The number of reported alerts in alert summary doesn't match the actual result", but the behavior you are describing is "the number of scenario-fired events doesn't match the number of alerts". That is expected.

 

Individual alerts can only exist in one queue at a time. If you want to investigate each scenario separately and save them in different queues, you should make them 3 different alert domains. If you want the 3 scenarios to be worked together, you would put all the scenario-fired events in the same domain and work the alert in whatever queue it has landed in or use dispositions to move the alert to different queues as you work it.

 

I hope this explanation helps. You can learn more by reading Part 7 of the Visual Investigator Administrator's Guide: Alert Management.

KIIMCL
Obsidian | Level 7
Thank you for the reply. It really helps a lot. Can I ask you one more question? Can I change the order of domains? And also order of alerts in alert summary of home page? I don't know the standard of ordering
_austin_
SAS Employee

Hello,

No, you don't have direct control over the order of the domains. The strategies and queues are listed in priority order, so you can re-order them within the domain. 

It would be a nice feature to let page designers decide which domains to display within the alert summary component and possibly the strategy and queue order too. I think that is a requested feature in our backlog but it does not have a committed release associated with it at this time.

Discussion stats
  • 3 replies
  • 883 views
  • 2 likes
  • 2 in conversation