View Additional Alarm Information
You can use the Inspector panel to view alarm metadata as well as the details related to any SmartResponse actions, user comments, or AIE rules that are associated with an alarm. You can also use the Inspector panel to make changes to an alarm status, add the alarm to a case, and start a drill down search.
The following procedure can also be directly applied to alarm cards displayed in case evidence outside the Alarms page.
To view additional information or make changes using the Inspector panel:
1. On the navigation bar, click Alarms.
2. Select an alarm by doing one of the following:
   - In the Alarm card view, click an Alarm card to select it. A glowing blue border appears around the selected Alarm card.
   - In the Alarm grid view, click anywhere in a row on the Alarm grid. The row is filled light blue.
3. On the upper-right side of the Alarms page, click the Inspector tab.
The Inspector panel opens.
Alarm information in the Inspector panel is divided into sections for Data, Alarm Actions, SmartResponse Actions, Comments, and Details.
The following are detailed descriptions of each section:
The Data section includes the following information:
Alarm ID. An internal number representing a unique alarm instance.
Alarm Date. The date and time that the alarm was triggered.
Alarm Name. The alarm name as defined in the alarm rule.
Metadata fields. Each metadata field is listed individually. For descriptions of each metadata field, see the "Lucene Search Syntax" table in Metadata Fields.
The properties shown in the Data section are the same as the values shown in the Alarm Properties window in the Client Console.
If the host listed in the Host (Origin) or Host (Impacted) field is a Known Host, an Information icon appears next to the text. Hover your mouse over the row where the metadata appears. The information shown is the information configured for the host in the Client Console.
The Alarm Actions section allows you to make changes to an alarm within the Inspector panel. You can update the following information:
Status. To open or close an alarm from the Inspector panel, click the list and click Open or click Closed. To change the alarm status back to a new state, click New.
Add to Case. To add the alarm to a case, click the list and select a case by either typing the case name in the typeahead filter or scrolling through the list. When the correct case is shown in the field, click Add.
New Case. To create a new case with the selected alarm attached as evidence, click the New Case button. The New Case from Alarm dialog box appears with the following default configurations, all of which you can change:
The Name matches the alarm name.
The Priority is based on the alarm's risk status.
The Due Date is one week from the date of new case creation.
The Summary matches the alarm description. If the alarm has no description, this field is left blank.
Click Save to create the case. The person who created the case becomes the case owner and the case status is set to Created.
Search for Events Triggering Alarm. Click Drill Down to drill into the selected alarm. A search task appears at the bottom of the screen. When the search is finished, click the Complete: All Results or Complete: Max Results link at the bottom of the page.
If you drill into an alarm that is in a New state, the alarm status is automatically set to Open. If the alarm is in a Closed or Open state, the status does not change during drill down.
The SmartResponse Actions section lists any SmartResponse actions that are triggered by the alarm. The following information is included for each action: Execution Target, Execution Time (ms), Standard Out, Standard Error, and the AutoApproved status for actions that do not require user approval.
If you are listed as an approver for any non-AutoApproved SmartResponse actions attached to the alarm, you see Approve and Deny buttons in place of an AutoApproved status. At the bottom of the SmartResponse actions section, you also see a message indicating whether or not the actions need to run in the order that they are listed.
If approvals are needed but you are not an approver, the word "Pending" is displayed followed by text displaying how many approvals are done (e.g. 0 of 3 Approved).
For more details about the SmartResponse approval process, see Approve or Deny SmartResponse Actions.
The Comments section allows you to view notes about the alarm from other users. You can also add your own comments for others to view.
The Details section includes the following information:
Added to Case(s). If the selected alarm is added to a case, a blue indicator appears on the alarm card. The case information is shown here along with a Go to Case button that, when clicked, links to the case. If the alarm is linked to multiple cases, a link to each case appears here.
If you do not have permission to view the case the alarm was added to, this information does not appear in the Details section. This restriction pertains to non-global users and users that are not collaborators on the case(s) to which the alarm was added.
Alarm Description. The Description field contains text information from the Brief Description field for an alarm in Client Console.
Additional Details. The Additional Details field contains the text from the "Additional Details" property of any alarm, whether it's an AIE Rule or a regular alarm.
4. (Optional) Click the arrow to collapse the Inspector panel.