Update the Alarm Status
In LogRhythm SIEM, each alarm has one of the following statuses:
- New. When an alarm is first triggered, LogRhythm automatically assigns it the status New. An alarm can be changed back to New at any time. If you set an alarm back to New, the timestamps recording when the alarm was set to Open and Closed are cleared. The date the alarm was generated is never cleared.
- Open. A LogRhythm user has opened the new alarm. In the Client Console, users can assign a sub-status of Working or Escalated.
- Closed. The alarm is closed. In the Client Console, users can assign a sub-status of False Alarm, Monitor, Reported, Resolved, or Unresolved.
You can use the Web Console to set the Alarm Status to Open, Closed, or New.
Alarms that have a status of New or Open are considered Unclosed when using the Alarm Status filter in the alarm filter bar.
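The lifecycle rules above (New clears the Open and Closed timestamps but never the generated date, sub-statuses are tied to a base status and only the Client Console can set them, and the Unclosed filter means New or Open) are easy to get wrong when building reporting or ticket-sync tooling around alarm data. The following is an added illustrative model of those rules written for this page; it is not LogRhythm code and does not use the LogRhythm API. The `Alarm` class, the `console` parameter, the `demo()` helper and all sample timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Base statuses and the sub-statuses each one permits, as documented on this page.
STATUSES = ("New", "Open", "Closed")
SUB_STATUSES = {
    "New": set(),
    "Open": {"Working", "Escalated"},
    "Closed": {"False Alarm", "Monitor", "Reported", "Resolved", "Unresolved"},
}


@dataclass
class Alarm:
    """Constructed model of one alarm's status fields (illustrative, not LogRhythm's schema)."""
    alarm_id: int
    generated: datetime                 # set once when the alarm fires; never cleared
    status: str = "New"
    sub_status: Optional[str] = None
    opened: Optional[datetime] = None   # when the alarm was last set to Open
    closed: Optional[datetime] = None   # when the alarm was last set to Closed

    def set_status(self, status: str, sub_status: Optional[str] = None,
                   console: str = "Client Console",
                   when: Optional[datetime] = None) -> "Alarm":
        """Apply a status change, enforcing the page's rules.

        - Only the three base statuses exist.
        - A sub-status must belong to the base status being set.
        - The Web Console can set only Open, Closed or New (no sub-status).
        - Reverting to New clears the Open and Closed timestamps only.
        """
        if status not in STATUSES:
            raise ValueError(f"unknown alarm status: {status!r}")
        if sub_status is not None:
            if console == "Web Console":
                raise ValueError("sub-statuses can only be assigned in the Client Console")
            if sub_status not in SUB_STATUSES[status]:
                raise ValueError(f"{sub_status!r} is not a sub-status of {status}")
        when = when or datetime.now(timezone.utc)
        if status == "New":
            self.opened = None
            self.closed = None
        elif status == "Open":
            # Assumption: reopening records a new Open time; the page specifies
            # timestamp clearing only for a return to New, so Closed is left as is.
            self.opened = when
        else:
            self.closed = when
        self.status = status
        self.sub_status = sub_status
        return self

    @property
    def unclosed(self) -> bool:
        """Matches the Alarm Status filter's notion of Unclosed: New or Open."""
        return self.status in ("New", "Open")


def filter_unclosed(alarms):
    """Return the alarms the Unclosed filter would show."""
    return [a for a in alarms if a.unclosed]


def time_to_open(alarm: Alarm) -> Optional[timedelta]:
    """Triage latency: generated -> Open. None if the alarm has never been opened."""
    return alarm.opened - alarm.generated if alarm.opened else None


def demo() -> dict:
    """Walk three constructed alarms through the lifecycle and report the outcomes."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed generation time
    a = Alarm(alarm_id=1, generated=t0)
    b = Alarm(alarm_id=2, generated=t0)
    c = Alarm(alarm_id=3, generated=t0)
    a.set_status("Open", "Working", when=t0 + timedelta(minutes=5))
    b.set_status("Closed", "False Alarm", when=t0 + timedelta(minutes=7))
    c.set_status("Open", when=t0 + timedelta(minutes=1))
    c.set_status("New")  # revert: Open timestamp cleared, generated date kept
    results = {
        "unclosed_ids": [x.alarm_id for x in filter_unclosed([a, b, c])],
        "a_time_to_open_s": time_to_open(a).total_seconds(),
        "c_opened_cleared": c.opened is None,
        "c_generated_kept": c.generated == t0,
        "web_substatus_rejected": False,
    }
    try:
        a.set_status("Open", "Escalated", console="Web Console")
    except ValueError:
        results["web_substatus_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcome dictionary: alarms 1 and 3 are Unclosed, alarm 1 took 300 seconds to open, alarm 3 has lost its Open timestamp but not its generated date, and the attempt to set a sub-status from the Web Console is rejected. The same checks are what a status-sync script against a ticketing system should validate before writing anything back.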
You can change in...

| Alarm Status | Client Console: Alarm History Window | Web Console: Alarms Page |
|---|---|---|
| Open | X | X |
| Working | X | |
| Escalated | X | |
| Closed | X | X |
| Closed sub-status: False Alarm, Monitor, Reported, Resolved, and Unresolved | X | |
| New | X | X |
To update the status of individual alarms:
- On the top navigation bar, click Alarms.
- Do one of the following:
  - In the Alarm card view:
    - Next to the Alarm status, click the arrow.
    - Select Open, Closed, or New.
  - In the Alarm grid view, do one of the following:
    - Change the status from the selection bar:
      - Select the check box of the alarm you want to change.
      - In the Status list in the selection bar, select Open, Closed, or New.
    - Change the status from the Inspector panel:
      - Click anywhere in the row of the alarm you want to change.
      - Click the Inspector tab to expand the Inspector panel, if necessary.
      - In the Alarm Actions section, click the arrow to expand the Status list.
      - Select Open, Closed, or New.
  - On the Analyze page, select the status from the list at the top of the page.
To update the status of multiple alarms at the same time:
- On the top navigation bar, click Alarms.
- Do one of the following:
  - In the Alarm card view:
    - Select multiple alarms by doing one of the following:
      - Select the check boxes on the alarms that you want to update.
      - On the alarm toolbar, select the Check Visible check box to select all visible alarms on the page.
    - From the Status list on the alarm toolbar, select Open, Closed, or New to update all of the selected alarms.
  - In the Alarm grid view:
    - Select multiple alarms by doing one of the following:
      - Select the check boxes on the alarms that you want to update.
      - At the upper-left of the Alarm grid, select Check All to select the first 100 alarms in the grid.
    - In the Status list in the selection bar, select Open, Closed, or New to update all of the selected alarms.
To update all alarms associated with a case:
- On the top navigation bar, click Alarms.
- On the left side of the dashboard, click the Cases tab to open the Current Case panel. You can also open the Current Case panel by pressing C on your keyboard.
- In the evidence section, click the Change "X" alarms to list, where X is the number of alarms associated with the case, and select Open, Closed, or New to update all of those alarms.
Alarms that are associated with a case can also be closed at the same time the case is closed. For more information, see Close Cases.