Kaspersky Anti Targeted Attack (KATA) Platform

Recommendations for processing IDS alerts

8 November 2023

ID 196790

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.

The following recommendations are available:

  • Under Qualifying, select Find similar alerts by host name. Click the link to display the alert table of the Alerts section in a new browser tab. The alerts are filtered by the Source column. The host name or IP address from the alert you are working on is highlighted in yellow.
  • Under Qualifying, select Find similar alerts by URL. Click the link to display the alert table of the Alerts section in a new browser tab. The alerts are filtered by the URL in the Details column. The URL from the alert you are working on is highlighted in yellow.
  • Under Qualifying, select Add to exclusions.

    This opens the Add IDS rule to exclusions window. If you want to add an IDS rule that was used to create the alert to exclusions, enter a comment in the Description field and click Add.

    The IDS rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the IDS exclusions tab in the application web interface.

  • Under Investigation, select Find similar events by URL. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the search filter is configured to use the URI from the alert you are working on.
  • Under Investigation, select Find similar events by host name. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the search filter is configured to use the RemoteIP from the alert you are working on.
  • In the Investigation section, click Download IDS artifact to download the file with alert data.
  • In the Investigation section, click Download PCAP file to download the file with intercepted traffic data.
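The Qualifying recommendations above amount to two correlation filters (same Source host name or IP address, same URL in Details) and one suppression mechanism (an IDS rule added to exclusions with a mandatory description). The following Python is an added illustration of that triage logic over constructed sample alerts; it is not KATA code and does not use the KATA data model or API. The field names (`source`, `url`, `rule_id`), the in-memory exclusion list and the broader same-URL-host match are assumptions made for this example.

```python
"""Illustrative IDS alert triage helpers (added example, not KATA code).

Models the Qualifying recommendations on this page: find similar alerts
by host name, find similar alerts by URL, and add an IDS rule to
exclusions. The alert fields (source, url, rule_id) and the in-memory
exclusion list are assumptions for this example, not the KATA data model.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class IdsAlert:
    alert_id: int
    source: str      # host name or IP address shown in the Source column
    url: str         # URL shown in the Details column
    rule_id: str     # IDS rule that produced the alert (hypothetical field)


@dataclass
class ExclusionList:
    # Excluded IDS rule ID -> analyst's description, as entered in the
    # Description field of the "Add IDS rule to exclusions" window.
    rules: dict = field(default_factory=dict)

    def add(self, rule_id: str, description: str) -> None:
        # The UI requires a comment; enforce the same here so exclusions
        # remain auditable (who suppressed what, and why).
        if not description.strip():
            raise ValueError("a description is required for an exclusion")
        self.rules[rule_id] = description

    def is_excluded(self, alert: IdsAlert) -> bool:
        return alert.rule_id in self.rules


# Constructed sample alerts for the example (hosts, URLs and rule IDs are made up).
SAMPLE_ALERTS = [
    IdsAlert(1, "ws-017.corp.example", "http://updates.example.net/pkg/a.bin", "IDS-1001"),
    IdsAlert(2, "10.0.5.23",           "http://updates.example.net/pkg/a.bin", "IDS-1001"),
    IdsAlert(3, "ws-017.corp.example", "http://cdn.example.org/x.js",          "IDS-2042"),
    IdsAlert(4, "ws-042.corp.example", "http://updates.example.net/pkg/b.bin", "IDS-1001"),
]


def similar_by_host(alerts, alert):
    """Alerts with the same Source host/IP as `alert`, excluding itself."""
    return [a for a in alerts
            if a.source == alert.source and a.alert_id != alert.alert_id]


def similar_by_url(alerts, alert):
    """Alerts whose Details URL exactly matches `alert`'s, excluding itself."""
    return [a for a in alerts
            if a.url == alert.url and a.alert_id != alert.alert_id]


def similar_by_url_host(alerts, alert):
    """Broader pivot (assumption, not a KATA filter): same URL host, any path."""
    target = urlsplit(alert.url).hostname
    return [a for a in alerts
            if a.alert_id != alert.alert_id and urlsplit(a.url).hostname == target]


def apply_exclusions(alerts, exclusions):
    """Alerts that would still be raised after the exclusion list is applied."""
    return [a for a in alerts if not exclusions.is_excluded(a)]


def triage_summary(alerts, alert):
    """Counts of related alerts, as the Recommendations section shows them."""
    return {
        "by_host": len(similar_by_host(alerts, alert)),
        "by_url": len(similar_by_url(alerts, alert)),
    }


if __name__ == "__main__":
    first = SAMPLE_ALERTS[0]
    print("related counts:", triage_summary(SAMPLE_ALERTS, first))
    exclusions = ExclusionList()
    exclusions.add("IDS-1001", "validated internal update server, reviewed 2023-11")
    print("remaining after exclusion:",
          [a.alert_id for a in apply_exclusions(SAMPLE_ALERTS, exclusions)])
```

The exclusion check is deliberately keyed on the rule only, mirroring the page: excluding a rule suppresses every alert it produces, not just the one being worked on, which is why the description field matters for a later review of why the rule was excluded.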

See also

Recommendations for processing alerts

Recommendations for processing AM alerts

Recommendations for processing TAA alerts

Recommendations for processing SB alerts

Recommendations for processing IOC alerts

Recommendations for processing YARA alerts
