Define default alert view (admin)
The admin can define a default overview for alerts. This is displayed in the Cases page in one of the following situations:
- The alert does not have an attached playbook.
- The alert has an attached playbook with customized views per role but there is no defined view for the user's role. For more information on customized alert views, see Defining Customized Alert Views from Playbook Designer.
The view is defined from SOAR Settings > Case Data > Views > Default Alert View.
The Default Alert View displays the following widgets:
- Entities Highlights: this widget displays the highlighted fields for each entity involved in the alert. There are two ways to highlight a field.
- From the Explore page, choose the entity, select a field and click Add to highlight. The entity field is displayed in the widget.
- Navigate to SOAR Settings > Data Configuration > Properties Metadata, select a field and mark as highlighted. If the field is part of the entity, it is displayed in the widget.
- Events Table: this widget displays all alert events and their properties. Choose up to 6 fields to be displayed in the table. You can reorder the table rows. The default placeholders can be customized by clicking on the brackets on the right side of the row and choosing the appropriate placeholders. Multiple placeholders can be added in every row. In the actual display you can click any of the table rows to open up a side drawer showing more events details.
HTML: this widget lets you use HTML code for creating insights as well
as use placeholders to inject relevant information from the alerts.
When using the Video or Layout 6 presets that are included in the HTML widget, certain video sites, such as YouTube and files.fm are not supported. Sendspark can be used instead.
- Free Text: this widget lets you add free text to be displayed for the alert and playbook.
- Entities Graph: this widget provides a visual display of the relationship between the entities. It's the same display that you would see in the Explore page.
- Key Value: this widget lets you choose specific bits of information that come from various sources and display them in view. For example: Key – Product Value – [Alert.Product]
- Insights: this widget contains all the insights from the playbook insights actions, general insights, and any other insights you have added. They are presented in HTML format.
- Pending Actions: this widget lists all playbook actions waiting for user input. The analyst can now see at a glance what they need to do in order for the playbook to carry on running.
- Alert Details: this widget contains the basic details of the alert, such as the alert name, device product, alert severity, and risk score.
- Pending Actions
- Entities Highlights
The screen is presented with a default set of widgets already prepared and designed for maximum value. However, you are free to add, remove or edit the widgets as you like. The default widgets include:
- Drag a widget from the left screen into the template on the right.
- You can move around the widgets at any stage to achieve the required view.
- Click settings Configuration in the widget that is being edited.
- Edit the title, description (which is actually the tooltip) and the width (50 or 100%).
- Click Save.