One of the most common tasks that Visualizer users perform
is to evaluate alerts to decide which alerts to review and which alerts
to transfer to other Visualizer groups.
Alerts display in the Alert Summary window
of the Visualizer. This window is the starting point for evaluating,
assigning or transferring, and reviewing alerts.
Alerts are grouped into alert summaries. Alert summaries contain
all alerts of the same alert type with the same description, alert
severity, status, resolution rule, relationship score, and resolution
(likeness) score. One alert summary typically contains multiple individual
alerts, each of which needs to be reviewed and analyzed. Part of the
review includes assigning a disposition to the alert, so that you
and other Visualizer users know the status of the analysis and can
see comments indicating your findings.
Remember, your Alert Summary window only displays the following:
- Alert summaries for your Visualizer analyst group that contain
unassigned alerts
- Alerts that you have already assigned to yourself
You do not see the alerts that other analysts in your Visualizer
analyst group have assigned to themselves. Nor do you see alerts that
are assigned to other Visualizer analyst groups.
Evaluating alert summaries
How do you decide which alerts to assign to yourself for analysis? Start by reviewing
the alert summaries in the Alert Summary window.
As you look at the alert summaries, compare the importance of the
information that makes up that alert summary with your analysis goals.
You might need to evaluate one or more pieces of alert information
before you can decide.
Tips to help prioritize alert summaries:
- Alert severity: Start by sorting the alert summaries by
severity. Click the Alert Severity column header. This
information might be enough information to help you decide which alerts
are most critical or important to begin analyzing. For example, if
your organization uses "C" for alerts with a critical severity, you
can immediately see which alerts are critical by simply looking at
their severity.
- Alert description: Severity might not be enough information,
alone. The alert description might help you choose which alerts are
higher on the priority list, if there are multiple alert summaries
with the same alert severity. For example, it might be more important
to analyze alerts that are grouped by the "No Fly knows Passenger"
description than the "Passenger knows Employee" description.
- Likeness Score and Relationship Score: The higher the scores,
the more likely it is that a relationship of interest exists or
that the identity really is the entity it matched. In the "No Fly knows Passenger" example,
if both the Likeness and the Relationship scores are 100, then the
person on the No Fly list is the Passenger, and you might want to
take immediate action. If the likeness score is less than 70 and the
relationship score is less than 85, this alert might still be important,
but not critical. You might still want to analyze the entities involved
in the alert, but you might not need to take immediate action.
As a Visualizer user, you are familiar with your organization's
goals, so you can probably add your own personal factors to use when
prioritizing alerts. These tips are to get you started.
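The visibility rule for the Alert Summary window (unassigned alerts in your own analyst group, plus alerts you have assigned to yourself) and the prioritization tips above (severity first, then description, then the Likeness and Relationship scores with the thresholds given in the example) can be written down as a small triage routine. The following is an added example, not part of the Visualizer product or its documentation; the severity codes other than "C", the description ranking, the group and analyst names, and the sample alert summaries are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumptions: the page only mentions "C" for critical; the
# other codes and the ranking of descriptions are illustrative choices.
SEVERITY_RANK = {"C": 0, "H": 1, "M": 2, "L": 3}
DESCRIPTION_RANK = {"No Fly knows Passenger": 0, "Passenger knows Employee": 1}


@dataclass
class AlertSummary:
    alert_id: str
    group: str            # Visualizer analyst group that owns the alert
    description: str
    severity: str
    likeness: int         # likeness (resolution) score, 0-100
    relationship: int     # relationship score, 0-100
    assigned_to: Optional[str] = None


def visible_to(analyst: str, group: str, summaries: List[AlertSummary]) -> List[AlertSummary]:
    """Apply the Alert Summary window rule: unassigned alerts in the
    analyst's own group, plus alerts the analyst assigned to themselves.
    Alerts held by other analysts or other groups are not shown."""
    return [
        s for s in summaries
        if (s.group == group and s.assigned_to is None) or s.assigned_to == analyst
    ]


def urgency(s: AlertSummary) -> str:
    """Classify an alert using the score thresholds from the text."""
    if s.likeness == 100 and s.relationship == 100:
        return "immediate action"          # the identity is the entity
    if s.likeness < 70 and s.relationship < 85:
        return "important, not critical"   # analyze, but no immediate action
    return "analyze"


def prioritize(summaries: List[AlertSummary]) -> List[AlertSummary]:
    """Order alerts the way the tips suggest: by severity, then by
    description, then by the combined scores (highest first)."""
    return sorted(
        summaries,
        key=lambda s: (
            SEVERITY_RANK.get(s.severity, len(SEVERITY_RANK)),
            DESCRIPTION_RANK.get(s.description, len(DESCRIPTION_RANK)),
            -(s.likeness + s.relationship),
        ),
    )


def triage(analyst: str, group: str, summaries: List[AlertSummary]) -> List[tuple]:
    """Return (alert_id, urgency) for the alerts this analyst can see,
    in the order they should be picked up."""
    return [(s.alert_id, urgency(s)) for s in prioritize(visible_to(analyst, group, summaries))]


def transfer(s: AlertSummary, new_group: str) -> AlertSummary:
    """Move an alert to another analyst group; it becomes unassigned there."""
    s.group = new_group
    s.assigned_to = None
    return s


# Constructed sample alert summaries for analyst "alice" in the
# hypothetical "Reservations" group.
SAMPLE = [
    AlertSummary("A1", "Reservations", "Passenger knows Employee", "C", 95, 90),
    AlertSummary("A2", "Reservations", "No Fly knows Passenger", "C", 100, 100),
    AlertSummary("A3", "Reservations", "No Fly knows Passenger", "M", 60, 80),
    AlertSummary("A4", "Reservations", "Passenger knows Employee", "H", 75, 85, assigned_to="bob"),
    AlertSummary("A5", "Security", "No Fly knows Passenger", "C", 100, 100),
    AlertSummary("A6", "Reservations", "Passenger knows Employee", "L", 50, 60, assigned_to="alice"),
]

if __name__ == "__main__":
    for alert_id, level in triage("alice", "Reservations", SAMPLE):
        print(alert_id, level)
```

Running the script lists A2 first (critical severity, the more important description, and both scores at 100) and leaves out A4, which bob has already taken, and A5, which belongs to the Security group.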
Assigning alerts
After you know which alerts
you want to work on, based on priority, you can assign those alerts
to yourself. Assigning alerts allows your Visualizer analyst group
to divide and conquer the list of incoming alerts. When an alert is
assigned to you, that alert only displays on your Alert Summary window,
preventing duplicate work by another Visualizer user on the same alert.
You can immediately see the alerts that you alone are currently researching.
If you see one or more alerts in your Alert Summary window that you think might
belong to another Visualizer analyst group, you can transfer those
alerts. For example, you work as a reservation clerk and evaluate
alerts generated by new or changed reservations. You see an alert
listed that security handles. You can transfer that alert to the Security
group, because the alert is under that group's jurisdiction.
Reviewing and dispositioning alerts
When you assign yourself one or more alerts, you can get down to the
business of researching and analyzing those alerts. The Visualizer
simplifies the task in the Research window, which brings together all the
relevant, associated information about the alert in one window.
From the Research window, you can do the following tasks as part of
your analysis:
- Review the alert details
- Look at the entity resumes of the related entities
- View the associated entity or alert graphs to visualize and explore
the commonalities of the entities or attributes that are part of the
alert
- Add comments indicating the findings of your analysis
- Change the status (disposition) of the alert as your analysis
progresses