IBM InfoSphere Identity Insight, Version 8.0

Analyzing alerts in the Visualizer

One of the most common tasks that Visualizer users perform is to evaluate alerts to decide which alerts to review and which alerts to transfer to other Visualizer groups.

Alerts display in the Alert Summary window of the Visualizer. This window is the starting point for evaluating, assigning or transferring, and reviewing alerts.

Alerts are grouped into alert summaries. An alert summary contains all alerts of the same alert type that share the same description, alert severity, status, resolution rule, relationship score, and resolution (likeness) score. One alert summary typically contains multiple individual alerts, each of which needs to be reviewed and analyzed. Part of the review includes assigning a disposition to the alert, so that you and other Visualizer users know the status of the analysis and can see comments indicating your findings.

Remember that your Alert Summary window displays only a subset of all alerts: you do not see the alerts that other analysts in your Visualizer analyst group have assigned to themselves, nor do you see alerts that are assigned to other Visualizer analyst groups.

Evaluating alert summaries

How do you decide which alerts to assign to yourself for analysis? Start by reviewing the alert summaries in the Alert Summary window. As you look at the alert summaries, compare the importance of the information that makes up that alert summary with your analysis goals. You might need to evaluate one or more pieces of alert information before you can decide.

Tips to Help Prioritize Alert Summaries:
  • Alert severity: Start by sorting the alert summaries by severity. Click the Alert Severity column header. Severity alone might be enough to help you decide which alerts are most critical or important to begin analyzing. For example, if your organization uses "C" for alerts with a critical severity, you can immediately see which alerts are critical simply by looking at their severity.
  • Alert description: Severity alone might not be enough information. If there are multiple alert summaries with the same alert severity, the alert description might help you choose which alerts are higher on the priority list. For example, it might be more important to analyze alerts that are grouped by the "No Fly knows Passenger" description than by the "Passenger knows Employee" description.
  • Likeness Score and Relationship Score: The higher the scores, the more likely it is that there is a relationship of interest or that the identity is the entity. In the "No Fly knows Passenger" example, if both the Likeness and the Relationship scores are 100, then the person on the No Fly list is the Passenger, and you might want to take immediate action. If the likeness score is less than 70 and the relationship score is less than 85, this alert might still be important, but not critical. You might still want to analyze the entities involved in the alert, but you might not need to take immediate action.

As a Visualizer user, you are familiar with your organization's goals, so you can probably add your own personal factors to use when prioritizing alerts. These tips are to get you started.
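As an added illustration (not part of the IBM documentation or product), the following script ranks constructed alert summaries using the three tips above: severity first, then description, then scores, and flags the 100/100 and "less than 70 / less than 85" cases exactly as the text describes. The severity codes other than "C", the description ordering, and the field names are assumptions for this example.

```python
# Added example: apply the prioritization tips to a list of alert summaries.
# Severity codes other than "C", the description ordering and the field
# names are assumptions; the score thresholds are the ones given in the text.
from dataclasses import dataclass

# Assumed severity codes, highest priority first ("C" = critical, as in the text).
SEVERITY_RANK = {"C": 0, "H": 1, "M": 2, "L": 3}
# Assumed organisational ordering of alert descriptions (most urgent first).
DESCRIPTION_RANK = {"No Fly knows Passenger": 0, "Passenger knows Employee": 1}


@dataclass
class AlertSummary:
    description: str
    severity: str
    likeness: int      # resolution (likeness) score, 0-100
    relationship: int  # relationship score, 0-100


def action_level(s: AlertSummary) -> str:
    """Map the scores to the urgency described in the text:
    100/100 -> immediate action; both below 70/85 -> important, not critical."""
    if s.likeness == 100 and s.relationship == 100:
        return "immediate"
    if s.likeness < 70 and s.relationship < 85:
        return "important"
    return "review"


def sort_key(s: AlertSummary):
    # Unknown severities or descriptions sort after the known ones.
    return (SEVERITY_RANK.get(s.severity, len(SEVERITY_RANK)),
            DESCRIPTION_RANK.get(s.description, len(DESCRIPTION_RANK)),
            -s.likeness, -s.relationship)


def prioritize(summaries):
    """Return the summaries in the order an analyst would pick them up."""
    return sorted(summaries, key=sort_key)


# Constructed sample alert summaries (not real data).
SAMPLE = [
    AlertSummary("Passenger knows Employee", "M", 95, 90),
    AlertSummary("No Fly knows Passenger", "C", 60, 80),
    AlertSummary("No Fly knows Passenger", "C", 100, 100),
    AlertSummary("Passenger knows Employee", "C", 72, 88),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE):
        print(s.severity, s.description, s.likeness, s.relationship, action_level(s))
```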

Assigning alerts

After you know which alerts you want to work on, based on priority, you can assign those alerts to yourself. Assigning alerts allows your Visualizer analyst group to divide and conquer the list of incoming alerts. When an alert is assigned to you, that alert displays only in your Alert Summary window, which prevents duplicate work by another Visualizer user on the same alert. You can immediately see the alerts that you alone are currently researching.

If you see one or more alerts in your Alert Summary window that you think might belong to another Visualizer analyst group, you can transfer those alerts. For example, suppose you work as a reservation clerk and evaluate alerts generated by new or changed reservations, and you see an alert listed that security handles. You can transfer that alert to the Security group, because the alert is under that group's jurisdiction.

Reviewing and dispositioning alerts

After you assign yourself one or more alerts, you can get down to the business of researching and analyzing them. The Visualizer simplifies the task in the Research window, which gathers all the relevant, associated information about the alert in one window. From the Research window, you can do the following tasks as part of your analysis:
  • Review the alert details
  • Look at the entity resumes of the related entities
  • View the associated entity or alert graphs to visualize and explore the commonalities of the entities or attributes that are part of the alert
  • Add comments indicating the findings of your analysis
  • Change the status (disposition) of the alert as your analysis progresses


Last updated: 2009