Analyzing Event Notifications

Event notifications are the task list comprising the analyst's daily workflow, flagging important events that fit precise risk criteria for further analysis.

Right-click an event notification to Send to Object Details Viewer, Open in new viewer widget, or Send to another View.

Drag event notifications into the following common analytical widgets to invoke their corresponding functions:

• The Object Details Viewer widget allows the user two choices:
  • View the notification's detail and modify the assignee, status, priority, and addition tags.
  • View the detail of the event that is associated with the notification.
  • View a count and link to any collections that contain the event as an item.
• The Collections widget triggers the creation of a collection, or adds the dragged event into an existing collection.
• The Collection Details widget adds the event notification to the collection that is loaded onto the widget.
• The Map widget displays geo data (both markers and polygons) that is available for the event.
• The Link Analysis widget attempts to render any linked entities and associated links.
• The Drilldown widget displays the drilldown hierarchy of pattern solutions and output events that ultimately resulted in the publishing of the dragged event if this data is available from Authoring / HCEP.
• The Event History widget renders the history of an event (if any) in a table.
• The Risk History widget displays the history of an event's risk (if any) on a timeline chart.

Assumptions

This guide assumes your data has a risk_score, and that event notification settings have been configured.

If your data does not use a risk_range score, refer to the guide for the Events Stream widget.

Working With Event Notifications

Two widgets are used to access event notifications. The widget selected from the following list determines the form of analysis:

1. The Notifications Widget
2. The Notifications Explorer Widget

Instructions for "Notifications Widgets" in this guide can be taken to apply to both the Notification widget and the Notifications Explorer widget unless explicitly indicated.

Using Notification Explorer Widgets

The Notifications Explorer widget is similar to the Notifications widget, but is not constrained to a time window. Both show up to 100 event notifications, and each can be filtered to find specific entries. Each notification is color-coded based on the event notification's notification tag.

Using Notifications Widgets

Notifications widgets display a real-time feed of incoming and recently updated notifications, based on a user-defined window of time. Up to 100 notifications that fit the criteria are shown. Once the notifications widget is added to a view, it is possible to apply filters, sort notifications, and dig deeper into the event and any underlying triggers.

Sorting and Filtering Notifications

Notification sorting is the first step toward narrowing down results from the event notifications widget.

To sort notifications:

1. From a working view, at the top of the event notifications or notifications explorer widget, click the filters dropdown icon.

2. Select the filter and filtration method.

   
   

   Filters for the Notifications widget include:

   Filter	Description
   Sort By	Sort the notifications on this widget by the last created/updated date, priority, risk score, or tag order priority.
   Tags	Pick or search for a specific notification or system tags to filter by.
   Users	Pick or search for a specific user (that are assigned to notifications) to filter by.
   Time Window	Pick a pre-defined time window to filter notification created at or updated at timestamps by.

   
   

   Filters for the Notifications Explorer widget include:

   Filter	Description
   Filter	Select filtration from among time-based fields.
   Date	Select from a pre-defined time period.
   Sort by	Filter by last created/uploaded/occurred at dates, priority, risk score, tag order, or assigned user.
   Tags	Filter by either notification or system tags.
   Users	Display event notifications based on the specified user assigned to them.
   Status	Filters notifications by ingestion status: Active, Dismissed, or Archived.
   Priority	Filters by the notification's designated priority.
   Text Search	Allows text string matching within an event notification's data fields.

3. Click Apply Filters to apply all the selected filters, or Reset to Defaults to discard the filters.

Pinning Event Notifications

A notification disappears if it no longer fits the criteria of the event notification settings, or if it falls outside of the defined timeframe. Event notifications can be pinned to prevent them from vanishing from the list of event notifications.

Note

Pinning notifications only applies to the event notifications widget.

To pin a notification:

1. From a working view, at the top of the event notifications widget, each event is listed.
2. At the right side of any event, click the pin icon to pin the event notification.
3. Click the pin icon again to unpin the event notification.

Event Notification Time Charts

The event notifications widget contains a timeline representing the quantity of notifications generated for the associated time window.

To toggle Time Chart Mode:

1. At the upper left of the event notifications widget, a circle displays a count of notifications the widget has received.
2. Click the circle icon to toggle the timeline plotted value between:
   1. Tag, which plots lines segmented by the notification tag.
   2. Risk history, which plots lines segmented by risk level (low, medium, high, critical).
   3. User, which plots lines segmented by assigned user (the notification needs to be assigned to a user first).
   4. Priority, which plots segmented by the notification priority.