Updated on 2023-10-31 GMT+08:00

Importing and Exporting Alerts

This section describes how to import and export alerts.

Limitations and Constraints

Only .xlsx files no larger than 20 MB can be imported.

Importing Alerts

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Management

  4. In the navigation pane on the left, choose Threat Operations > Alerts.

    Figure 2 Alerts

  5. On the Alerts page, click Import in the upper left corner of the list.
  6. In the displayed Import dialog box, click Download Template to download a template, and fill in the downloaded template according to the requirements.
  7. After the alert file is ready, click Select File in the Import dialog box, and select the Excel file you want to import.

    • Fill in information about alerts to be imported based on the template. For details, see Alert Template Parameters.
    • The file must be in the .xlsx format.

  8. Click OK.

Alert Template Parameters

Import alerts based on the template requirements. For details about the parameters, see Table 1.

Table 1 Parameters in the alert template

Parameter | Type | Mandatory | Description
extend_properties | Object | No | Extended attributes.
ttr | Int | No | Response time.
ttd | Int | No | Detection time.
ref_order_id | String | No | Service ID (work order ID). The value contains a maximum of 128 characters.
origin_id | String | No | Original ID of the alert. The value contains a maximum of 128 characters.
file_info | List[Object] | No | File information.
user_info | List[Object] | No | User information.
process | List[Object] | No | Process information.
network_list | List[Object] | No | Network information.
resource_list | List[Object] | No | Affected assets.
system_info | Object | No | System information.
alert_type | Object | Yes | Alert type. Example: {"id":"demo","alert_type":"demo"}
malware | Object | No | Malware.
remediation | Object | No | Remediation measures.
environment | Object | Yes | Coordinates of the environment where the alert is generated.
data_source | Object | Yes | Data source. Example: {"domain_id":"demo","product_feature":"demo","project_id":"demo","product_module":"demo","company_name":"demo","region_id":"demo","source_type":-827196037,"product_name":"demo"}
workspace_id | String | Yes | ID of the workspace to which the alert object belongs.
is_deleted | Boolean | No | Whether to delete the alert.
arrive_time | Timestamp | Yes | Receiving time. The time zone is that of the place where the alert was received (see the note on Timestamp parameters below).
source_url | String | No | Alert URL, which points to the page describing the current incident in the data source product.
description | String | Yes | Alert description. The value contains a maximum of 1,024 characters.
sla | Int | No | SLA for closing the incident, in hours.
ipdrr_phase | String | No | Period/phase number.
actor | String | No | Investigator.
close_reason | String | No | Closure reason. The value can be False detection, Resolved, Repeated, or Other.
close_comment | String | No | Comment for the closure.
create_time | Timestamp | Yes | Recording time. The time zone is that of the place where the alert was recorded.
close_time | Timestamp | No | Closing time. The time zone is that of the place where the alert was closed (disabled).
update_time | Timestamp | No | Update time. The time zone is that of the place where the alert was updated.
severity | String | Yes | Alert severity. The value can be Tips (no threat is found), Low (no operation is required for the threat), Medium (the threat needs to be handled but is not urgent), High (the threat must be handled preferentially), or Fatal (the threat must be handled immediately to prevent further damage).
confidence | Int | No | Alert confidence, that is, how accurate the identified behavior or event is. Value range: 0-100, where 0 means the alert confidence is 0% and 100 means it is 100%.
criticality | Int | No | Importance level of the resources involved in the alert. Value range: 0-100, where 0 indicates that the resource is not critical and 100 indicates that it is critical.
count | Int | Yes | Number of alert occurrences.
handle_status | String | Yes | Alert processing status. The value can be Open (enabled), Block (blocked), or Closed (disabled). The default value is Open.
first_observed_time | Timestamp | Yes | First alert occurrence time. The time zone is that of the place where the alert was generated.
last_observed_time | Timestamp | No | Latest alert occurrence time. The time zone is that of the place where the alert was generated.
creator | String | No | Creator.
verification_state | String | Yes | Verification status, indicating the accuracy of the alert. The value can be Unknown (the status is unknown), True_Positive (the alert is confirmed), or False_Positive (the alert is a false positive). The default value is Unknown.
id | String | Yes | Unique identifier of the alert. The value is in the UUID format and contains a maximum of 36 characters.
version | String | Yes | Version of the alert object.
domain_id | String | Yes | Domain ID of the tenant to which the alert object belongs.
title | String | Yes | Alert name. The value contains a maximum of 255 characters.
region_id | String | Yes | Region ID of the tenant to which the alert object belongs.
simulation | Boolean | No | Debugging field.
owner | String | No | Owner and service owner.
labels | String | No | Labels.

Note on Timestamp parameters: all Timestamp values use the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". If the parameter cannot be parsed, the default time zone GMT+8 is used.
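Rows that violate the rules in Table 1 are the usual reason an import is rejected, so it pays to check the filled-in template before uploading it. The following is an added example, not SecMaster code: it validates one template row (a dict of column name to cell value) against the mandatory fields, enumerations, length limits, 0-100 ranges and ISO 8601 timestamps above, reading a timestamp with no offset as GMT+8 (this example's interpretation of the fallback rule); the sample row is constructed, and reading the .xlsx into dicts is left to the caller.

```python
from datetime import datetime, timedelta, timezone
import json, uuid
# Added example (not SecMaster code): pre-flight checks for one row of the alert import template.
MANDATORY = ("alert_type", "environment", "data_source", "workspace_id", "arrive_time",
             "description", "create_time", "severity", "count", "handle_status",
             "first_observed_time", "verification_state", "id", "version",
             "domain_id", "title", "region_id")
ENUMS = {"severity": {"Tips", "Low", "Medium", "High", "Fatal"},
         "handle_status": {"Open", "Block", "Closed"},
         "verification_state": {"Unknown", "True_Positive", "False_Positive"},
         "close_reason": {"False detection", "Resolved", "Repeated", "Other"}}
MAX_LEN = {"ref_order_id": 128, "origin_id": 128, "description": 1024, "title": 255, "id": 36}
DEFAULT_TZ = timezone(timedelta(hours=8))  # template fallback when the time zone cannot be parsed

def parse_timestamp(value):
    """Parse 'YYYY-MM-DDTHH:mm:ss.ms+Time zone'; a value with no offset is read as GMT+8."""
    ts = datetime.fromisoformat(str(value))
    return ts if ts.tzinfo else ts.replace(tzinfo=DEFAULT_TZ)

# Columns that must parse: Timestamp columns, Object columns (filled in as JSON text), and the UUID id.
PARSERS = {**dict.fromkeys(("arrive_time", "create_time", "close_time", "update_time",
                            "first_observed_time", "last_observed_time"), parse_timestamp),
           **dict.fromkeys(("alert_type", "data_source", "environment"), json.loads), "id": uuid.UUID}

def validate_row(row):
    """Return the problems found in one row (dict of column -> cell value); [] means importable."""
    problems = [f"{k}: mandatory field missing" for k in MANDATORY if row.get(k) in (None, "")]
    problems += [f"{k}: {row[k]!r} not in {sorted(v)}" for k, v in ENUMS.items()
                 if k in row and row[k] not in v]
    problems += [f"{k}: longer than {n} characters" for k, n in MAX_LEN.items()
                 if k in row and len(str(row[k])) > n]
    problems += [f"{k}: {row[k]!r} is not an integer in 0-100" for k in ("confidence", "criticality")
                 if k in row and not (str(row[k]).isdigit() and 0 <= int(row[k]) <= 100)]
    for k, parse in PARSERS.items():
        if k in row:
            try:
                parse(str(row[k]))
            except ValueError:  # json.JSONDecodeError is a ValueError as well
                problems.append(f"{k}: {row[k]!r} cannot be parsed")
    return problems

# Constructed sample row; every value is made up for this example.
SAMPLE_ROW = {"id": "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "version": "1.0", "title": "Demo alert",
              "description": "SSH brute force from an internal host", "severity": "High", "count": 3,
              "handle_status": "Open", "verification_state": "Unknown", "workspace_id": "ws-demo",
              "domain_id": "dom-demo", "region_id": "region-demo", "environment": "{}",
              "alert_type": '{"id":"demo","alert_type":"demo"}', "data_source": '{"product_name":"demo"}',
              "arrive_time": "2023-10-31T08:00:00.000+08:00", "create_time": "2023-10-31T08:00:00.000+08:00",
              "first_observed_time": "2023-10-31T07:59:00.000"}  # no offset: read as GMT+8
```

Run validate_row over every row of the sheet and fix the reported cells before clicking Import; an empty list for every row means the file satisfies the rules in Table 1.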

Exporting Alerts

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 3 Management

  4. In the navigation pane on the left, choose Threat Operations > Alerts.

    Figure 4 Alerts

  5. In the alert list, select the alerts you want to export and click in the upper right corner of the list.
  6. In the Export dialog box, set parameters.

    Table 2 Exporting alerts

    Parameter | Description
    Format | By default, the alert list is exported as an Excel file.
    Columns | Select the indicator parameters to be exported.

  7. Click OK.

    The system automatically downloads the Excel file to your local PC.