Alerts¶
In ACE an alert is a root analysis object that satisfies one of the two following conditions.
- It was submitted to ACE in
correlationanalysis mode. - It was promoted during analysis when one or more detection points were added.
Alerts show up to the analysts in the GUI for review. Analysts review the alerts and set the disposition accordingly.
Lifetime of an Alert¶
The lifetime of an alert depends on a combination of the disposition it receives and configuration settings.
- Alerts set to IGNORE are deleted entirely from the system after a number of days as defined by the
ignore_daysconfiguration option in the[global]section. - Alerts set to FALSE POSITIVE are archived after a number of days as defined by the
fp_daysconfiguration option in the[global]section.
Archived Alerts¶
Alerts that are archived have the following actions taken.
- All external files are deleted.
- All analysis details are deleted. Only the summary is left.