In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.
You can follow the following recommendations:
Under Qualifying, select Find related alerts by host name. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Update source column. The host name or IP address from the alert you are working on is highlighted in yellow.
Under Qualifying, select Find related alerts by URL. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the URL. The URL from the alert you are working on is highlighted in yellow.
Under Qualifying, select Add to exceptions.
This opens the Add IDS rule to exceptions window. If you want to add an IDS rule that was used to create the alert to exclusions, enter a comment in the Description field and click Add server.
The IDS rule is added to exclusions and is displayed in the exclusion list in the Program settings section, White lists subsection on the IDS exceptions in the program web interface.
Under Investigation, select Find related events by URL. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the search filter is configured to use the URI from the alert you are working on.
Under Investigation, select Find related events by host name. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the search filter is configured to use the RemoteIP from the alert you are working on.
In the Investigation section, click Download IDS artifact to download the file with alert data.
In the Investigation section, click Download PCAP file to download the file with intercepted traffic data.