Linking events to alerts

May 15, 2024

ID 270448

If, during an investigation, you find an event that is related to the alert being investigated, you can link this event to the alert manually.

You can link an event to an alert that has any status other than Closed.

To link an event to an alert:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. In the list of alerts, click the link with the ID of the alert to which you want to link the event.

    The Alert details window opens.

  3. Go to the Details section, and then click the Find in Threat hunting button.

    The Threat hunting section opens. By default, the event table contains events related to the selected alert.

    The event table contains only events related to tenants that you have access to.

  4. In the upper part of the window, open the first drop-down list, and then select Storage.
  5. Open the third drop-down list, and then specify the time range.

    You can select predefined ranges relative to the current date and time, or specify a custom range either by using the Range start and Range end fields or by selecting dates in the calendar.

  6. Click the Run query button.
  7. In the updated list of events, select an event that you want to link to the alert, and then click Link to alert.

The selected events are linked to the alert.
