Threat detection: How to triage threat alerts
This article describes how to triage threat alerts in your environment using Cayosoft Guardian.
The Threat Detection feature comprises several key components:
- Dashboard: Offers a comprehensive overview of threat activities, including recent alerts, their statuses, and remediation progress.
- Threat Alerts: Displays a list of detected threats, allowing users to view details, filter, export, and manage alerts.
- Threat Definitions: Contains the criteria and rules that define what constitutes a threat, enabling customization and management of detection parameters.
- Jobs: Displays all configured and executed jobs related to threat detection, including scheduled scans and summary report generation.
- Reports: Provides access to all generated threat detection reports, including summary reports and alert exports. Users can filter, search, download, and export reports in various formats such as HTML and CSV.
To detect issues and raise threat alerts, initiate a threat detection job.
Threat Alert states
Each threat alert progresses through various states:
- Open: The default state when an alert is generated.
- Resolved: Indicates that the issue has been addressed and fixed in the connected managed system.
- Dismissed: Used when the issue is acknowledged but deemed not to require action, or if it no longer exists in the environment.
How to filter and export threat alerts
The Threat Alerts interface in Cayosoft Guardian includes dynamic filtering and export capabilities to help users quickly locate and extract relevant threat data for review, reporting, or remediation planning.
Users can narrow down the list of threat alerts using a combination of:
- All open threat alerts – Quickly toggle between alert views such as "All open", "All dismissed", or "All alerts" to limit the scope of what’s displayed.
- Search – Use the keyword search to filter alerts by matching terms in fields like the alert title, object name, or definition.
- When – Filter alerts based on the date and time they were detected. This is useful for viewing alerts raised within a specific time frame.
- Severity – Filter alerts by threat severity level. For more information, see Defining threat detection.
- Remediation complexity – Filter by effort level required to remediate. For more information, see Defining threat detection.
- Status – Filter alerts by current state (Open, Resolved, Dismissed).
- Time – Filter by detection date.
- More filters (⋯) – Click to open additional filters:
- Subject – Filter by the account or identity that initiated the threat-related action.
- Where – Filter by the system path or organizational unit affected (e.g., cayo.com/Users).
- Threat Definition – Filter by the specific rule or detection logic that triggered the alert.
- Object Type – Filter based on the type of object impacted (e.g., user, group).
- What – Filter by the name or label of the affected object.
- Advanced – Opens further filtering options.
The Export button downloads the currently visible (filtered) set of threat alerts. Alerts can be exported in HTML, CSV, or JSON format.
All filters can be used in combination, and results update in real time as users apply or clear criteria.
How to resolve threat alerts
- Open the Cayosoft Guardian web portal.
- Expand the Threat Detection node.
- Select Threat Alerts.
- Select an alert to be resolved.
- Double click or click Properties.
- Click Remediate, then click Resolve alert. The Resolve threat pop-up appears.
- Follow Remediation advice to resolve an issue in your environment.
- Click OK to confirm that the issue has been resolved.
How to dismiss a threat alert
- Open the Cayosoft Guardian web portal.
- Expand the Threat Detection node.
- Select Threat Alerts.
- Select an alert to be dismissed.
- Double click or click Properties.
- Click Dismiss.
- Click Yes to confirm.
NOTE: Properties is disabled if more than one alert is selected. To dismiss several alerts at once:
- Open the Cayosoft Guardian web portal.
- Expand the Threat Detection node.
- Select Threat Alerts.
- Select alerts to be dismissed.
- Click the Dismiss drop-down and choose Dismiss all.
- Click Yes to confirm.
IMPORTANT: Dismissed threats may reappear if the underlying issue has not been resolved or the threat has not been excluded. To prevent recurrence, either resolve the threat or configure an exclusion. For more information, see How to exclude multiple threat alerts.
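The filter and export capabilities above, together with the warning that dismissed threats reappear until the issue is resolved or excluded, can be combined in an offline triage pass over an exported alert list. The script below is an added example and is not code from Cayosoft Guardian or its documentation. It parses a constructed CSV export whose column names mirror the filter fields named in this article (When, Severity, Remediation complexity, Status, Subject, Where, Threat Definition, Object Type, What); the exact header names, the timestamp format, and the severity ladder are assumptions, so adjust them to match a real export. It applies the same kinds of filters the portal offers and then flags objects for which a Dismissed alert has been followed by a newer Open alert for the same definition, which is exactly the recurrence the IMPORTANT note describes.

```python
"""Offline triage of a Cayosoft Guardian threat-alert CSV export.

Added example; not part of Cayosoft Guardian. Column names, timestamp
format and severity ranking are assumptions about the export format.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export (not real data). Header names are assumed.
SAMPLE_EXPORT = """\
When,Severity,Remediation complexity,Status,Subject,Where,Threat Definition,Object Type,What
2024-05-01T08:15:00Z,High,Low,Dismissed,CAYO\\jsmith,cayo.com/Users,Password never expires,user,svc-backup
2024-05-03T09:40:00Z,High,Low,Open,CAYO\\jsmith,cayo.com/Users,Password never expires,user,svc-backup
2024-05-03T10:05:00Z,Critical,Medium,Open,CAYO\\admin,cayo.com/Groups,Unexpected Domain Admins member,group,Domain Admins
2024-04-20T12:00:00Z,Low,Low,Resolved,CAYO\\jsmith,cayo.com/Users,Stale account,user,tmp-contractor
2024-05-04T07:30:00Z,Medium,High,Open,CAYO\\svc-sync,cayo.com/Computers,Unconstrained delegation,computer,FS01
"""

# Assumed severity ladder; the alert states are the three the article defines.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
VALID_STATES = {"Open", "Resolved", "Dismissed"}
WHEN_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed export timestamp format (UTC)


def parse_when(value):
    """Parse an export timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(value, WHEN_FORMAT).replace(tzinfo=timezone.utc)


def parse_export(text):
    """Parse CSV export text into row dicts, rejecting unknown states."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["Status"] not in VALID_STATES:
            raise ValueError(f"unexpected alert state: {row['Status']!r}")
        if row["Severity"] not in SEVERITY_RANK:
            raise ValueError(f"unexpected severity: {row['Severity']!r}")
        row["When"] = parse_when(row["When"])
    return rows


def filter_alerts(rows, status=None, min_severity=None, since=None, where_prefix=None):
    """Apply the portal-style filters (Status, Severity, When, Where) in combination.

    `since` is a timestamp string in WHEN_FORMAT. Results are ordered with the
    most severe alerts first, oldest first within a severity.
    """
    since_dt = parse_when(since) if since else None
    selected = []
    for row in rows:
        if status and row["Status"] != status:
            continue
        if min_severity and SEVERITY_RANK[row["Severity"]] < SEVERITY_RANK[min_severity]:
            continue
        if since_dt and row["When"] < since_dt:
            continue
        if where_prefix and not row["Where"].startswith(where_prefix):
            continue
        selected.append(row)
    return sorted(selected, key=lambda r: (-SEVERITY_RANK[r["Severity"]], r["When"]))


def reappeared_after_dismissal(rows):
    """Return (definition, where, what) keys whose Dismissed alert was followed by a newer Open one.

    These are the cases the article warns about: dismissing hides the alert but
    the condition is still present, so the next detection job raises it again.
    """
    by_object = defaultdict(list)
    for row in rows:
        by_object[(row["Threat Definition"], row["Where"], row["What"])].append(row)
    flagged = []
    for key, alerts in by_object.items():
        last_dismissed = None
        for alert in sorted(alerts, key=lambda r: r["When"]):
            if alert["Status"] == "Dismissed":
                last_dismissed = alert["When"]
            elif alert["Status"] == "Open" and last_dismissed and alert["When"] > last_dismissed:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    alerts = parse_export(SAMPLE_EXPORT)
    for a in filter_alerts(alerts, status="Open", min_severity="High"):
        print(f"{a['Severity']:<8} {a['Threat Definition']:<32} {a['Where']}/{a['What']}")
    for definition, where, what in reappeared_after_dismissal(alerts):
        print(f"REAPPEARED after dismissal: {definition} on {where}/{what} (resolve or exclude it)")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; anything listed as reappeared after dismissal should be resolved or added to an exclusion list rather than dismissed a second time.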
How to exclude multiple threat alerts
- Open the Cayosoft Guardian web portal.
- Expand the Threat Detection node.
- Select Threat Alerts.
- Click on the filter icon and choose a saved query, or alternatively, create your own filter based upon your needs.
- Select the alerts you wish to exclude from the list.
- Click Exclude. An overview screen asks whether you want to mark the selected threat alerts as resolved. Click Yes to confirm.
NOTE: Excluding alerts suppresses future reporting of them; it does not remediate the underlying issue in the managed system.
How to add an object reported by a threat alert to an exclusion list
- Open the Cayosoft Guardian web portal.
- Expand the Threat Detection node.
- Select Threat Alerts.
- Select the alert whose target object you want to exclude.
- Double click or click Properties.
- Scroll to the bottom and select Resolved.
- Select Add target object to exclusion list.
- Click OK to confirm.
How to dismiss all related alerts
- Open the Cayosoft Guardian web portal.
- Expand the Threat Detection node.
- Select the Threat Definitions node.
- Select the threat definition whose alerts you want to dismiss, then double-click or click Properties.
- Open the Threat Alerts tab.
- To select all alerts, click the circle that appears when hovering.
- Click Dismiss or Dismiss all to dismiss the selected alerts.
- Confirm the selection by clicking Yes.
How to disable a threat definition
- Open the Cayosoft Guardian web portal.
- Expand the Threat Detection node.
- Select the Threat Definitions node.
- Select a threat definition to be disabled and double-click or click Properties.
- Open the Threat Alerts tab.
- Click Disable.
- Confirm the selection by clicking Yes.
How to enable a threat definition
- Open the Cayosoft Guardian web portal.
- Expand the Threat Detection node.
- Select the Threat Definitions node.
- Select a threat definition to be enabled and double-click or click Properties.
- Open the Threat Alerts tab.
- Click Enable.
- Confirm the selection by clicking Yes.