
Tripwire Alerts

All tripwire alerts – both test and real – will appear in the NodeZero Portal under Tripwires > Tripwire Alerts.

Test alerts are clearly labeled as such in the Portal, email notifications, and webhook events.

Alert Contents

Any potentially malicious activity that NodeZero detects on a tripwire will trigger an alert. Each alert includes detailed information about:

  • The actor involved.
  • The specific activity detected.
  • Relevant tripwire details to assist incident responders in taking swift and informed action.

If there are any unread alerts, a red dot will appear next to Tripwires in the top navigation and Alerts in the sub-navigation. You can mark an alert as read by clicking the Mark as Read button on each individual alert.

Timestamp Offsets

While NodeZero generates an alert as soon as it detects activity on a tripwire, there may be a slight difference between the Tripped On timestamp and the alert timestamp. This is due to the multiple detection methods NodeZero uses, some of which may take a bit more time.

Consolidated Alerts

NodeZero will generate one alert per tripwire per asset, even if an attacker takes multiple actions on the same tripwire in a short period. This is designed to reduce alert noise and to avoid overwhelming your team with redundant notifications.