Explore Alerts and Hot Stories

Both Alerts and Hot Stories appear in your SOC Queue, which is your go-to work queue to manage and control critical security incidents. Alerts and hot stories are designed to be assigned to a team member, worked on, and resolved, much like a standard IT ticket.

[Image: SOC Queue]

💡Before you continue

  • Read this article to learn more about Alerts and Hot Stories.

  • Read this article to learn which leads become alerts and why.

View Alerts and Hot Stories

To view Alerts and/or Hot Stories:

  1. From the Hunters menu, navigate to the SOC Queue page.

  2. Switch between Alerts and Hot Stories using the toggle at the top of the page.

💡 Switch to Clusters

When triaging Alerts, you can toggle between viewing alerts as separate unclustered leads or as aggregated lead clusters by turning the Cluster similar leads toggle on or off.


Working with threat clustering improves your efficiency and reduces time spent on triage and investigation.


Learn more about working with clusters here.

📘Multi-Tenant SOC Queue

Multi-tenant and MSSP users can view a unified SOC Queue that displays alerts from all of your tenants in one queue. The unified queue minimizes context switching, so you can work on the highest-risk incident first instead of reviewing customers one by one.

[Image: Hunters tenant selection]

Filter and sort the queue

📘Note

The SOC Queue is filtered by default to show only alerts in Open and WIP statuses from the last 7 days. Alerts are sorted by Risk, showing alerts with a higher risk first, while Hot Stories are sorted by Score, showing hot stories with the highest score first.

Filter

To filter the Alerts/Hot Stories in the SOC Queue, use the filters above the table. You can filter by assignee, risk, data source, detector, and more.

To filter the SOC Queue:

  1. From the filters bar, click the + sign to add a new filter.

  2. Select the required filter.

  3. Select the value by which to filter the SOC Queue.

  4. Once done, click Apply.

Sort

You can sort the Alerts/Hot Stories in the SOC Queue by clicking on a sortable column header.

💡Tip

You can expand the SOC Queue results view by clicking Hide dashboard from the upper part of the page.


Create and manage tabs

⚠️Attention

Using tabs is contingent on your assigned role.


Learn more here.

Tabs allow you to personalize your incident management experience by saving SOC Queue views that display only the data relevant to you and to your team's internal processes. Shared tabs keep team members aligned and working from the same view.

The SOC Queue opens with two pinned default tabs:

  • Open Alerts - Displays alerts in status Open or WIP.

  • My Alerts - Displays alerts in status Open or WIP that are assigned to you.
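The note under "Filter and sort the queue" and the two default tabs above describe the same thing: a saved view is a set of filters (status, time window, assignee) plus a sort order (Risk for alerts, Score for hot stories). The following is an added example, not Hunters code, that models those views over a handful of constructed alerts and hot stories so you can see which items survive the default filter and in what order. The record fields (alert_id, status, risk, assignee, created_at, score) and the idea that hot stories share the alerts' default status and 7-day filter are assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Field names below are assumptions for this example, not Hunters' data model.
@dataclass(frozen=True)
class Alert:
    alert_id: str
    status: str               # e.g. Open, WIP, Closed
    risk: int                 # higher risk is triaged first
    assignee: Optional[str]   # None = unassigned
    detector: str
    created_at: datetime


@dataclass(frozen=True)
class HotStory:
    story_id: str
    status: str
    score: int                # higher score is triaged first
    created_at: datetime


Predicate = Callable[[object], bool]
OPEN_STATUSES = frozenset({"Open", "WIP"})
DEFAULT_WINDOW = timedelta(days=7)


@dataclass
class Tab:
    """A saved SOC Queue view: filters ANDed together, then one sort key."""
    name: str
    filters: list[Predicate] = field(default_factory=list)
    sort_key: Callable[[object], int] = lambda item: 0
    descending: bool = True

    def apply(self, items):
        kept = [item for item in items if all(f(item) for f in self.filters)]
        # sorted() is stable, so equal risk/score keeps input order.
        return sorted(kept, key=self.sort_key, reverse=self.descending)


# Reusable filter builders mirroring the UI filters.
def status_in(statuses) -> Predicate:
    return lambda item: item.status in statuses


def created_within(now: datetime, window: timedelta) -> Predicate:
    cutoff = now - window
    return lambda item: item.created_at >= cutoff


def assigned_to(user: str) -> Predicate:
    return lambda item: item.assignee == user


def open_alerts_tab(now: datetime) -> Tab:
    """Pinned 'Open Alerts' tab: Open/WIP, last 7 days, highest Risk first."""
    return Tab("Open Alerts",
               [status_in(OPEN_STATUSES), created_within(now, DEFAULT_WINDOW)],
               sort_key=lambda a: a.risk)


def my_alerts_tab(now: datetime, user: str) -> Tab:
    """Pinned 'My Alerts' tab: the Open Alerts view narrowed to one assignee."""
    tab = open_alerts_tab(now)
    return Tab("My Alerts", tab.filters + [assigned_to(user)], sort_key=tab.sort_key)


def hot_stories_tab(now: datetime) -> Tab:
    """Hot Stories view: assumed to share the default filter, sorted by Score."""
    return Tab("Hot Stories",
               [status_in(OPEN_STATUSES), created_within(now, DEFAULT_WINDOW)],
               sort_key=lambda s: s.score)


# Constructed sample data with a fixed clock so results are deterministic.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("A-1", "Open", 70, "alice", "Suspicious PowerShell", NOW - timedelta(days=1)),
    Alert("A-2", "WIP", 95, "bob", "Credential dumping", NOW - timedelta(days=2)),
    Alert("A-3", "Closed", 99, "alice", "Malware beacon", NOW - timedelta(days=1)),   # dropped: status
    Alert("A-4", "Open", 80, None, "Brute force", NOW - timedelta(days=10)),          # dropped: older than 7 days
    Alert("A-5", "WIP", 40, "alice", "Anomalous login", NOW - timedelta(days=3)),
]
SAMPLE_STORIES = [
    HotStory("HS-1", "Open", 55, NOW - timedelta(days=2)),
    HotStory("HS-2", "WIP", 88, NOW - timedelta(days=1)),
    HotStory("HS-3", "Open", 70, NOW - timedelta(days=9)),                            # dropped: older than 7 days
]


def queue_ids(tab: Tab, items) -> list[str]:
    """Return the IDs of the items shown by a tab, in queue order."""
    return [getattr(i, "alert_id", None) or i.story_id for i in tab.apply(items)]


if __name__ == "__main__":
    print("Open Alerts:", queue_ids(open_alerts_tab(NOW), SAMPLE_ALERTS))
    print("My Alerts (alice):", queue_ids(my_alerts_tab(NOW, "alice"), SAMPLE_ALERTS))
    print("Hot Stories:", queue_ids(hot_stories_tab(NOW), SAMPLE_STORIES))
```

Note that A-3 has the highest risk but never reaches the queue because it is Closed, and A-4 is excluded by the 7-day window rather than by risk; when you build a tab for an investigation that spans older alerts, widen the time filter explicitly rather than relying on the default.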

Create a new tab

To create a new tab:

  1. Click the icon from the tabs bar and then click + Create New Tab.

  2. Name your new tab.

  3. Filter and sort the queue items and click Apply to see the results of the selected filters.

  4. Click Save as default to save the tab.

Share a tab

Once your tab is created you can share it with other team members.

To share a tab:

  1. Click the options icon of the tab you want to share and then click Share Tab.

    A confirmation message opens.

  2. Click Share Tab to approve the action.

    Your tab is now shared and other team members can add it to their SOC Queue.

Add a shared tab

You can browse a list of shared tabs which other team members created and shared, and decide whether to add them to your SOC Queue tabs.

  1. Click the icon from the tabs bar and then click Shared Tabs.


    The Shared Tabs window opens, showing all tabs shared by your team members.

  2. Locate the tab you want to add to your queue and click Add Tab.

    You’ll now see this tab in your SOC Queue.

💡Tip

You can distinguish between a shared tab and a personal tab through the shared tab icon.

Edit a tab

Tab editing is separated into two scenarios:

  • Editing a shared tab - Editing a shared tab is allowed only to permitted users and affects all users who have added the tab to their SOC Queue.

  • Editing a personal tab - Editing a personal tab affects your personal view alone.

💡Tip

You can rename a shared or personal tab, based on your permission level.

To edit a tab:

  1. Change the filtering options of the tab.

  2. Once done, click Apply to see the results of the selected filters.

  3. Click Save as default to save the changes.

💡Tip

If you want to edit a shared tab but don’t have the relevant permissions, you can duplicate the shared tab and make the changes to the duplicated instance.

Remove/delete a tab

It’s important to understand the difference between removing and deleting a tab:

  • Removing a tab - Available only if the tab is a shared tab that was added to your SOC Queue. Removing a tab only removes it from your view, but it will continue to be available to other team members. You can re-add the tab whenever you need it again.

  • Deleting a tab - Available for your personal tabs or for shared tabs if you have the relevant permission.

To remove/delete a tab:

Click the options icon of the tab you want to remove/delete and then click Remove Tab or Delete Tab.

Manage shared tabs

With the proper permissions, you can manage your team’s shared tabs in one place - the Shared Tabs window.

Use the Shared Tabs window to:

  • Keep track of your team's list of shared tabs.

  • Learn who edited the shared tabs and when.

  • Add shared tabs to your SOC Queue.

  • Rename shared tabs.

  • Delete shared tabs.