---
title: Manage detection alerts
description: Filter, triage, and take actions on detection alerts from the Alerts page.
url: https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/manage-detection-alerts
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Manage detection alerts
The Alerts page is your central hub for triaging and investigating detection alerts. Filter alerts to focus on what matters, change statuses to track progress, and take actions to investigate or respond.
<agent-skill url="https://github.com/elastic/agent-skills/tree/main/skills/security/alert-triage">
  A skill is available to help AI agents with this topic.
</agent-skill>

![Alerts page overview](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/images/security-alert-page.png)


## Quick reference


| Task                    | How to do it                                                                              |
|-------------------------|-------------------------------------------------------------------------------------------|
| View alert details      | Click the **View details** icon `expand` in the Alerts table                              |
| Filter by rule          | Use KQL: `kibana.alert.rule.name: "Rule Name"`                                            |
| Filter by time          | Use the date/time picker (default: last 24 hours)                                         |
| Change alert status     | Click the **More actions** icon `boxes_horizontal` > select status, or use bulk selection |
| Add to case             | Click the **More actions** icon `boxes_horizontal` > **Add to case**                      |
| Investigate in Timeline | Click **Investigate in timeline** icon `timeline`                                         |
| Add exception           | Click the **More actions** icon `boxes_horizontal` > **Add exception**                    |


## Filter alerts


| Filter method         | Description                                                                                                                                                                                       |
|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| KQL search            | Enter queries like `kibana.alert.rule.name: "SSH from the Internet"`. Autocomplete is available for `.alerts-security.alerts-*` indices.                                                          |
| Date/time picker      | Set a specific time range (default: last 24 hours).                                                                                                                                               |
| Drop-down controls    | Filter by status, severity, user, host, or [custom fields](#drop-down-filter-controls).                                                                                                           |
| Additional filters    | Include [building block alerts](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/about-building-block-rules) or show only indicator match rule alerts.   |
| Visualization section | Group and visualize alerts by field. Refer to [Visualize detection alerts](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/visualize-detection-alerts). |


### Inline actions

Hover over any value in the Alerts table to see inline actions. Click the expand icon for more options:

| Action            | Description                                       |
|-------------------|---------------------------------------------------|
| Filter for value  | Add the value as a filter                         |
| Filter out value  | Exclude the value                                 |
| Show top *x*      | View most common values                           |
| Add to timeline   | Add the field value to Timeline for investigation |
| Copy to clipboard | Copy the value                                    |

![Inline additional actions menu](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/images/security-inline-actions-menu.png)


### View rule-specific alerts

Go to **Rules** > **Detection rules (SIEM)**, then select a rule name. The rule details page shows all alerts from that rule, including alerts from previous rule revisions.

## Edit drop-down filter controls

Customize the filter controls above the Alerts table. By default, you can filter by **Status**, **Severity**, **User**, and **Host**.

![Alerts page with drop-down controls highlighted](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/images/security-alert-page-dropdown-controls.png)


| Action        | How to do it                                                  |
|---------------|---------------------------------------------------------------|
| Edit controls | Click `boxes_horizontal` next to controls > **Edit Controls** |
| Reorder       | Drag controls by their handle                                 |
| Remove        | Hover over control > click **Remove control**                 |
| Add           | Click **Add Controls** (maximum 4)                            |
| Save changes  | Click **Save pending changes**                                |

<note>
  - The **Status** control cannot be removed.
  - Changes are saved in your browser's local storage, not your user profile.
</note>


## Group alerts

Group alerts by up to three fields, such as rule name, host, user, source IP, or custom fields. Groups nest in the order you select them.

![Alerts table with Group alerts by drop-down](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/images/security-group-alerts.png)


| Action               | How to do it                                 |
|----------------------|----------------------------------------------|
| Group alerts         | Click **Group alerts by** > select field(s)  |
| Expand a group       | Click the group name or expand icon          |
| Bulk action on group | Click **Take actions** menu on the group row |


## Customize the Alerts table


### Toolbar options


| Button      | Function                                                                                                                                                                          |
|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Columns     | Reorder columns                                                                                                                                                                   |
| Sort fields | Sort by one or more columns                                                                                                                                                       |
| Fields      | Add or remove fields (including [runtime fields](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/get-started/create-runtime-fields-in-elastic-security)) |
| Full screen | Expand table to full screen                                                                                                                                                       |

![Alerts table with toolbar buttons highlighted](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/images/security-alert-table-toolbar-buttons.png)


### View modes


| Mode                | Description                                                                                                                  |
|---------------------|------------------------------------------------------------------------------------------------------------------------------|
| Grid view           | Traditional table with columns for each field. Click the expand icon in the **Reason** column to see rendered alert details. |
| Event rendered view | Descriptive event flow showing relevant context.                                                                             |

![Alerts table with the Event rendered view enabled](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/images/security-event-rendered-view.png)


## Take actions on an alert

Access actions from the **More actions** (**…**) menu in the Alerts table, or from **Take action** in the alert details flyout.

| Action                                                                                                                                                                          | Description                                                     |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|
| [Change status](#detection-alert-status)                                                                                                                                        | Mark as open, acknowledged, or closed                           |
| [Add to case](https://www.elastic.co/elastic/docs-builder/docs/3016/explore-analyze/cases/attach-objects-to-cases)                                                              | Attach alert to a new or existing case                          |
| <applies-to>Elastic Stack: Planned</applies-to> <applies-to>Elastic Cloud Serverless: Generally available</applies-to> [Run a workflow from an alert](#run-workflow-from-alert) | Run an Elastic workflow for on-demand response or investigation |
| [Add rule exception](#add-exception-from-alerts)                                                                                                                                | Prevent rule from generating similar alerts                     |
| [Add Elastic Endpoint exception](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/add-manage-exceptions#endpoint-rule-exceptions)                            | Prevent Elastic Endpoint alerts for specific conditions         |
| [Apply alert tags](#apply-alert-tags)                                                                                                                                           | Categorize alerts for filtering                                 |
| [Assign users](#assign-users-to-alerts)                                                                                                                                         | Assign analysts to investigate                                  |
| [Investigate in Timeline](#signals-to-timelines)                                                                                                                                | Open alert in Timeline for analysis                             |
| [Analyze process tree](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/investigate/visual-event-analyzer)                                              | Visualize process relationships                                 |
| [Isolate host](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/endpoint-response-actions/isolate-host)                                                 | Isolate the alert's host from the network                       |
| [Run Osquery](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/investigate/run-osquery-from-alerts)                                                     | Query the host for additional context                           |
| [Response actions](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/endpoint-response-actions)                                                          | Execute response actions on the host                            |


### Change alert status

Alert statuses track investigation progress:

| Status       | Meaning                            |
|--------------|------------------------------------|
| Open         | Needs investigation (default view) |
| Acknowledged | Under active investigation         |
| Closed       | Resolved                           |

**To change status:**

| Scope           | How to do it                                             |
|-----------------|----------------------------------------------------------|
| Single alert    | **More actions** icon `boxes_horizontal` > select status |
| Multiple alerts | Select alerts > **Selected *x* alerts** > select status  |
| Grouped alerts  | **Take actions** menu on group row > select status       |
| From flyout     | **Take action** > select status                          |

![Bulk action menu with multiple alerts selected](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/images/security-alert-change-status.png)


#### Closing reasons

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available since 9.2
</applies-to>

When closing alerts, you can specify a reason:

| Reason               | Use when                                    |
|----------------------|---------------------------------------------|
| Close without reason | No specific categorization needed           |
| Duplicate            | Alert duplicates another alert              |
| False positive       | Normal activity, not a security issue       |
| True positive        | Real incident that's been resolved          |
| Benign positive      | Real activity but acceptable/not actionable |
| Other                | Other reasons                               |

<tip applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
  You can add your own closing reason options by updating the `securitySolution:alertCloseReasons` advanced setting. Refer to [Add custom alert closing reasons](/elastic/docs-builder/docs/3016/solutions/security/get-started/configure-advanced-settings#custom-alert-closing-reasons) for more information.
</tip>

The closing reason is stored in `kibana.alert.workflow_reason` and can be used for filtering. Reopening an alert removes this field.

### Run a workflow from an alert

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Planned
</applies-to>

You can run an [Elastic workflow](https://www.elastic.co/elastic/docs-builder/docs/3016/explore-analyze/workflows) directly from an alert to trigger an on-demand response or investigation. To use this feature, make sure you meet the [workflows prerequisites](/elastic/docs-builder/docs/3016/explore-analyze/workflows/get-started#workflows-prerequisites).
To run a workflow on an individual alert, do one of the following:
- In the Alerts table, click **More actions** (`boxes_vertical`) in an alert's row, then click **Run workflow**. Use the search bar to select a workflow, then click **Run workflow**.
- In an alert's details flyout, click **Take action → Run workflow**. Use the search bar to select a workflow, then click **Run workflow**.

<note>
  You can select only enabled workflows.
</note>

To run a workflow on multiple alerts, select the alerts, then click **Selected *x* alerts** at the upper-left above the table. Click **Run workflow**, select a workflow, then click **Run workflow**.

### Apply alert tags

Tags help organize alerts into filterable categories.

| Task                | How to do it                                                                                                                                           |
|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
| Tag single alert    | **More actions** icon `boxes_horizontal` > **Apply alert tags**                                                                                        |
| Tag multiple alerts | Select alerts > **Selected *x* alerts** > **Apply alert tags**                                                                                         |
| Tag from flyout     | **Take action** > **Apply alert tags**                                                                                                                 |
| Filter by tag       | KQL: `kibana.alert.workflow_tags: "False Positive"`                                                                                                    |
| Show tags column    | **Fields** > add `kibana.alert.workflow_tags`                                                                                                          |
| Manage tag options  | [Configure `securitySolution:alertTags`](/elastic/docs-builder/docs/3016/solutions/security/get-started/configure-advanced-settings#manage-alert-tags) |

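The following KQL queries are an added example, not part of the Elastic documentation, that combine the alert fields this page names into search-bar filters: the first narrows to open high or critical alerts that nobody has tagged as a false positive, the second lists closed alerts that carry a closing reason (reopening removes the field, so it should never match an open alert), and the third finds alerts from one rule that have no assignee. The rule name is a placeholder reused from the filter example above, and the closing-reason query tests only for the field's presence because the stored value for each reason is not listed on this page.

```kql
kibana.alert.workflow_status: "open" and kibana.alert.severity: ("high" or "critical") and not kibana.alert.workflow_tags: "False Positive"

kibana.alert.workflow_status: "closed" and kibana.alert.workflow_reason: *

kibana.alert.rule.name: "SSH from the Internet" and not kibana.alert.workflow_assignee_ids: *
```

Each query is entered on its own in the KQL bar; the `Status` drop-down control is applied on top of the query, so set it to match the `kibana.alert.workflow_status` clause or clear it.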

### Assign users to alerts

Assign analysts to alerts they should investigate.

<important>
  Users are not notified when assigned or unassigned.
</important>


| Task                      | How to do it                                                               |
|---------------------------|----------------------------------------------------------------------------|
| Assign to single alert    | **More actions** icon `boxes_horizontal` > **Assign alert** > select users |
| Assign to multiple alerts | Select alerts > **Selected *x* alerts** > **Assign alert**                 |
| Assign from flyout        | **Take action** > **Assign alert**, or click the assign icon at top        |
| Unassign all users        | **More actions** icon `boxes_horizontal` > **Unassign alert**              |
| Show assignees column     | **Fields** > add `kibana.alert.workflow_assignee_ids`                      |
| Filter by assignee        | Click **Assignees** filter above table                                     |

![Alert assignees in the Alerts table](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/images/security-alert-assigned-alerts.png)


### Add rule exception

Create an [exception](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/rule-exceptions) to prevent a rule from generating similar alerts.

| Location             | How to do it                                                 |
|----------------------|--------------------------------------------------------------|
| Alerts table         | **More actions** icon `boxes_horizontal` > **Add exception** |
| Alert details flyout | **Take action** > **Add rule exception**                     |


### Investigate in Timeline


| Scope           | How to do it                                                                                        |
|-----------------|-----------------------------------------------------------------------------------------------------|
| Single alert    | Click **Investigate in timeline** button in table, or **Take action** > **Investigate in timeline** |
| Multiple alerts | Select alerts (up to 2,000) > **Selected *x* alerts** > **Investigate in timeline**                 |

![Investigate in timeline button](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/images/security-timeline-button.png)

<tip>
  For [threshold rule](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/using-the-rule-ui) alerts, Timeline shows all matching events, not only those that crossed the threshold.
</tip>

If the rule uses a Timeline template, dropzone query values are replaced with the alert's actual field values.

## Clean up alerts

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Preview from 9.1 to 9.3
</applies-to>

Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by [running an alert cleanup task](/elastic/docs-builder/docs/3016/explore-analyze/alerting/alerts/view-alerts#clean-up-alerts), which deletes alerts according to the criteria that you define.