
Alerts

The Alerts section shows all alerts generated by domains connected to the SIEM.

By default, new alerts appear under “Open”. As they are handled, they can be moved to “In progress” or “Resolved”, so the status and history of each incident stay clear.

Alert management interface

The Alert Management panel is where each detected alert is analyzed and managed.

Inside this panel you can perform these actions:

Alert management panel actions

  • Change the alert title: rename it for more precise identification. If unchanged, the default title is kept.
  • Change alert status: select Open, In progress, or Resolved according to incident-handling progress.
  • Assign owner: change the assigned person and keep a record of who handled or resolved the alert.
  • General information: view technical details such as the affected domain, the attacker IP, and the full event payload, where all event data can be inspected. An example payload as shown in the panel:
    {
      "schema_version": "1.0",
      "event_version": "1.0",
      "event_uuid": "dce1076e-b472-4ce8-b960-6c389169a364",
      "site_id": "1064b1e1-7916-4d13-9cbd-ab86f6fb55ea",
      "domain": "http://localhost/wordpress/",
      "event_type": "suspicious_query",
      "severity": "critical",
      "occurred_at": "2025-10-13T14:17:35.009+00:00",
      "detected_at": "2025-10-13T14:17:35.009+00:00",
      "dedup_key": "1064b1e1-7916-4d13-9cbd-ab86f6fb55ea_suspicious_query_1760365055060",
      "summary": "Suspicious Query Detected: Code Execution",
      "description": "Code Execution attack attempt detected from IP 127.0.0.1 with 2 suspicious pattern(s)",
      "metrics": {},
      "source": {},
      "details": {
        "referrer": "None",
        "timestamp": "2025-10-13 14:17:33",
        "ip_address": "72.129.237.221",
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
        "attack_type": "Code Execution",
        "request_uri": "/wordpress/wp-login.php?loggedout=system(%22whoami%22)",
        "request_method": "GET",
        "suspicious_patterns": [
          {
            "type": "GET",
            "value": "system(\"whoami\")",
            "pattern": "system\\s*\\(",
            "parameter": "loggedout"
          },
          {
            "type": "URI",
            "value": "/wordpress/wp-login.php?loggedout=system(%22whoami%22)",
            "pattern": "system\\s*\\(",
            "parameter": "REQUEST_URI"
          }
        ]
      },
      "remediation": {
        "steps": [
          "Review alert details",
          "Take appropriate security measures"
        ],
        "summary": "Review and block suspicious database queries"
      },
      "ui": {
        "icon": "🗃️",
        "color": "#dc2626",
        "group": "Database"
      },
      "trace": {},
      "created_at": "2025-10-13T14:17:35.103978+00:00",
      "last_seen_at": "2025-10-13T14:17:35.103978+00:00",
      "id": "dce1076e-b472-4ce8-b960-6c389169a364",
      "count": 1,
      "status": "open",
      "resolved_at": null,
      "acknowledged_at": null,
      "resolved_by": null
    }

In Mitigation, you will find a quick-action button that lets you block the IP responsible for the alert directly, enabling immediate response to attack attempts or malicious activity.

Mitigation quick action button

The panel also includes a Resolution note field, where the person managing the alert can leave comments or document the resolution process.

This field records actions taken, technical observations, and decisions, keeping a clear and traceable history of how the incident was resolved.

Resolution notes section
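The panel actions described above (renaming the alert, moving it through Open, In progress and Resolved, assigning an owner, reading the attacker IP for the Mitigation quick action, and keeping resolution notes) as an added Python example. This is not the SIEM's own code and not taken from this page: the Alert class, the transition table, the status value in_progress and the note format are assumptions, and the sample event is a trimmed copy of the payload shown above. One caveat the sample itself illustrates: the free-text description names 127.0.0.1 while the structured details.ip_address holds 72.129.237.221, so any block action should read the structured field, as attacker_ip() does, rather than parse the description.

```python
import copy
import ipaddress
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a trimmed copy of the alert payload shown on this page.
SAMPLE_EVENT = json.loads(r'''
{
  "id": "dce1076e-b472-4ce8-b960-6c389169a364",
  "site_id": "1064b1e1-7916-4d13-9cbd-ab86f6fb55ea",
  "domain": "http://localhost/wordpress/",
  "event_type": "suspicious_query",
  "severity": "critical",
  "summary": "Suspicious Query Detected: Code Execution",
  "description": "Code Execution attack attempt detected from IP 127.0.0.1 with 2 suspicious pattern(s)",
  "details": {
    "ip_address": "72.129.237.221",
    "attack_type": "Code Execution",
    "request_uri": "/wordpress/wp-login.php?loggedout=system(%22whoami%22)",
    "request_method": "GET"
  },
  "count": 1,
  "status": "open",
  "resolved_at": null,
  "acknowledged_at": null,
  "resolved_by": null
}
''')

# Lifecycle described on the page: Open -> In progress -> Resolved.
# Hypothetical transition table; the product's own rules are not documented here.
ALLOWED_TRANSITIONS = {
    "open": {"in_progress", "resolved"},
    "in_progress": {"resolved"},
    "resolved": set(),
}


@dataclass
class Alert:
    raw: dict
    title: str
    status: str
    owner: Optional[str] = None
    notes: list = field(default_factory=list)

    @classmethod
    def from_event(cls, event: dict) -> "Alert":
        # Work on a copy so the original event record is never mutated.
        ev = copy.deepcopy(event)
        return cls(raw=ev, title=ev["summary"], status=ev["status"])

    def rename(self, new_title: str) -> str:
        # Page rule: if the title is left unchanged/blank, the default is kept.
        if new_title and new_title.strip():
            self.title = new_title.strip()
        return self.title

    def attacker_ip(self) -> str:
        # Use the structured field, not the IP quoted in the description text,
        # and validate it so a malformed value never reaches a blocklist.
        ip = self.raw["details"]["ip_address"]
        ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
        return ip

    def transition(self, new_status: str, actor: str, now: Optional[datetime] = None) -> str:
        # Enforce the lifecycle and stamp the timestamp/owner fields the payload carries.
        if new_status not in ALLOWED_TRANSITIONS[self.status]:
            raise ValueError(f"cannot move {self.status} -> {new_status}")
        now = now or datetime.now(timezone.utc)
        self.owner = actor
        if new_status == "in_progress":
            self.raw["acknowledged_at"] = now.isoformat()
        if new_status == "resolved":
            self.raw["resolved_at"] = now.isoformat()
            self.raw["resolved_by"] = actor
        self.status = new_status
        self.raw["status"] = new_status
        return self.status

    def add_note(self, actor: str, text: str, now: Optional[datetime] = None) -> int:
        # Resolution notes: who wrote what, and when, appended in order.
        now = now or datetime.now(timezone.utc)
        self.notes.append({"at": now.isoformat(), "by": actor, "text": text})
        return len(self.notes)


if __name__ == "__main__":
    alert = Alert.from_event(SAMPLE_EVENT)
    alert.rename("wp-login code execution probe")
    alert.transition("in_progress", "analyst1")
    alert.add_note("analyst1", f"blocked {alert.attacker_ip()} via Mitigation quick action")
    alert.transition("resolved", "analyst1")
    print(json.dumps({"title": alert.title, "status": alert.status,
                      "owner": alert.owner, "notes": alert.notes}, indent=2))
```

Running the module walks one alert from open to resolved and prints the resulting title, owner and notes; transition() refuses any move the table does not allow, so a resolved alert cannot silently be reopened without an explicit rule for it.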