Step-by-Step Guides
Analyst | Administrator · 30 min
What it's for
Composite flows that cross multiple Affinity modules from start to finish.
Admin onboarding: zero to CloudTrail logs (30–45 min)
- 1. MANAGEMENT → SECRETS → Add Secret → Create New Secret (AWS credentials).
- 2. INTEGRATIONS → New Integration.
- 3. Step Connection → S3 card → Next.
- 4. Step Integration → `CloudTrail` → Next.
- 5. Step Configure → bucket, prefix, region, secret, historical date → Next.
- 6. Step Review → validate S3 prefix → create integration.
- 7. From the list, open Pipeline flow.
- 8. In Start ingestion → Process / enqueue.
- 9. After Queued successfully → Open Logs.
- 10. Verify rows in the table.
Analyst: investigate a critical alert in 30 minutes
- 1. ALERTS → click Critical card.
- 2. Choose an alert → View Details.
- 3. In Alert Management, change `Status` to Investigating → Save Changes.
- 4. Click Execute Query (opens Logs with alert query).
- 5. Review results in Table View; export with Export Filtered Results if you need evidence.
- 6. (Optional) Select rows → Analytics → Send to IR for IOC Analysis.
- 7. In IR, Query Selected in Logs to expand search.
- 8. Return to alerts → mark Resolved or False Positive → assign `Owner` and `Resolved By` → Save Changes.
Admin: automatic Slack alert
- 1. NOTIFICATIONS → Add Channel → Slack type → webhook → enable.
- 2. DETECTION RULES → Add Rule.
- 3. Step Detection Logic → write SQL → test.
- 4. Step Rule Management → assign Slack channel → enable rule.
- 5. Step Basic Info / Details → severity `High` or `Critical`.
- 6. Step Review → Create Rule.
- 7. Verify in ALERTS when the engine detects matches.
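Step 3 of the Slack guide is where the rule itself is written and tested. The block below is an added example, not part of the original guide or of the Affinity product: it stands in a small set of constructed CloudTrail events and a detection query that flags successful calls which disable or alter the trail, plus any root-account console sign-in. The table name `cloudtrail_logs` and its column names are assumptions chosen to mirror the CloudTrail JSON fields; the product's real log schema may differ, so adapt the `SELECT` before pasting it into Detection Logic. Running the query locally against SQLite lets you check that it matches the events you expect and nothing else before the rule goes live.

```python
import json
import sqlite3

# Constructed sample CloudTrail events (not real log data). Two of them are
# the kind of activity a detection rule should flag; the others are noise or
# failed attempts used to confirm the rule does not over-match.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "errorCode": None},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": None},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "userName": None},
     "sourceIPAddress": "198.51.100.9", "errorCode": None},
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "DeleteTrail",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
]

# Assumed table layout for ingested CloudTrail rows. Column names follow the
# CloudTrail JSON field names; this is not the product's actual schema.
CREATE_TABLE = """
CREATE TABLE cloudtrail_logs (
    event_time TEXT, event_name TEXT, event_source TEXT,
    identity_type TEXT, user_name TEXT, source_ip TEXT, error_code TEXT
)"""

# Detection logic: successful API calls that stop, delete or reconfigure the
# trail, plus any console sign-in by the root account. Failed calls
# (error_code set) are excluded here; whether they should also alert is a
# tuning decision for the rule owner.
DETECTION_SQL = """
SELECT event_time, event_name, identity_type, user_name, source_ip
FROM cloudtrail_logs
WHERE error_code IS NULL
  AND (
        (event_source = 'cloudtrail.amazonaws.com'
         AND event_name IN ('StopLogging', 'DeleteTrail',
                            'UpdateTrail', 'PutEventSelectors'))
     OR (event_name = 'ConsoleLogin' AND identity_type = 'Root')
  )
ORDER BY event_time
"""

RESULT_COLUMNS = ["event_time", "event_name", "identity_type",
                  "user_name", "source_ip"]


def load_events(conn, events):
    """Flatten the nested CloudTrail JSON into the assumed table."""
    conn.execute(CREATE_TABLE)
    rows = [(e["eventTime"], e["eventName"], e["eventSource"],
             e["userIdentity"]["type"], e["userIdentity"].get("userName"),
             e["sourceIPAddress"], e.get("errorCode")) for e in events]
    conn.executemany("INSERT INTO cloudtrail_logs VALUES (?,?,?,?,?,?,?)", rows)


def run_detection(events=SAMPLE_EVENTS):
    """Run DETECTION_SQL over the given events and return matching rows."""
    conn = sqlite3.connect(":memory:")
    try:
        load_events(conn, events)
        return [dict(zip(RESULT_COLUMNS, row))
                for row in conn.execute(DETECTION_SQL)]
    finally:
        conn.close()


if __name__ == "__main__":
    # Against the sample data this prints the StopLogging call and the root
    # ConsoleLogin; the denied DeleteTrail and the read-only call are skipped.
    for match in run_detection():
        print(json.dumps(match))
```

Keep the benign and failed events in the test set on purpose: a rule that only ever sees true positives during testing tells you nothing about its false-positive rate once it is bound to a Slack channel with severity `High` or `Critical`.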