# How to read MDR results?

Security alerts detected on your endpoints and identities are listed in `MDR` > `Results`. Each alert in the table displays:

* Name: the alert rule that was triggered
* Criticality: Low, Medium, High, or Critical
* Host / User: the affected endpoint or identity
* Detection date: when the threat was first detected
* Status: Open or Closed

### Alert details

Click on any alert to open a side panel with full details.

The panel includes:

* Information: detection date, affected host or user, and a description of the alert when available.
* Status: whether the alert is Open or Closed, and its resolution (True Positive or False Positive) once closed.
* History: a timeline tracking the alert through its lifecycle (see below).
* Linked alerts: other alerts grouped in the same collection, if any.

### Alert history

The History section shows the key milestones of how the alert was handled:

| Step               | Meaning                                                                           |
| ------------------ | --------------------------------------------------------------------------------- |
| Alert creation     | The moment the threat was first detected by the EDR (CrowdStrike or SentinelOne). |
| Alert confirmation | When the alert was ingested and confirmed in the Stoïk system.                    |
| Alert processing   | When a SOC analyst started investigating the alert.                               |
| Alert closure      | When the alert was resolved and closed.                                           |

"Alert creation" and "Alert confirmation" are always shown. "Alert processing" and "Alert closure" appear as the alert progresses through its lifecycle.

Each step displays the exact date and time, with the most recent event at the top.
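The four milestones above, together with their exact timestamps, are enough to measure how quickly an alert moved through its lifecycle (detection to confirmation, confirmation to analyst pickup, pickup to closure) and to spot a history whose timestamps run backwards, which usually points at a clock or timezone problem on the exporting side. The following is an added example and not Stoïk's code: it assumes the History entries have been exported as `(step, ISO-8601 timestamp)` pairs, and the two sample histories are constructed for illustration.

```python
from datetime import datetime

# Milestones of the History section, in lifecycle order (from the table above).
LIFECYCLE = ("Alert creation", "Alert confirmation", "Alert processing", "Alert closure")

# Constructed sample histories (not real Stoïk data), listed newest first as the
# panel shows them: one alert that has been closed and one that is still Open.
CLOSED_ALERT_HISTORY = [
    ("Alert closure",      "2024-05-03T11:42:00"),
    ("Alert processing",   "2024-05-03T09:05:00"),
    ("Alert confirmation", "2024-05-03T08:32:00"),
    ("Alert creation",     "2024-05-03T08:30:00"),
]
OPEN_ALERT_HISTORY = [
    ("Alert confirmation", "2024-05-04T14:01:00"),
    ("Alert creation",     "2024-05-04T14:00:00"),
]


def parse_history(events):
    """Map each milestone to a datetime.

    Unknown step names are rejected so a typo in an export does not silently
    drop a milestone; creation and confirmation must be present (the page says
    they always are), while processing and closure are optional.
    """
    history = {}
    for step, stamp in events:
        if step not in LIFECYCLE:
            raise ValueError(f"unknown history step: {step!r}")
        history[step] = datetime.fromisoformat(stamp)
    for required in LIFECYCLE[:2]:
        if required not in history:
            raise ValueError(f"history is missing {required!r}")
    # Milestones that are present must be in chronological order.
    present = [s for s in LIFECYCLE if s in history]
    for earlier, later in zip(present, present[1:]):
        if history[later] < history[earlier]:
            raise ValueError(f"{later!r} is timestamped before {earlier!r}")
    return history


def newest_first(events):
    """Order events the way the side panel shows them: most recent at the top."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e[1]), reverse=True)


def is_closed(history):
    """An alert is Closed once the closure milestone exists."""
    return "Alert closure" in history


def lifecycle_durations(history):
    """Seconds between consecutive milestones; None where the next milestone
    has not been reached yet (alert still Open, or not yet picked up)."""
    def gap(start, end):
        if start in history and end in history:
            return int((history[end] - history[start]).total_seconds())
        return None

    return {
        "creation_to_confirmation": gap("Alert creation", "Alert confirmation"),
        "confirmation_to_processing": gap("Alert confirmation", "Alert processing"),
        "processing_to_closure": gap("Alert processing", "Alert closure"),
    }


if __name__ == "__main__":
    for label, events in (("closed", CLOSED_ALERT_HISTORY), ("open", OPEN_ALERT_HISTORY)):
        history = parse_history(events)
        print(label, "Closed" if is_closed(history) else "Open", lifecycle_durations(history))
        for step, stamp in newest_first(events):
            print("   ", stamp, step)
```

Durations are returned in seconds rather than as `timedelta` objects so they can be fed straight into whatever reporting you keep for acknowledgement and closure times; a `None` gap is the signal that the alert has simply not reached that milestone yet, not an error.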

### Analyst notes

Some alerts include notes written by Stoïk SOC analysts. These notes provide additional context on how the alert was investigated and resolved.

Each note displays:

* Author: shown as "Stoïk SOC Analyst" (individual analyst names are not disclosed)
* Timestamp: when the note was written
* Content: the analyst's observations, findings, or recommendations

Not all alerts will have analyst notes. They are added by the SOC team when additional context is relevant to help you understand the alert resolution.

### Email exchanges

Some alerts include email exchanges related to the alert handling. When available, these communications are displayed in the alert side panel, giving you the full context of how the alert was communicated and resolved.

The Email exchanges section only appears when there are related emails. If none exist, the section will not be displayed.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stoik.io/stoik-mdr/how-to-read-mdr-results.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
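The one practical detail the request above leaves implicit is that the question has to be percent-encoded before it goes into the query string: a space, a `?`, an `&` or an accented character such as the `ï` in Stoïk would otherwise be taken as part of the URL syntax rather than as part of the question. The snippet below is an added example, not Stoïk's code; it uses only the page URL and the `ask` parameter documented above, and since the page does not specify the response format it returns the body as text for the caller to read.

```python
import urllib.parse
import urllib.request

# The page URL documented above; the `ask` parameter is appended to it.
PAGE_URL = "https://docs.stoik.io/stoik-mdr/how-to-read-mdr-results.md"


def build_ask_url(question, page_url=PAGE_URL):
    """Return the page URL with the question as a percent-encoded `ask` parameter.

    urlencode() handles spaces, '?', '&', '=' and non-ASCII characters, so the
    question can be written in plain natural language as the page recommends.
    """
    question = " ".join(question.split())  # collapse stray whitespace/newlines
    if not question:
        raise ValueError("question must not be empty")
    return f"{page_url}?{urllib.parse.urlencode({'ask': question})}"


def ask(question, timeout=10):
    """Perform the GET request and return the response body as text.

    This is the only function here that touches the network; the response
    format is not specified on the page, so it is returned unparsed.
    """
    request = urllib.request.Request(build_ask_url(question), method="GET")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        charset = response.headers.get_content_charset() or "utf-8"
        return response.read().decode(charset)


if __name__ == "__main__":
    print(build_ask_url("What is the difference between Alert creation & Alert confirmation?"))
```

Keep each question self-contained (name the section or field you are asking about rather than relying on earlier questions), since every call is an independent GET with no conversation state.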
