Threat management

UTMStack monitors, collects, and correlates data to generate alerts based on predefined rules, and alerts you to potential security issues and vulnerabilities.

Alert Management

Introduction

This document describes the Threat Management module, which groups all alerts generated by the correlation engine. For more information about correlation engines, refer to <link>.

Alerts

The Alerts section under the Threat Management module groups all alerts detected by the multiple systems and correlation rules used by the application.

To open the Alerts window, follow the steps below:

  1. On the UTMStack home page, click Threat Management.

A drop-down list opens.

  2. Select Alerts.

The Alerts window opens, as shown below.


Figure 1: Manage Alert Window

Understanding Alerts Module

Alerts is an interactive module where you manage alerts using filters, rules, tags, and other features. To better understand the Alerts module, refer to Figure 1, in which each area is highlighted with a different color and number.

Filters Pane

The Filters pane is present on the left-hand side of the Alerts window. In Figure 1, it has been highlighted in red and numbered as 1.

The Filters pane offers several ways to narrow down the alerts shown in the Alerts window, so you can quickly reach the alerts you need to see or investigate further. Figure 2 shows the Filters pane.


Figure 2: Filters Pane

Adding or Removing Filters in the Filters Section

In the Filters pane, you can filter alerts by Rule, Severity, Category, Sensor, or Tags. These are the default filters shown in the Filters pane; you can add more filters to it.

To add or remove filters in the Filters pane, follow the steps below:

  1. Click the configuration icon located at the top right-hand side of the Filters pane.

The Manage filters floating window opens, as shown in Figure 3.


Figure 3: Manage filters Window

  2. Select the desired filter in the list of Inactive filters.

The filter name is highlighted.

  3. Click the icon to add the selected filter to the Visible filters list.

The filter moves to the Visible filters list and appears in the Filters pane.

  4. (Optional) In the Visible filters section, change the order of filters by dragging and dropping them.

The filters appear in the same order in the Filters pane.

Using Various Filters in the Filters Section

You can filter alerts by Rule, Severity, Category, Sensor, or Tags. Also, you can add more filters to use, as explained in the above section.

For any filter, you can either scroll through its list of values or type a query in the Search in values field to find a specific value, as shown in Figure 4. Selecting a value restricts the alerts table to alerts that carry that value.


Figure 4: Filters and Search fields

Time Filters

Time filters restrict the alerts table to a specific time range. The Alerts module offers several preset ranges, for example alerts generated in the last 30 days, 7 days, 24 hours, or 1 hour, as well as a custom time range.
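The field filters and the time filters described above combine the way most alert consoles do: values selected within one filter are ORed, different filters are ANDed, and the chosen time range is applied on top. The following Python sketch is an added illustration of that behaviour over constructed alert records; it is not UTMStack code, and its field names, preset labels and sample alerts are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample alerts, not UTMStack data. The fields mirror the
# default filter pane: Rule, Severity, Category, Sensor, Tags.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ALERTS = [
    {"id": 1, "rule": "Brute force login", "severity": "High",
     "category": "Authentication", "sensor": "fw-01",
     "tags": ["reviewed"], "timestamp": NOW - timedelta(hours=2)},
    {"id": 2, "rule": "Brute force login", "severity": "Medium",
     "category": "Authentication", "sensor": "vpn-01",
     "tags": [], "timestamp": NOW - timedelta(days=3)},
    {"id": 3, "rule": "Malware detected", "severity": "High",
     "category": "Endpoint", "sensor": "edr-07",
     "tags": ["false-positive"], "timestamp": NOW - timedelta(days=10)},
    {"id": 4, "rule": "Port scan", "severity": "Low",
     "category": "Network", "sensor": "fw-01",
     "tags": ["reviewed", "escalated"], "timestamp": NOW - timedelta(days=40)},
    {"id": 5, "rule": "Privilege escalation", "severity": "High",
     "category": "Endpoint", "sensor": "edr-07",
     "tags": [], "timestamp": NOW - timedelta(minutes=30)},
]

# Preset relative ranges named on the page; labels here are assumed.
PRESETS = {
    "1h": timedelta(hours=1),
    "24h": timedelta(hours=24),
    "7d": timedelta(days=7),
    "30d": timedelta(days=30),
}


def resolve_range(preset=None, custom=None, now=NOW):
    """Turn a preset name or a (start, end) tuple into an inclusive window.
    Returns None when no time filter is in effect."""
    if preset is not None and custom is not None:
        raise ValueError("use either a preset or a custom range, not both")
    if preset is not None:
        if preset not in PRESETS:
            raise ValueError(f"unknown preset {preset!r}")
        return now - PRESETS[preset], now
    if custom is not None:
        start, end = custom
        if start > end:
            raise ValueError("custom range start is after its end")
        return start, end
    return None


def matches(alert, selected):
    """AND across filter fields, OR within a field's selected values.
    Tags is list-valued, so any selected tag present on the alert matches."""
    for field, wanted in selected.items():
        if not wanted:          # nothing selected in this filter: no restriction
            continue
        value = alert.get(field)
        if field == "tags":
            if not set(value or ()) & set(wanted):
                return False
        elif value not in wanted:
            return False
    return True


def filter_alerts(alerts, selected=None, preset=None, custom=None, now=NOW):
    """Return matching alerts, newest first, as an alerts table would list them."""
    window = resolve_range(preset, custom, now)
    out = []
    for alert in alerts:
        if window and not (window[0] <= alert["timestamp"] <= window[1]):
            continue
        if selected and not matches(alert, selected):
            continue
        out.append(alert)
    return sorted(out, key=lambda a: a["timestamp"], reverse=True)


def search_values(alerts, field, query):
    """Model of 'Search in values': the distinct values of one filter field
    that contain the query, compared case-insensitively."""
    q = query.lower()
    found = set()
    for alert in alerts:
        vals = alert.get(field)
        vals = vals if isinstance(vals, list) else [vals]
        found.update(v for v in vals if v and q in v.lower())
    return sorted(found)


def ids(alerts):
    """Helper for reading results: just the alert ids."""
    return [a["id"] for a in alerts]


if __name__ == "__main__":
    print(ids(filter_alerts(ALERTS, {"severity": {"High"}}, preset="30d")))
    print(search_values(ALERTS, "rule", "brute"))
```

Note the two edge cases the sketch handles: a filter with no values selected imposes no restriction rather than matching nothing, and a custom range whose start is after its end is rejected instead of silently returning an empty table, which is the usual reason an analyst "sees no alerts".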

To use the time filters, follow the steps below:

  1. Click the date icon located at the top of the alerts table.

A drop-down list opens.