An event is any change in your system; a log entry, for instance, represents an event that occurred.
An alert is a warning about the occurrence of events that match specific conditions. The IT team analyzes events (and alerts) to decide whether they represent malicious activity.
When you select Threat Management > Events, UTMStack displays the following page:
1. You can search and filter events using time ranges and other event attribute criteria. By default, the following filters are displayed:
Rule: The rule used to detect the event.
Severity: Returns events classified according to their severity level: Log, Low, Medium, and High. The severity levels are based on the following rules:
- Log: severity value equal to 0.
- Low Severity: severity values between 0.1 and 3.9.
- Medium Severity: severity values between 4 and 6.9.
- High Severity: severity values between 7 and 10.
Category: Based on the event type, such as information leak or web application attack. It indicates the urgency with which an event should be investigated.
Sensor: This filter allows you to select a deployed sensor from the list.
Tag: You can perform a query using one of the tags provided in this section as your search criteria.
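The severity bands and default filters described above, as an added Python example (not UTMStack code): `severity_level` maps a numeric severity to Log/Low/Medium/High, and `filter_events` applies the rule, severity, sensor, tag, and time-range filters to constructed sample events. The handling of values that fall between two bands (for example 3.95) and of values outside 0..10 is an assumption, since the page does not specify it.

```python
from dataclasses import dataclass, field
from datetime import datetime


def severity_level(value: float) -> str:
    """Map a numeric severity (0..10) to the Log/Low/Medium/High bands.
    Assumption: a value between bands (e.g. 3.95) falls into the lower band,
    so 4 and 7 act as inclusive lower limits of Medium and High."""
    if not 0 <= value <= 10:
        raise ValueError(f"severity outside 0..10: {value}")
    if value >= 7:
        return "High"
    if value >= 4:
        return "Medium"
    if value > 0:
        return "Low"
    return "Log"


@dataclass
class Event:
    rule: str
    severity: float
    time: datetime
    sensor: str
    src_ip: str
    dst_ip: str
    tags: set = field(default_factory=set)


def filter_events(events, rule=None, severity=None, sensor=None, tag=None,
                  start=None, end=None):
    """Apply the page's default filters; None means no filter on that field."""
    return [e for e in events
            if (rule is None or e.rule == rule)
            and (severity is None or severity_level(e.severity) == severity)
            and (sensor is None or e.sensor == sensor)
            and (tag is None or tag in e.tags)
            and (start is None or e.time >= start)
            and (end is None or e.time <= end)]


def count_by_severity(events):
    """Tabular summary: number of events per severity band."""
    counts = {"Log": 0, "Low": 0, "Medium": 0, "High": 0}
    for e in events:
        counts[severity_level(e.severity)] += 1
    return counts


# Constructed sample events (not real UTMStack data); private IPs only.
SAMPLE = [
    Event("SSH brute force", 7.5, datetime(2024, 1, 10, 8, 0), "sensor-1", "10.0.0.5", "10.0.0.20", {"ssh"}),
    Event("Web application attack", 5.0, datetime(2024, 1, 10, 9, 30), "sensor-2", "10.0.0.7", "10.0.0.21", {"web"}),
    Event("Information leak", 2.5, datetime(2024, 1, 11, 12, 0), "sensor-1", "10.0.0.9", "10.0.0.22", {"web", "dlp"}),
    Event("Audit log rotation", 0.0, datetime(2024, 1, 11, 23, 0), "sensor-2", "10.0.0.20", "10.0.0.20", set()),
]
```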
2. UTMStack displays all events, or the filtered events (if you defined search criteria). From the tabular summary listing of events, you can click on any event row to view further details in a popup window. You can also apply incidents, add notes, or add tags.
The table displays the following columns: Rule, Severity, Time, Sensor, Source IP, and Destination IP.
Click on any row to display a window with a full description: summary, proposed solution, edit solution, details (rule, ID, status, etc.), view log, and view change history.
3. Save reports: You can save a report in CSV format.
4. View rules
You can manage your alert rules from the Alert rule management page. The search bar allows you to filter by rule, severity, sensor, origin, and destination.
5. Alert documentation management: it is important to identify and document the alerts.
The screen shows three tabs: solution, categories, and description. Each tab has a search bar and the option of adding a new solution, category, or description, respectively.