Manage events

An event is any change in your system. A log entry, for instance, represents an event that occurred.

An alert is a warning about the occurrence of events that match specific conditions. The IT team analyzes events (and alerts) to decide whether they represent malicious activity.

When you select Threat Management > Events, UTMStack displays the following page:

(Screenshot: manage-event.png)

1. You can search and filter events by time range and other event attribute criteria. By default, the following filters are displayed:

Rule: The rule used to detect the event.

Severity: Returns events classified by severity level: Log, Low, Medium, and High. The levels are assigned according to the following rules:

  • Log — severity value equal to 0.
  • Low Severity — severity values between 0.1 and 3.9.
  • Medium Severity — severity values between 4 and 6.9.
  • High Severity — severity values between 7 and 10.

Category: Based on the event type, such as information leak or web application attack. It indicates the urgency with which an event should be investigated.

Sensor: This filter allows you to select a deployed Sensor from the list.

Tag: You can perform a query using one of the tags provided in this section as your search criterion.

2. UTMStack displays all events, or only the filtered events if you defined search criteria. From the tabular summary of events, you can click any event row to view further details in a popup window. You can also apply incidents, add notes, or add tags.
The table displays the following columns: Rule, Severity, Time, Sensor, Source IP, and Destination IP.

Click any row to display a window with a full description: summary, proposed solution, edit solution, detail (rule, ID, status, etc.), view log, and view change history.

3. Save reports: You can save a report in CSV format.
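The filters in step 1, the severity bands, the table columns in step 2, and the CSV report in step 3 describe one small pipeline: select events, classify their severity, and write the selected rows out. The following example is added here to show that pipeline end to end; it is not UTMStack code. The Event dataclass, its field names, the sample events, and the one-decimal rounding applied before classifying a score are all assumptions of the example (the page lists the bands 0.1–3.9 and 4–6.9 without saying how a score such as 3.97 is handled).

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, List, Optional


def severity_level(score: float) -> str:
    """Map a numeric severity (0-10) to the four levels: Log, Low, Medium, High.

    Scores are rounded to one decimal first so that values such as 3.97 land in a
    documented band (the page lists 0.1-3.9 and 4-6.9, leaving the gap between
    them unspecified). That rounding is an assumption of this example.
    """
    value = round(float(score), 1)
    if value < 0 or value > 10:
        raise ValueError(f"severity score outside 0-10: {score!r}")
    if value == 0:
        return "Log"
    if value <= 3.9:
        return "Low"
    if value <= 6.9:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class Event:
    # Hypothetical event record: the fields mirror the page's table columns and
    # filters, not UTMStack's real schema.
    rule: str
    severity: float
    time: datetime
    sensor: str
    source_ip: str
    destination_ip: str
    category: str
    tags: frozenset = field(default_factory=frozenset)


def filter_events(events: Iterable[Event], *, rule: Optional[str] = None,
                  level: Optional[str] = None, category: Optional[str] = None,
                  sensor: Optional[str] = None, tag: Optional[str] = None,
                  start: Optional[datetime] = None,
                  end: Optional[datetime] = None) -> List[Event]:
    """Apply the page's filters: time range, rule, severity level, category, sensor, tag.

    Arguments left as None are ignored, so a call with no filters returns every
    event, matching the 'displays all events' case.
    """
    selected = []
    for ev in events:
        if rule is not None and ev.rule != rule:
            continue
        if level is not None and severity_level(ev.severity) != level:
            continue
        if category is not None and ev.category != category:
            continue
        if sensor is not None and ev.sensor != sensor:
            continue
        if tag is not None and tag not in ev.tags:
            continue
        if start is not None and ev.time < start:
            continue
        if end is not None and ev.time > end:
            continue
        selected.append(ev)
    return selected


# The six columns the events table displays.
REPORT_COLUMNS = ["Rule", "Severity", "Time", "Sensor", "Source IP", "Destination IP"]


def events_to_csv(events: Iterable[Event]) -> str:
    """Render events as a CSV report with the table's columns; severity is written as its level."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(REPORT_COLUMNS)
    for ev in events:
        writer.writerow([ev.rule, severity_level(ev.severity), ev.time.isoformat(),
                         ev.sensor, ev.source_ip, ev.destination_ip])
    return buf.getvalue()


# Constructed sample events (documentation-range IPs, not real UTMStack data).
SAMPLE_EVENTS = [
    Event("SSH brute force", 7.5, datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc),
          "sensor-dmz", "203.0.113.7", "192.0.2.10", "Attempted admin", frozenset({"external"})),
    Event("Web application attack", 5.0, datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc),
          "sensor-dmz", "198.51.100.4", "192.0.2.20", "Web application attack",
          frozenset({"external", "web"})),
    Event("Information leak", 2.0, datetime(2024, 1, 11, 12, 0, tzinfo=timezone.utc),
          "sensor-lan", "192.0.2.30", "192.0.2.40", "Information leak", frozenset({"internal"})),
    Event("Syslog heartbeat", 0.0, datetime(2024, 1, 11, 13, 0, tzinfo=timezone.utc),
          "sensor-lan", "192.0.2.50", "192.0.2.1", "Not suspicious", frozenset()),
]

if __name__ == "__main__":
    # Equivalent of choosing Severity = High in the UI and saving the report.
    print(events_to_csv(filter_events(SAMPLE_EVENTS, level="High")))
```

Filtering on the level rather than on the raw score keeps the report consistent with what the UI shows: an event that scores 6.94 is listed as Medium in both places, and the CSV can be re-read with the same band boundaries later.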

(Screenshot: save-report.png)

4. Manage tags: This function allows you to create a new tag, as well as choose and edit the default tags.

5. View rules

(Screenshot: XNTalert-rule-management.png)

You can manage your alert rules from the Alert rule management page. The search bar allows you to filter by rule, severity, sensor, origin, and destination.

6. Alert documentation management: It is important to identify and document the alerts.

(Screenshot: alert-documntation.png)

The screen shows three tabs: Solution, Categories, and Description. Each tab has a search bar and an option to add a new solution, category, or description, respectively.