The overview tab collects information about the alerts triggered over the last 24 hours to give you a snapshot of your network's status and offers you several ways to investigate the events that triggered alerts.
There's a lot you can learn here so we'll explain how to make best use of this information by describing the three areas of this tab:
1. Quick filters
This area breaks down the types of alerts triggered in the last 24 hours and lets you apply filters to other elements in the tab.
Click on any of the bubbles to show the alert timeline for the selected category of alert. Click on one or more of the alert severities on the right to show data for the selected severities. As you apply priority filters to the information, the alert counts displayed in the bubbles are updated to reflect the count of alerts with the selected priority or priorities. The category and priority filters also apply to the alert timeline table in the Alert analysis area.
The alert categories are:
- Network - All alerts based on firewall, web, proxy or IDS events.
- Threats - Alerts based on firewall, web, proxy or IDS events that use data from threat intelligence feeds.
- Access - Alerts based on Active Directory events.
- Endpoints - Alerts based on your network endpoint devices/machines.
- Alert Chains - Alerts that are based on other alerts.
- Availability - Alerts that report on system inactivity. There is one for each firewall, web server, proxy, IDS, access, and relay instance.
Example: Reviewing the highest severity alerts
You want to have a look at the most severe threat alerts that have occurred in the last 24 hours. Click the Threats bubble, then click to select the Critical and High severities. This filter is reflected both in the alert counts in the bubbles and in the alert timeline table below the quick filter.
You can select any alert in the timeline table to further investigate the events that triggered that type of alert.
2. Alert analysis
Get a quick read on the most common alerts over the last 24 hours and analyze the events related to them.
Use the frequency chart (1) to identify patterns in the frequency of each alert over the last 12 hours. Mouse-over an alert name to display the count for each spot in the chart. When Global size is on, the spot sizes are scaled against all others in the chart. Turn this setting off to scale the spots only against other spots for the same alert (row).
The persistent alerts table (2) lists, in descending order, the alerts that have been triggered most frequently over the last 24 hours.
The alert timeline table (3) is a complete list of alerts in the last 24 hours starting with the most recent and the highest priority. The alert category and priority filters also apply to the content displayed in this table. In addition, you can filter by time by clicking and dragging along the timeline to examine the events that occurred during a specific time period.
When you locate an alert that you want to investigate, first click on the arrow at the right side of the alert definition to see the text of the alert. You can also click the alert row to open another table that shows all the events over the last 24 hours that have triggered the selected alert.
You can search this table or click Raw to open the contents in the search window where you can work with the data as with any other query.
3. Alert investigation
This is a complete list of the alerts ordered first by priority level, then by date. For each alert, key values (like IP addresses or ports) are extracted as actionable parameters that you can click to identify all other alerts that cite the parameter value. The alerts are displayed in the alert timeline table where you can further investigate the events that triggered the alerts.
Example: Tracking a suspicious IP address
You want to investigate suspicious activity associated with a particular IP address. In the Alert list, click the IP address parameter. This immediately updates the quick filter with the count of alerts involving this address and filters the alert timeline to show only events associated with the same type of alert. Select an alert in the timeline table to display the events that triggered this type of alert.
The parameter value is highlighted in all events in which it is cited. To work with these events, you can click Raw to open the table of events in the search window.
Once a parameter for one alert is selected (source IP, as in the example), the list of alerts matching the parameter is shown, so you can proceed to investigate. You can add additional filters by clicking the bubbles (you may have alerts with this condition in several bubbles) and/or by clicking the priority pyramid.
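The three areas above (quick-filter bubbles and priority pyramid, the persistent alerts ranking and timeline table, and pivoting on an actionable parameter such as a source IP) all reduce to the same filtering and aggregation over a set of alerts. The following Python is an added illustration written for this page, not code from the product itself; the alert records, field names (`category`, `priority`, `time`, `params`), the priority ranking and the sample data are all constructed assumptions chosen to mirror the behaviour the tab describes.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed severity ranking: lower number sorts first (most severe first).
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# The overview tab works on the last 24 hours.
WINDOW = timedelta(hours=24)

# Constructed sample alerts (not real data). Each carries its category, its
# priority, the time it fired and the key values extracted as parameters.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"name": "Port scan detected", "category": "Network", "priority": "high",
     "time": NOW - timedelta(hours=1), "params": {"src_ip": "10.0.0.5", "dst_port": "22"}},
    {"name": "Port scan detected", "category": "Network", "priority": "high",
     "time": NOW - timedelta(hours=3), "params": {"src_ip": "10.0.0.5", "dst_port": "445"}},
    {"name": "Known C2 contact", "category": "Threats", "priority": "critical",
     "time": NOW - timedelta(minutes=30), "params": {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9"}},
    {"name": "Brute force logon", "category": "Access", "priority": "medium",
     "time": NOW - timedelta(hours=5), "params": {"user": "jdoe", "src_ip": "10.0.0.7"}},
    # Fired 30 hours ago, so it falls outside the 24 hour window and is ignored.
    {"name": "Relay inactive", "category": "Availability", "priority": "low",
     "time": NOW - timedelta(hours=30), "params": {"host": "relay-01"}},
]


def in_window(alert, now=NOW, window=WINDOW):
    """True when the alert fired inside the last `window` before `now`."""
    return now - window <= alert["time"] <= now


def quick_filter_counts(alerts, priorities=None, now=NOW):
    """The bubbles: alert count per category, restricted to the priorities
    selected on the pyramid when any are given."""
    counts = Counter()
    for a in alerts:
        if not in_window(a, now):
            continue
        if priorities and a["priority"] not in priorities:
            continue
        counts[a["category"]] += 1
    return dict(counts)


def persistent_alerts(alerts, now=NOW):
    """The persistent alerts table: alert names ranked by how often they
    fired, most frequent first."""
    counts = Counter(a["name"] for a in alerts if in_window(a, now))
    return counts.most_common()


def alert_timeline(alerts, categories=None, priorities=None,
                   start=None, end=None, now=NOW):
    """The timeline table: window, category and priority filters plus an
    optional click-and-drag time range, ordered by priority (most severe
    first) and then by most recent."""
    rows = []
    for a in alerts:
        if not in_window(a, now):
            continue
        if categories and a["category"] not in categories:
            continue
        if priorities and a["priority"] not in priorities:
            continue
        if start is not None and a["time"] < start:
            continue
        if end is not None and a["time"] > end:
            continue
        rows.append(a)
    rows.sort(key=lambda a: (PRIORITY_RANK[a["priority"]], -a["time"].timestamp()))
    return rows


def pivot_on_parameter(alerts, key, value, now=NOW):
    """Clicking an actionable parameter: every in-window alert that cites the
    same value for that parameter, in timeline order."""
    return [a for a in alert_timeline(alerts, now=now) if a["params"].get(key) == value]


if __name__ == "__main__":
    print("bubbles:", quick_filter_counts(SAMPLE_ALERTS))
    print("critical/high only:", quick_filter_counts(SAMPLE_ALERTS, {"critical", "high"}))
    print("persistent:", persistent_alerts(SAMPLE_ALERTS))
    for a in pivot_on_parameter(SAMPLE_ALERTS, "src_ip", "10.0.0.5"):
        print("cites 10.0.0.5:", a["priority"], a["name"], a["time"].isoformat())
```

The pivot call mirrors the IP-tracking example: the same filtered set then feeds the bubble counts and the timeline, which is why selecting a parameter updates both at once. The time-range arguments stand in for dragging along the timeline, and narrowing with `priorities` reproduces the pyramid click from the severity example.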