As messages come in, they are processed against the list of policies in the policy manager. If the message violates a policy, it can be saved to the history table and may also end up being posted to a bulletin board. The bulletin boards are used to organize alarms into categories. Each policy is associated with a Bulletin board view. There are 4 primary menus in the Alarms tab:
- Views menu: provides options to view some of the more popular reports available in the Alarms tab.
- Configuration menu: provides access to the utilities responsible for most of the functionality in the Alarms tab.
- Reports menu: provides reports to determine how well the algorithms are performing over time and how frequently the policies are being triggered.
- Gear menu: configures global settings for the Alarms tab.
- Show X Entries: adjusts the number of results shown in the Bulletin Board (10, 25, 50, 100, 200, 300 or 400).
- Refresh This View: sets the auto-refresh interval.
- Make this view the default for my profile: every time the user visits the Alarms tab, this view will be the default.
- Refresh button: refreshes the Bulletin Board with the most up-to-date information.
- IP/DNS: displays IP addresses or DNS host names.
A heat map is a graphical representation of the corresponding Bulletin board table. Objects appearing in the heat map high and to the right are the hosts or policies that often need immediate attention. This is because those objects have the most violators and the most violations combined.
The Threat Index (TI) is a single value made up of events with different weights that age out over time. Because any one event could be a false positive, the TI gives the administrator the option of letting the summed events, rather than any single event, trigger a notification when a configurable threshold is breached.
For example, if a device on the local network reaches out to an Internet host with a reputation of being part of a botnet, does that mean it is somehow infected? It could, but probably not. What if the same local PC also receives a few ICMP redirects from the router supporting the subnet? Can it now be discerned that there is an infection that needs to be addressed? Again, probably not, but suspicion is mounting.
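As an added illustration (not the product's own algorithm; the weights, the age-out window and the threshold are assumed values, and the event stream is constructed), here is a Python sketch of how a Threat Index of this kind can be summed per host and checked against a threshold, using the scenario above of one botnet-reputation contact followed by a few ICMP redirects:

```python
from dataclasses import dataclass

# Assumed weights per event type (the page gives no numbers); the two event
# kinds mirror the botnet-reputation and ICMP-redirect scenario above.
WEIGHTS = {
    "botnet_reputation_contact": 40,
    "icmp_redirect": 10,
}
AGE_OUT_SECONDS = 3600  # assumed: an event stops counting after one hour


@dataclass(frozen=True)
class Event:
    time: int   # seconds since an arbitrary epoch
    kind: str
    host: str


# Constructed sample stream for a single internal host.
EVENTS = [
    Event(0, "botnet_reputation_contact", "10.1.2.3"),
    Event(600, "icmp_redirect", "10.1.2.3"),
    Event(900, "icmp_redirect", "10.1.2.3"),
    Event(1200, "icmp_redirect", "10.1.2.3"),
]


def threat_index(events, host, now):
    """Sum the weights of this host's events that have not yet aged out."""
    total = 0
    for ev in events:
        if ev.host != host:
            continue
        age = now - ev.time
        if 0 <= age < AGE_OUT_SECONDS:   # future or aged-out events do not count
            total += WEIGHTS[ev.kind]
    return total


def hosts_over_threshold(events, now, threshold):
    """Hosts whose current Threat Index meets the configured threshold."""
    hosts = {ev.host for ev in events}
    return sorted(h for h in hosts if threat_index(events, h, now) >= threshold)


if __name__ == "__main__":
    # The single botnet contact (40) stays under a threshold of 60; the added
    # redirects push the host over it, and an hour later it drops back below.
    for now in (0, 1200, 4000):
        print(now, threat_index(EVENTS, "10.1.2.3", now),
              hosts_over_threshold(EVENTS, now, 60))
```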