Alarm Monitor#

The Scrutinizer Alarm Monitor page is Scrutinizer’s main interface for monitoring and investigating active alarm policy violations. The page is divided into three subtabs, which allow for different starting points when investigating events:

  • Policies

  • Hosts

  • ATT&CK

For additional background and recommended configuration steps related to Alarm Monitor functions, see the configuration guide for alarms and events.

Policies#

The Monitor > Policies tab/view is the default Alarm Monitor view and can be used to investigate alarms within the specified time period based on the alarm policy violated.

The overview table can be set to include any of the following columns via the Available Columns button:

  • Severity: Distribution of individual events under the policy based on severity

  • Risk: Aggregated risk level

  • Events: Total number of violating events under the policy

  • Violators: Total number of hosts observed as violators under the policy

  • Targets: Total number of hosts observed as targets under the policy

  • First Observed: Timestamp of the first violating event within the specified time period

  • Last Observed: Timestamp of the most recent violating event within the specified time period

  • Category: Policy category

  • Technology: Plixer One component where the alarm originated

The host counts in the Violators and Targets columns also function as shortcuts to pivot to the Hosts view with a filter for the policy applied.

Note

Editing policy settings

To edit the settings of the policy for an active alarm, select Edit Policy from the three-dot menu in the list/table.

This will open the settings tray in the alarm policy management view, where the policy’s weight, timeout, and state can be modified. Notification profiles can also be created and assigned to the policy from this tray.

Inspecting hosts

Clicking the arrow (➝) icon in the Violators or Targets column of the table opens a tray listing the violating and targeted hosts involved in the alarm. This tray can be used to select one or more hosts to apply as filters or to view alarm details for any of the hosts involved.

Alternatively, clicking on the host count in the Violators or Targets column opens the Alarm Monitor Hosts tab with a filter for the policy applied.

The tray also includes toggles to hide/show system policy violations and acknowledged events in the active alarm list.

Managing exclusions

To add or remove exclusions for an active alarm policy, select Manage Exclusions from the three-dot menu in the list/table.

For Scrutinizer alarm policies (indicated in the Technology column), this will open the FA algorithm management view, from where exclusions can be added to or removed from the algorithm driving the policy. For Plixer Machine Learning policies, the option will open the ML detection management view instead.

Individual hosts can also be added to FA algorithm or ML detection exclusion lists by opening the violators/targets tray and clicking the icon for one or more hosts.

Alarm summary

Clicking on a policy in the main list opens the summary/details view for the alarm, which includes a chart/timeline summarizing observation details and a list of artifacts for separate events/violations under the same policy.

The following visualizations can be selected from the View dropdown:

  • Events Scatter Plot - Shows distribution of the events and observations

  • Events Timeline (default) - Shows the individual events and their durations in a timeline for the specified time period

  • Entities - Shows observation distribution among top violators, IP groups, and targets

Note

Scrutinizer aggregates continuous or consecutive observations within the policy’s Timeout setting as a single event. See this page on the alarm/event life cycle for further details.
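The aggregation rule above (consecutive observations within the policy's Timeout collapse into one event) is also what feeds the Events, Violators, Targets, and First/Last Observed columns of the Policies overview table described earlier. The following is an added illustration written for this page, not Scrutinizer's own code: it takes a constructed list of observations, groups them into events using a per-policy timeout, and derives the overview-table columns from the result. Keying an event on the (policy, violator) pair, the sample data, and the timeout values are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample observations (not real Scrutinizer data).
# Each record: (policy, violator, target, timestamp, severity)
OBSERVATIONS = [
    ("Port Scan", "10.1.1.5", "10.2.2.10", "2024-05-01T10:00:00", "High"),
    ("Port Scan", "10.1.1.5", "10.2.2.11", "2024-05-01T10:03:00", "High"),
    ("Port Scan", "10.1.1.5", "10.2.2.12", "2024-05-01T10:07:00", "High"),
    # 23 minutes after the previous observation: beyond the 10-minute
    # timeout, so this starts a second event under the same policy.
    ("Port Scan", "10.1.1.5", "10.2.2.13", "2024-05-01T10:30:00", "High"),
    ("Port Scan", "10.1.1.9", "10.2.2.10", "2024-05-01T10:31:00", "Medium"),
    ("DNS Tunnel", "10.1.1.5", "8.8.8.8", "2024-05-01T11:00:00", "Critical"),
]

# Assumed per-policy Timeout settings (the value a real policy carries
# would come from its settings tray).
TIMEOUTS = {"Port Scan": timedelta(minutes=10), "DNS Tunnel": timedelta(minutes=5)}


@dataclass
class Event:
    policy: str
    violator: str
    severity: str
    start: datetime
    end: datetime
    observations: int = 1
    targets: set = field(default_factory=set)


def aggregate_events(observations, timeouts, default_timeout=timedelta(minutes=5)):
    """Group observations into events.

    An observation extends the currently open event for its (policy, violator)
    key when it arrives within the policy's Timeout of that event's last
    observation; otherwise it opens a new event. Keying on (policy, violator)
    is an assumption of this example, standing in for the policy's own
    "matching violating criteria".
    """
    events = []
    open_events = {}
    # ISO-8601 timestamps sort correctly as strings.
    for policy, violator, target, ts, severity in sorted(observations, key=lambda o: o[3]):
        t = datetime.fromisoformat(ts)
        key = (policy, violator)
        ev = open_events.get(key)
        if ev is not None and t - ev.end <= timeouts.get(policy, default_timeout):
            ev.end = t
            ev.observations += 1
            ev.targets.add(target)
        else:
            ev = Event(policy, violator, severity, t, t, 1, {target})
            events.append(ev)
            open_events[key] = ev
    return events


def policy_summary(events):
    """Build the Policies-tab overview rows from aggregated events:
    severity distribution, event count, distinct violator and target
    counts, and first/last observed timestamps per policy."""
    rows = {}
    for ev in events:
        row = rows.setdefault(ev.policy, {
            "severity": defaultdict(int), "events": 0,
            "violators": set(), "targets": set(),
            "first_observed": ev.start, "last_observed": ev.end,
        })
        row["severity"][ev.severity] += 1
        row["events"] += 1
        row["violators"].add(ev.violator)
        row["targets"] |= ev.targets
        row["first_observed"] = min(row["first_observed"], ev.start)
        row["last_observed"] = max(row["last_observed"], ev.end)
    # Render the sets as the counts the table displays.
    return {
        p: {
            "severity": dict(r["severity"]),
            "events": r["events"],
            "violators": len(r["violators"]),
            "targets": len(r["targets"]),
            "first_observed": r["first_observed"].isoformat(),
            "last_observed": r["last_observed"].isoformat(),
        }
        for p, r in rows.items()
    }


if __name__ == "__main__":
    for policy, row in policy_summary(aggregate_events(OBSERVATIONS, TIMEOUTS)).items():
        print(policy, row)
```

With the sample data, the three Port Scan observations from 10.1.1.5 between 10:00 and 10:07 become one event with three targets, the 10:30 observation becomes a second event, and the 10.1.1.9 observation a third, so the Port Scan row reports 3 events, 2 violators and 4 targets. Lowering the Port Scan timeout below three minutes would split the first event as well, which is the behaviour to keep in mind when a policy's Timeout is tuned.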

Event list

The event list of the alarm summary view can be used to drill into the artifacts for discrete events/violations within the specified time period. The summary table lists total number of observations aggregated as well as the basic details (severity, hosts, etc.) for each event.

Hint

Mouse over the graph icon in the event list for additional shortcuts/options (varies by policy).

Click on an artifact to open a tray containing the full details for the event:

  • Severity

  • Start/end timestamps

  • Most recent event message generated

  • All hosts observed as targets

  • All hosts observed as violators

  • All events with matching violating criteria

In the tray, clicking on the link icon for a target or violator opens the host details view, where the details for all alarms associated with the host can be investigated. Details for other events with the same violating criteria (based on the alarm policy) can also be viewed in a secondary tray by clicking the view (eye) icon.

Auto-Investigate policy

The Auto-Investigate alarm policy reports sequential incident/event chains wherein each targeted host becomes the next violator in the sequence. Each chain includes all discrete events starting from the initial incident and ends when the target cannot be confirmed as the next violator.

When an Auto-Investigate alarm is active, its summary view will list all incident chains (aggregated by the initial violating host) instead of individual events.
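To make the chain rule concrete, here is an added example written for this page (not Plixer's Auto-Investigate implementation). Given a constructed list of discrete events, it links an event to any later event whose violator is the first event's target, enumerates every chain from each initial violator, and stops a chain where no such follow-on event exists. The maximum gap allowed between links, the rule that an event with no qualifying predecessor starts a chain, and the sample data are all assumptions of the example; the real policy's confirmation criteria are not documented on this page. The summary function then tallies the per-policy and per-host counts that the investigation subview lists.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Scrutinizer data).
# Each record: (policy, violator, target, timestamp)
EVENTS = [
    ("Port Scan", "10.0.0.99", "10.0.0.50", "2024-05-01T08:00:00"),      # no follow-on
    ("Brute Force", "10.0.0.5", "10.0.0.20", "2024-05-01T09:00:00"),     # chain start
    ("Lateral Movement", "10.0.0.20", "10.0.0.30", "2024-05-01T09:10:00"),
    ("Lateral Movement", "10.0.0.20", "10.0.0.31", "2024-05-01T09:12:00"),
    ("Data Exfiltration", "10.0.0.30", "203.0.113.7", "2024-05-01T09:40:00"),
    # 10.0.0.31 violates almost six hours after being targeted: outside the
    # assumed 2-hour gap, so it is NOT confirmed as the next violator and
    # instead starts a chain of its own.
    ("Brute Force", "10.0.0.31", "10.0.0.40", "2024-05-01T15:00:00"),
]


def build_chains(events, max_gap=timedelta(hours=2)):
    """Return {initial_violator: [chain, ...]} where each chain is a list of
    events in which every event's target is the next event's violator.

    max_gap (assumed) bounds how long after being targeted a host may appear
    as a violator and still be linked. An event starts a chain when no earlier
    event within max_gap targeted its violator.
    """
    evs = sorted(
        ((p, v, t, datetime.fromisoformat(ts)) for p, v, t, ts in events),
        key=lambda e: e[3],
    )

    def next_links(i):
        _, _, target, when = evs[i]
        return [j for j, e in enumerate(evs)
                if e[1] == target and when < e[3] <= when + max_gap]

    # Events reachable as a follow-on of another event are not chain starts.
    linked = {j for i in range(len(evs)) for j in next_links(i)}

    chains = defaultdict(list)
    for i, ev in enumerate(evs):
        if i in linked:
            continue
        # Depth-first walk; `j not in path` guards against A->B->A loops.
        stack = [[i]]
        while stack:
            path = stack.pop()
            nxt = [j for j in next_links(path[-1]) if j not in path]
            if not nxt:
                chains[ev[1]].append([evs[k] for k in path])
            stack.extend(path + [j] for j in nxt)
    return dict(chains)


def investigation_summary(chains):
    """For one initial violator's chains, compute what the investigation
    subview lists: per policy the event, violator and target counts, and
    per host the roles it played. Events shared by overlapping chains are
    counted once."""
    seen = set()
    for chain in chains:
        seen.update(chain)
    policies = {}
    hosts = defaultdict(set)
    for policy, violator, target, _ in seen:
        row = policies.setdefault(policy, {"events": 0, "violators": set(), "targets": set()})
        row["events"] += 1
        row["violators"].add(violator)
        row["targets"].add(target)
        hosts[violator].add("violator")
        hosts[target].add("target")
    policy_counts = {
        p: {"events": r["events"], "violators": len(r["violators"]), "targets": len(r["targets"])}
        for p, r in policies.items()
    }
    return policy_counts, {h: sorted(roles) for h, roles in hosts.items()}


if __name__ == "__main__":
    for initial, chains in build_chains(EVENTS).items():
        print(initial, [[e[1] + "->" + e[2] for e in c] for c in chains])
        print("  ", investigation_summary(chains))
```

On the sample data, initial violator 10.0.0.5 yields two chains that share the Brute Force event (5 → 20 → 30 → 203.0.113.7 and 5 → 20 → 31), 10.0.0.99 yields a single-event chain, and the late 10.0.0.31 event is reported as its own chain rather than as a continuation. The gap bound is what prevents a host that was scanned once from dragging every later alarm it raises into the same incident.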

Investigation details

Clicking the microscope icon in the list/table opens the investigation subview for the selected initial violator, which can be used to inspect the following information for all incident chains linking back to it:

  • All incident chains with the same initial violator, including violators, targets, and exact timelines

  • Visualized links between violators, policies, and targets

  • Event distribution over time

  • Event, target, and violator counts for all policies violated

  • Number of policy violations, linked event violator counts (including itself), and roles for all hosts

The policy and host lists also link back to their respective Alarm Monitor views for further investigation and cross-referencing.

Hosts#

The Monitor > Hosts tab can be used to investigate alarms within the specified time period based on a target or violating host.

The overview table can be set to include any of the following columns via the Available Columns button:

  • Severity: Distribution of individual events involving the host based on severity

  • Behavior: Host behavior information (Click the icon to view behavior summary or drill into the host behavior subview.)

  • Risk: Endpoint risk level (Click the icon to view endpoint details.)

  • Country/Group: IP group or country associated with the host

  • As Target: Total number of events with the host as a target

  • As Violator: Total number of events with the host as a violator

  • Policies: Total number of policy violations involving the host as a target or violator

  • First Observed: Timestamp of the first violating event involving the host within the specified time period

  • Last Observed: Timestamp of the most recent violating event involving the host within the specified time period

The three-dot icon/menu can be used to access the host information summary tray or pivot to any report supported by the host.

Note

  • Behavior information requires a Plixer One Enterprise license.

  • Risk information requires Endpoint Analytics integration to be enabled.

  • The Country/Group column will display IP groups for internal hosts and countries for external addresses. Addresses can be designated as internal or external as part of IP group definitions.

Host details#

Clicking on a hostname/address in the main list opens the host details page, which includes an overview pane and three (four if the host is an exporter) subviews with detailed insights related to the host’s activity.

Note

If Endpoint Analytics integration is enabled, the overview pane will include a section with additional endpoint information and a link to the corresponding Endpoint Analytics view.

Traffic

The host traffic subview can be used to inspect a host’s activity based on its communications with other hosts and/or IP groups.

This subview visualizes activity data for the host using the following charts:

  • An activity timeline showing the inbound (green) and outbound (blue) rates over the specified time period

  • A traffic distribution chart of source IP groups where this host is the destination

  • A traffic distribution chart representing the host’s activity by defined application used

  • A traffic distribution chart of destination IP groups where this host is the source

Each chart also includes a shortcut button to run a filtered report to break down the host’s activity in greater detail.

Behavior

The host behavior subview can be used to investigate a host that has been observed by the Plixer ML Engine to be exhibiting anomalous behavior.

Host behavior insights for the selected ML dimension are summarized in the following:

  • A timeline showing the deviation criteria (e.g., bytes, IP address count, etc.), magnitude (based on the host’s typical activity patterns), and threshold for the selected dimension

  • A table/list of timestamps and details for individual behavior deviations

To see behavior information for a different feature dimension, use the dropdown and select another dimension with an anomalous behavior count.

Further investigation is recommended for hosts with deviation magnitudes exceeding the indicated threshold.

Note

  • Behavior data will only be available for hosts that are covered by the ML Engine’s inclusion rules and have exhibited anomalous behavior.

  • Behavior modeling and other ML Engine functions require a Plixer One Enterprise license. Contact Plixer Technical Support to learn more.

Alarms

The host alarms subview can be used to investigate alarms in which the host was involved as a target and/or violator.

This subview includes two overviews of all unacknowledged alarms associated with the host:

  • A timeline showing individual events by alarm policy violated

  • A summary table (similar to the main Alarm Monitor policies view) with details for all policies with violations involving the host

Drilling in from the summary table opens the alarm details view for the policy, where event artifacts can be inspected individually.

Interfaces

The host interfaces subview consists of a table listing all interfaces on a flow-exporting device along with their inbound and outbound activity details.

Note

Inbound and outbound activity details use rates by default. If a custom interface speed has been assigned to an interface, utilization will be used instead.

To show high-water activity (inbound or outbound) details for an interface, hover over the corresponding information (i) icon in the table. Shortcuts to run reports or drill into interface traffic/behavior can be accessed from the three-dot menu.

Additional options

To support workflow efficiency, the host details page header includes buttons to access the following functions:

  • Changing the time period/range covered

  • Pivoting to any supported report type filtered on the current host

  • Viewing additional details and information from integrated sources (Learn more button)

  • Applying filters (alarms and interfaces subviews only)

ATT&CK#

The Monitor > ATT&CK tab can be used to investigate events based on the tactic, technique, and sub-technique assigned by the MITRE ATT&CK framework.

Events are plotted in a timeline, where the user is able to drill into them individually to open a tray containing the following:

  • MITRE ATT&CK tactic and technique information, with links to the relevant MITRE ATT&CK knowledge base articles

  • Shortcuts to the Policies or Hosts Alarm Monitor tab with filters for the event’s details applied

  • Basic event information

The page also includes the MITRE ATT&CK Enterprise Matrix, with technique classifications highlighted to match the corresponding events in the timeline.

Hint

Click on a technique cell in the matrix to view the policies violated in the Policies tab.

Applying filters#

To further facilitate monitoring and investigation, the Scrutinizer Alarm Monitor views support multiple approaches to applying filters.

Time range filter

The Alarm Monitor views can be set to show alarm/event information for either a custom date and time range or a specified Last X period (last 15 minutes, last 24 hours, last week, etc.).

To view data for a different period, click the Time Range (calendar) button and configure the range to apply.

Hint

When a custom range is specified, click the up/down arrows to automatically adjust the dates to cover the same period of time.

Card/chart filters

By default, the Policies and Hosts tabs use sparkline cards to summarize severity distribution across policies or hosts. These cards can be clicked to apply a filter for policy violations or hosts matching the selected severity.

Other visualization types (timelines and connection diagrams) showing different event details (events, alarm policy category, etc.), can be selected from the View dropdown and used to quickly apply the corresponding filter.

Advanced filters

Clicking the Filters button opens a tray where one or more filters can be manually configured.

The following filtering options are available:

  • Policy

  • Severity

  • Risk

  • Hosts

  • Violators

  • Targets

  • Category (of alarm policy)

To apply a filter, expand the filter option/section, and select the criteria to use. Multiple options and criteria can be applied at the same time.

Note

  • The Risk filter is only available when the Endpoint Analytics integration is enabled. To learn more about Endpoint Analytics integration in Scrutinizer, see the Endpoint Analytics section of this documentation.

  • The filter options tray also includes an option to show policies and hosts associated with events that have already been acknowledged.

  • When exporting alarm/event data (via the Options button/tray), use the Export CSV (All) option to ignore any filters currently applied.

Acknowledging events#

Once an event has been investigated and/or resolved, it should be acknowledged to clear it from all Alarm Monitor views. This reduces the volume of active alarms and/or events at any given time and can further streamline investigative processes.

Acknowledging events is part of Scrutinizer’s recommended investigation and resolution workflow.

Hint

To show/hide acknowledged events in the Alarm Monitor views, open the filter options tray and toggle the Show Acknowledged Events option on/off.

Acknowledging can be done by alarm policy or by event.

Acknowledging by policy

From the main view of the Policies tab, acknowledging an alarm policy automatically flags all events generated under the policy as acknowledged.

To acknowledge by alarm policy:

  1. While on the Policies tab of the Alarm Monitor view, select the policy by ticking its checkbox.

  2. If acknowledging more than one policy, verify that the correct policies have been selected.

  3. Click Acknowledge Selected Events.

Note

The Acknowledge Selected Events button is only available when at least one policy checkbox is ticked.

Once acknowledged, the alarm policy and all events associated with it will be hidden from all Alarm Monitor views.

Acknowledging by event

Acknowledging can also be limited to the events that share the same violating criteria. This allows other events under the same policy (as well as the alarm policy itself) to be retained in Alarm Monitor views.

Events are acknowledged from the summary view of the Policies tab as follows:

  1. Scroll down to the Event List section of the page.

  2. Select the artifact linked to the criteria/events to be acknowledged by ticking its checkbox.

  3. If selecting more than one artifact, verify that the correct checkboxes have been ticked.

  4. Click Acknowledge Selected Events.

Note

The Acknowledge Selected Events button is only available when at least one artifact checkbox is ticked.

Once acknowledged, the event(s) will be hidden from all Alarm Monitor views.