Hosts

The Hosts tab of the Alarm Monitor page displays all hosts that are involved in the Events within the designated time period.

The Event Cards header visualization is displayed by default in the Hosts tab. To switch to a different visualization, click the View menu, and then select one of the following:

  • Event Cards

  • Policy Cards

  • Host Cards

  • Event Timeline

  • Policy Timeline

  • Host Timeline

The Hosts tab includes a table that shows the following details for each host:

  • Distribution of individual Events targeting the host based on their Severity

  • Total number of times the host was a target in an Event

  • Total number of times the host was a violator in an Event

  • Total number of Alarm Policies violated by the host

  • Timestamps of the original and most recent Events targeting the host

The following actions are also available in the Hosts tab:

  • Hide/Show Columns - Click the Hide/Show Columns icon beside the view mode menu to select which columns to hide or display in the table.

  • Filter Hosts by Severity - Click one of the color-coded Severity sparkline cards to display only the hosts with the selected Severity.

  • Sort Hosts by Severity - Click the Severity column header in the table to sort the hosts based on their severity.

  • Sort Hosts by Risk - Click the Risk column header in the table to sort the hosts based on their risk level.

  • Add Host to a Collection - Hover over the star icon and then click the plus button to add the Host and all the Alarms and Events associated with it to the active Collection. To switch to a different active Collection, hover over the star icon, click Manage Collections, and then select a different Collection. For more information on Collections, see the Investigate section.

  • View more host details - Hover over the three-dot icon and then select any of the following options: Go to Host View, View Information, View Endpoint, Filter on Host, or Run Report.

Alarm Summary

Each host address in the table links to the Alarm Summary page of the host. The Alarm Summary page has the following views:

  • Alarms - Displays all Alarm Policies associated with the Events targeting the host as well as other relevant details. This is the default view mode when accessing the Alarm Summary page of the host.

  • Traffic - Displays the Activity Timeline, the Source IP Groups, top applications, and the Destination IP Groups.

To view information related to the host, click the tray button in the Information section in the Alarms view. The tray button opens a quick-access tray that displays the DNS Name, IP Address, and other relevant information. Clicking the Learn More button navigates to the Traffic view in the Hosts tab.

Note

If Plixer Endpoint Analytics (integration) is enabled for the host, an Endpoint section is displayed below the Information section in the Alarms view. Clicking the tray button in the Endpoint section opens a quick-access tray that displays the Mapped IP Address, MAC Address, Current Location, System Location, and other information related to the host. Clicking the Investigate Endpoint button opens a new tab to the Endpoint Analytics web interface.

In the Alarm Summary page, the Integrations menu is available beside the filters icon. The Integrations menu displays the following options:

  • GEO IP - Opens a new window and displays the geographic location information of the associated alarm

  • Alarms - Navigates back to the Policies tab

  • Talos Reputation Center - Opens a new window displaying the Reputation Lookup results of the associated alarm