Bulletin Board by Policy¶
In the bulletin board by policy view, the alarms are grouped by policy violated. The heat map in the bulletin board by policy view displays the policies (e.g. threat algorithms) that are violated. Y axis = count, X axis = unique hosts. The bulletin board by policy table displays:
- Policy - Policies are used to match messages that will be saved to the history table. Click on a Policy name to see all of the messages that violated the Policy from all hosts.
- Board Name - Policy categories.
- Violations – The number of times a policy has been violated. With Flow Analytics alarm aggregation, one violation may consist of multiple events.
- Events - The number of events triggered by the algorithm.
- TI (Threat Index) - This is the default sort by table. The threat index is a function of a policies violation count and the policies threat multiplier. The higher the TI, the greater the chance these policy violations are a security threat. TI = violations * threat multiplier. Click here to learn more about the threat index.
- HI (Host Index) – The number of unique secondary IPs associated with a policy. Some algorithms have two IPs associated with the violation. For example, Network transports: If two hosts are seen using an unsanctioned transport, the source becomes the violator and the destination becomes the host. If there is one violator and an HI of six, a single host was communicating with six other hosts.
- Violators – The number of unique IPs that violated this policy.
- First Event - Date and Time of the first violation.
- Last Event - Date and Time of the last (most recent) violation.
- Last Notification - Notification methods include Email, Logfile, Syslog, SNMP Trap, Script and Auto Acknowledge.
Bulletin board by violator¶
In the bulletin board by violator view, the alarms are grouped by violating IP address. The heat map in the bulletin board by policy view displays the hosts that are violating policies. Y axis = count, X axis = unique policies. The bulletin board by violator table introduces a few new columns that were not outlined above:
- Country / Group – If an IP is a public address we determine the IPs country. If it is not a public address we check to see if it is in a defined IP Group.
- Users – User is determined based on violator address. The lookup requires eventlog collection be configured. See Username Reporting for details.
- Violator Address - The IP and/or DNS associated with the violator. Click on a Violator address to see all of the alarm events generated by that address.
- Other columns - described above.
The notification queue lists the last 24 hours of notifications that were sent or that currently in queue and waiting for execution. The notification queue table displays:
Violator Address - the IP and/or DNS associated with the violator
Policy - The associated Policy.
Notification - The name of the notification sent.
Alert Type - The type of notification sent (see Notication Profile for available options)
Status – Whether the notification has been sent. If it is set to finished it has been processed. If it is set to available it is waiting to be processed.
Notes – Additional details if available
Time Stamp - Date and Time of the notification.
Rate or Threshold: Once a notification is added, specify whether it should be triggered on by rate or threshold.
- Rate: X alarms within Y minutes need to be seen to trigger a notification.
- Threshold: Once there are X violations for this alarm on a BB, the notification will be sent. Acknowledging off the BB resets this.
Device Specific determines whether the notification thresholds are for all policy violators or are handled per violating address. For example: with device specific selected, IP address 184.108.40.206 and IP address 220.127.116.11 would each need to breach the threshold for a notification to be sent. Without device specific set, the combined alarms from those IPs would count against the threshold.
First or Each There is also an option to decide whether a notification should be “first” or “each”:
- First means once the threshold is breached and the notification is sent, another notification will not be sent until the alarms are acknowledged off the BB.
- Each means a notification will be triggered each time the rate or threshold is met.
The orphans view lists messages that did not violate policies. From this view, new policies can be created to organize alarms. The Orphan Table displays:
- Time Stamp - Date and Time of the notification.
- Source Address - the IP and/or DNS associated with the message source.
- Violator Address - the IP and/or DNS associated with the violator.
- Log Level - The severity and facility of the original syslog
- Create Policy - Click here to attach a policy to the orphaned message.
- Message - The orphaned message itself.
Policy violation overview¶
This view lists the threats detected by Flow Analytics. It includes the policies and the corresponding violations that occured in the specified time frame. The policy violation table displays:
- Policy Name - The associated policy name.
- Last 5 Min - Number of violations in the last 5 minutes.
- Last Hour - Number of violations in the last hour.
- All - Number of total violations for the associated policy.
- Totals - Located at the bottom of the table, it provides the totals for the three previous columns across all violated policies. Learn more about editing policies.