Viewing the Network Events


Event List

 

The "Security Event List Report" lists the security events detected in the network. The parameters shown for each event are described in the following table:

 

Parameter          Description
Algorithm Type     Icon showing which aggregation algorithm produced the event: Source Aggregation, Destination Aggregation or Router Aggregation.
ID                 A unique identifier assigned to each event, for ease of reference.
Problem            The problem class and the specific problem to which the event belongs.
Offender Location  The geographical/topological location of the offender.
Offenders          The unique source IP/network addresses of the event.
Routed Via         The router and interface through which the event's flows were routed.
Target Location    The geographical/topological location of the target.
Targets            The unique destination IP/network addresses of the event.
Time               The date and time of the first flow and of the last flow aggregated into the event.
Hits               The number of flows aggregated into the event.
Severity           The severity assigned to the event. There are four levels: Info, Warning, Major and Critical. Severity is assigned by an algorithm.
Status             Whether the event is open or closed. You can open or close an event, and delete it once the issue is resolved.
View               Click "View" to open the Event Details report for the event.

 

Note: Use the "Show DNS" option to display resolved DNS names in place of IP addresses.

 

(Screenshot: event list)

2.1 Customization

 

2.1a. White List: The White List option lets you ignore specific events and discard specific flows for a given resource and problem, so that activity you consider trusted or allowed no longer generates events.

 

Ignore Events: Ignores events of a given problem for a given resource. Select the event you want to ignore, click "White List" and select "Ignore Events". The dialog box that appears shows the problem name and the resource that will be ignored. Click "OK" to confirm.

 

Note: The problem displayed here is the base problem; the ignore rule applies to all problems derived from that base problem and is managed there.

 

View Ignored: Shows the resources ignored for a specific problem. Select an event you have already ignored, click "White List" and select "View Ignored". The window that appears lists the problem name and the ignored resources. You can also remove ignored resources from this window.

 

Note: Move your mouse over the resource to view the delete button.

 

Discard Flows: Discards flows for a specific problem. Select any event of the problem whose flows you want to discard, click "White List" and select "Discard Flows". In the window that appears, select the flow-field criteria for which flows should be discarded. Use "Preview" to review the selected criteria, then click "Save" to confirm.

 

Note: The problem displayed here is the base problem; the selected criteria apply to all problems derived from it. To apply the criteria to every problem detected by ASAM, select "All Problems".

 

View Discarded: Shows the flow fields and values for which flows are discarded. Select an event of a problem whose flows you have discarded, click "White List" and select "View Discarded". The window that appears lists the problem name and all selected criteria. You can also remove criteria from this window.

 

Note: Move your mouse over the field value to view the delete button.
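The two white-list mechanisms above, "Ignore Events" and "Discard Flows", modelled as an added example. This is illustrative code written for this page, not ManageEngine/ASAM code. It assumes that a derived problem is named "base problem / variant" (so the base problem can be recovered from the name), that the "resource" ignored for an event is its offender address, and that "All Problems" acts as a wildcard; the problem names, flow fields and every record are constructed.

```python
# Added example, not ManageEngine/ASAM code. Problem names, the
# "<base> / <variant>" naming, flow fields and all records are constructed.

ALL_PROBLEMS = "All Problems"   # assumption: wildcard covering every problem

def base_problem(problem):
    # Assumption: derived problems are written "<base problem> / <variant>".
    return problem.split("/")[0].strip()

def rule_covers(rule_problem, event_problem):
    # A rule saved on a base problem applies to every problem derived from it;
    # "All Problems" applies to everything.
    return rule_problem == ALL_PROBLEMS or base_problem(event_problem) == rule_problem

def ignore_events(events, ignored):
    """ignored: set of (problem, resource). Resource is assumed to be the
    offender address. Returns the events that remain visible."""
    shown = []
    for e in events:
        if any(rule_covers(p, e["problem"]) and r in e["offenders"] for p, r in ignored):
            continue          # suppressed by an Ignore Events rule
        shown.append(e)
    return shown

def discard_flows(flows, problem, rules):
    """rules: list of (problem, criteria). Criteria is a dict of flow field ->
    value; all fields must match (AND). Returns (kept, discarded)."""
    kept, discarded = [], []
    for f in flows:
        hit = any(rule_covers(p, problem) and all(f.get(k) == v for k, v in c.items())
                  for p, c in rules)
        (discarded if hit else kept).append(f)
    return kept, discarded

# Constructed sample data: 10.0.0.9 is a trusted scanner allowed to SSH
# anywhere; DNS to the internal resolver is never interesting for any problem.
FLOWS = [
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 22, "proto": "TCP", "app": "ssh"},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "dport": 23, "proto": "TCP", "app": "telnet"},
    {"src": "10.0.0.9", "dst": "192.168.1.10", "dport": 22, "proto": "TCP", "app": "ssh"},
    {"src": "10.0.0.9", "dst": "192.168.1.20", "dport": 53, "proto": "UDP", "app": "dns"},
]
DISCARD_RULES = [
    ("Suspicious Flow", {"src": "10.0.0.9", "app": "ssh"}),   # base problem only
    (ALL_PROBLEMS, {"dst": "192.168.1.20", "dport": 53}),     # every problem
]
EVENTS = [
    {"id": 1, "problem": "Suspicious Flow / Telnet", "offenders": ["10.0.0.5"]},
    {"id": 2, "problem": "Suspicious Flow / SSH", "offenders": ["10.0.0.9"]},
    {"id": 3, "problem": "Scan / Port Scan", "offenders": ["10.0.0.9"]},
]
IGNORED = {("Suspicious Flow", "10.0.0.9")}

if __name__ == "__main__":
    kept, dropped = discard_flows(FLOWS, "Suspicious Flow / SSH", DISCARD_RULES)
    print("kept:", kept)
    print("discarded:", dropped)
    print("visible events:", [e["id"] for e in ignore_events(EVENTS, IGNORED)])
```

Note the difference in scope: the SSH rule is saved on the base problem "Suspicious Flow", so it discards the scanner's SSH flows for "Suspicious Flow / SSH" but not for "Scan / Port Scan", whereas the "All Problems" DNS rule discards the resolver traffic everywhere. Removing a criterion in "View Discarded" corresponds to deleting its entry from DISCARD_RULES; flows already discarded are not recovered.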

 

 

2.1b. Manage: The Manage option allows you to manage Problems, Algorithms and Resources.

2.1c. Algorithm Settings: Allows you to set the threshold value for each algorithm and the field type displayed in the Offenders and Targets columns of the event list report.

 

2.1d. Location: The Location option allows you to manage the geographical and topological locations of offenders and targets. Using it you can load/update geographical location data, configure topological locations, view/edit the topological location list, and configure the location mode settings.


  1. Click on the "Location" drop-down box
  2. Select the appropriate option like Load GeoLocation, Add Topolocation, View Topolocation, Location Mode
  3. Specify the requested details
  4. Click "OK"

Load Geolocation: Loads or updates the geographical location data for IP addresses.

Add Topolocation: Configures a topological location for a set of IP addresses.

View Topolocation: Displays the configured topological locations and their associated IP addresses. Also allows you to add or remove IP addresses for the selected topolocation.

Location Mode: Displays the available location modes for the Offender Location and Target Location columns. Choose which type of location (geographical or topological) is shown in these columns of the event list report.


 

2.1e. More Actions: Allows you to change the status of one or more selected events. You can open, close or delete the selected events.

Event Details Report:

The Event Details Report displays all the attributes of a specific event. Click "View" in the event list report to open it. The report shows the event ID and the problem you selected, followed by: volume, packets, hits, unique source IPs, unique destination IPs, unique source networks, unique destination networks, unique source ports, unique destination ports, unique applications, unique TCP flags, unique protocols, unique ToS values, unique in interfaces, unique out interfaces, unique connections and unique router IPs.

 

(Screenshot: event list report)

 

Security Event Troubleshoot Report:

Displays the list of aggregated flows for an event. Click the unique router IP in the Event Details Report to open this report. It shows the distribution of packets and traffic from the sources to the destinations, giving more detail about the event. For each flow you can also see the application type, the ports involved, the protocol, ToS and TCP flags used, the number of packets and the traffic volume.

 

(Screenshot: security event troubleshoot report)

Copyright © 2012, ZOHO Corp. All Rights Reserved.
ManageEngine