The "Security Event List Report" lists the security events detected in the network. The parameters shown for each event are described in the following table:

| Parameter | Description |
|---|---|
| Algorithm Type | An icon representing the aggregation algorithm that produced the event: Source Aggregation, Destination Aggregation, or Router Aggregation. |
| ID | A unique ID assigned to each event, for ease of identification. |
| Problem | The problem class and the specific problem to which the event belongs. |
| Offender Location | The geographical or topological location of the offender. |
| Offenders | The unique source IP/network addresses of the event. |
| Routed Via | The router and interface through which the event's flows were routed. |
| Target Location | The geographical or topological location of the target. |
| Targets | The unique destination IP/network addresses of the event. |
| Time | The date and time of the first flow and the last flow of the event. |
| Hits | The number of flows aggregated into the event. |
| Severity | The severity assigned to the event. There are four levels: Info, Warning, Major, and Critical. They are assigned based on an algorithm. |
| Status | The status of the event (Open or Closed). You can open or close an event, and delete it once the issue is resolved. |
| View | Click "View" to open the Event Details report. |
Note: You can also display IP addresses as resolved DNS names using the "Show DNS" option.
2.1a. White List: The White List option lets you ignore specific events and discard flows that represent trusted or allowed network activity, for specific resources and problems.
Ignore Events: Allows you to ignore events of a given problem for a specific resource. Select the event you want to ignore, click "White List" and select "Ignore Events". In the dialog box that appears, you can see the problem name and the resource to be ignored. Click "OK" to confirm the selection.
Note: The problem displayed here is the base problem and criteria selected can be managed for all the problems derived from the base problem.
View Ignored: Allows you to view the resources ignored for a specific problem. Select a specific event you have already ignored, click "white list" and select "View Ignored". In the new window that appears, you can view the problem name and the resource ignored. You can also remove the resources that were ignored using this option.
Note: Move your mouse over the resource to view the delete button.
Discard Flows: Allows you to discard flows for a specific problem. Select any event of the problem whose flows you want to discard, click "White List" and select "Discard Flows". In the new window that appears, select the criteria (flow fields and values) for which flows should be discarded. Use the "Preview" option to review the selected criteria. Click "Save" to confirm the selection.
Note: The displayed problem here is the base problem and criteria selected is applicable for all the problems derived from the base problem. In order to apply the selected criteria for all the problems detected by ASAM, select "All Problems".
View Discarded: Allows you to view the flow fields and values for which flows are discarded. Select an event of the problem whose flows you have discarded, click "White List" and select "View Discarded". In the new window that appears, you can view the problem name and all the selected criteria. You can also remove selected criteria using this option.
Note: Move your mouse over the field value to view the delete button.
2.1b. Manage: The Manage option allows you to manage Problems, Algorithms, and Resources.
Manage Problem: Allows you to enable or disable a specific problem or a set of problems. Click "Manage Problem" and choose to enable or disable a problem. If a problem is disabled, no events are generated for it.
Manage Algorithm: Allows you to enable or disable a specific algorithm or a set of algorithms. Click "Manage Algorithm" and choose to enable or disable an algorithm. If an algorithm is disabled, ASAM will not use it to generate events. For a base problem such as TCP Syn Violations, you can manage three different algorithms: TCP Syn Violations from Source (SourceAggregation), TCP Syn Violations to Destination (DestinationAggregation), and TCP Syn Violations via Router (RouterAggregation).
Manage Resource: Allows you to enable or disable resources of a specific resource type. Click "Manage Resources"; in the new window that appears, select the resource type and choose to enable or disable the resources of that type. To add a new resource, enter the resource name in the "Enter" text box and click "Add".
Note: A resource is the attribute used to group flows into an event. For example:
Flows routed through a single router IP are aggregated into one event (RouterAggregation).
Flows from a single source IP are aggregated into one event (SourceAggregation).
Flows to a single destination IP are aggregated into one event (DestinationAggregation).
2.1c. Algorithm Settings: Allows you to set the threshold value for the algorithms and the field type displayed in the Offender and Target columns of the Event List report.
Offender/Target settings: You can select specific Offender/Target field to be displayed in the Event List report using this option. Click "Offender/Target settings" and choose the source and destination IP/network field to be displayed in the event list.
2.1d. Location: The Location option allows you to manage the geographical and topological locations of offenders and targets. Using it you can load/update geographical locations, configure topological locations, view/edit the topological location list, and configure location mode settings.
Load Geolocation: Allows you to load/update the geographical location of the IP addresses.
Add Topolocation: Allows you to configure the topological location for IP addresses
View Topolocation: Displays the Configured Topological Location and their associated IP addresses. Also allows you to add/remove IP addresses for the selected topolocation.
Location Mode: Displays the list of location modes for the Offender Location and Target Location columns. You can choose the type of location (geographical or topological) shown in those columns of the Event List report.
2.1e. More Actions: Allows you to change the status of a specific event or a set of selected events. You can open, close, or delete the selected events.
The Event Details Report displays all the attributes of a specific event. Click "View" in the Event List report to reach this page. The report shows the event ID and the problem of the selected event, along with: volume, packets, hits, unique source IPs, unique destination IPs, unique source networks, unique destination networks, unique source ports, unique destination ports, unique applications, unique TCP flags, unique protocols, unique ToS values, unique in-interfaces, unique out-interfaces, unique connections, and unique router IPs.
The aggregated flows report lists the flows aggregated into an event. Click the unique router IP in the Event Details report to view it. This report shows the distribution of packets and traffic from source to destination, giving more detail on what occurred in the event. You can also see the application type, the ports involved, the protocol used, the ToS and TCP flags, the number of packets, and the traffic volume.