Using the Security Threats Dashboard

This article describes how to use the Threats Dashboard to get a quick overview of the threats that the IPS, DNS Protection, and Anti-Malware engines have identified in your network. From the dashboard you can drill down into the threat types and open the relevant events directly.

Overview of Security Threats Dashboard

The Threats Dashboard lets you view the malicious and suspicious threat activity in your network identified by the Anti-Malware and IPS engines, including DNS Protection. The page contains a number of widgets that provide visibility into threat activity. The page also lets you add items to the threats filter to drill down and focus on the relevant threat data and events in your account.

When you create a filter manually or add an item to the current filter, the threat data on the Threats Dashboard page updates automatically. The View Events feature opens the Events page with the same filter applied, so you can go directly from a widget to the underlying events.

Getting Started with Threats Dashboard

The Threats Dashboard page shows the total threat activity over the selected time range. The widgets are arranged in several rows:

  • General security engine threat summary

  • IPS threat summary

  • DNS Protection summary

  • Anti-Malware summary

To show the Threats Dashboard:

[Figure: ThreatsDashboard_Callouts.png, the Threats Dashboard page with numbered callouts]

  • 1 - Events filter bar - Shows the filters that are applied to the events. Click Add to manually configure the settings for a filter.

  • 2 - Time range - Select the time range for the threat data that is shown on the page.

  • 3 - Threat widgets - A summary of threats by threat name, timeline, and physical location.

  • 4 - IPS widgets - IPS threats by threat type, top hosts, and top users.

  • 5 - DNS Protection widgets - DNS Protection threats by threat type, top domains, and top hosts.

  • 6 - Anti-Malware widgets - Anti-Malware threats by file name, top hosts, and top users.

Working with Threats Dashboard Widgets

The Threats Dashboard widgets give you a high-level overview of suspicious and malicious threats in your network.

Understanding the Threat Widgets

The threat widgets provide information about the threats detected by the IPS and Anti-Malware engines. These are the threat widgets:

  • Top Threats - Shows the top threats by threat name and the number of events for each one.

  • Threats Timeline - Shows the number of filtered threats over time. Each threat type is represented by a different color.

    • Hover over the timeline to show the exact threat data for that time bucket.

    • Click a threat type to exclude it from the Threats Dashboard; the page updates automatically.

    • Drag with the mouse to select a smaller time range for the threat data; the page updates automatically.

  • Top Countries - Map of the top physical locations for inbound and outbound traffic:

    • Outbound - traffic from an internal host to the Internet that violates your security policy (IPS engine)

    • Inbound - traffic that used remote port forwarding (RPF) to reach an internal host and that contained a threat (IPS engine)

    • Anti-Malware - traffic that included malware files, both outbound and inbound

Understanding the IPS Widgets

The IPS widgets provide information and threat data about traffic that was blocked by the IPS engine. The threat data is based on the IPS events that were generated by your account. These are the IPS widgets:

  • Threats Type - Shows the name of the IPS threat type and the number of events for each type

  • Top Hosts - Shows a list of the top hosts (source IP address) with the number of IPS events for each host

  • Top Users - Shows the list of top users and their email address with the number of IPS events

Understanding the DNS Protection Widgets

The DNS Protection widgets provide information and threat data about traffic detected by the IPS engine while enforcing the DNS Protection policy. The threat data is based on the DNS Protection events that were generated by your account. These are the DNS Protection widgets:

  • Threats Type - Shows the DNS category name and the number of events for each category

  • Top Domains - Shows a list of the top domains that were blocked with the number of DNS protection events for each domain

  • Top Hosts - Shows a list of the top hosts (source IP address) with the number of DNS protection events for each host

Understanding the Anti-Malware Widgets

The Anti-Malware widgets provide information and threat data about malicious files that were blocked by the Anti-Malware and SentinelOne Next Gen Anti-Malware engines. The threat data is based on the Anti-Malware events that were generated by your account. These are the Anti-Malware widgets:

  • Top Files - Shows the file name of the malicious file and the number of events for each file

  • Top Hosts - Shows a list of the top hosts (source IP address) with the number of Anti-Malware events for each host

  • Top Users - Shows the list of top users and their email address with the number of Anti-Malware events
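The widgets above are all aggregations over one filtered set of events: the filter bar (time range, excluded threat types, engine) selects the events, each widget is a top-N count or a time-bucketed count over that set, and View Events returns the set itself. The following is an added example, not the vendor's code and not the product's export format, that rebuilds those aggregations over constructed sample events so the filter -> widgets -> View Events drill-down can be followed in code. The event fields, the ThreatFilter model and all names, addresses and domains in the sample data are assumptions.

```python
# Added example, not the vendor's code: the Threats Dashboard aggregations
# (top-N widgets, colored timeline buckets, filter drill-down, View Events)
# rebuilt over constructed events. Field names and the filter model are
# assumptions, not the product's export format.
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ThreatEvent:
    time: datetime
    engine: str          # "IPS", "DNS Protection" or "Anti-Malware"
    threat_name: str     # protection or malware name (Top Threats key)
    threat_type: str     # IPS threat type, DNS category or file verdict
    src_ip: str          # the "host" in every Top Hosts widget
    user: str = ""       # email address shown in Top Users
    domain: str = ""     # DNS Protection only
    file_name: str = ""  # Anti-Malware only


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(minutes):
    """Timestamp `minutes` after T0 (constructed sample clock)."""
    return T0 + timedelta(minutes=minutes)


# Constructed sample events; not real traffic.
EVENTS = [
    ThreatEvent(at(1), "IPS", "SQL Injection", "Web Attack", "10.0.0.5", "alice@example.com"),
    ThreatEvent(at(2), "IPS", "SQL Injection", "Web Attack", "10.0.0.5", "alice@example.com"),
    ThreatEvent(at(70), "IPS", "Port Scan", "Scanner", "10.0.0.9", "bob@example.com"),
    ThreatEvent(at(3), "DNS Protection", "Phishing domain", "Phishing", "10.0.0.5",
                "alice@example.com", domain="login-example.test"),
    ThreatEvent(at(80), "DNS Protection", "C2 domain", "Botnet", "10.0.0.7",
                "carol@example.com", domain="beacon.example.test"),
    ThreatEvent(at(5), "Anti-Malware", "Trojan.Generic", "Malicious", "10.0.0.9",
                "bob@example.com", file_name="invoice.exe"),
    ThreatEvent(at(90), "Anti-Malware", "Trojan.Generic", "Malicious", "10.0.0.9",
                "bob@example.com", file_name="invoice.exe"),
    ThreatEvent(at(95), "Anti-Malware", "Eicar-Test", "Suspicious", "10.0.0.7",
                "carol@example.com", file_name="eicar.com"),
]


@dataclass
class ThreatFilter:
    """The events filter bar: time range plus items added by drill-down."""
    start: datetime
    end: datetime                                      # exclusive
    engines: Optional[set] = None                      # None = all engines
    excluded_types: set = field(default_factory=set)   # types clicked out of the timeline


def apply_filter(events, flt):
    """Every widget on the page is computed from this one filtered set."""
    return [e for e in events
            if flt.start <= e.time < flt.end
            and (flt.engines is None or e.engine in flt.engines)
            and e.threat_type not in flt.excluded_types]


def top_by(events, attr, n=5):
    """Top-N widget: list of (value, event count); empty values are ignored."""
    counts = Counter(getattr(e, attr) for e in events if getattr(e, attr))
    return counts.most_common(n)


def timeline(events, start, bucket_minutes=60):
    """Threats Timeline: for each time bucket, the event count per threat type."""
    buckets = defaultdict(Counter)
    for e in events:
        idx = int((e.time - start).total_seconds() // (bucket_minutes * 60))
        buckets[idx][e.threat_type] += 1
    return {k: dict(v) for k, v in sorted(buckets.items())}


def dashboard(events, flt):
    """Recompute every widget row from the filter, as the page does on each change."""
    ev = apply_filter(events, flt)
    ips = [e for e in ev if e.engine == "IPS"]
    dns = [e for e in ev if e.engine == "DNS Protection"]
    am = [e for e in ev if e.engine == "Anti-Malware"]
    return {
        "top_threats": top_by(ev, "threat_name"),
        "timeline": timeline(ev, flt.start),
        "ips": {"types": top_by(ips, "threat_type"),
                "top_hosts": top_by(ips, "src_ip"),
                "top_users": top_by(ips, "user")},
        "dns": {"types": top_by(dns, "threat_type"),
                "top_domains": top_by(dns, "domain"),
                "top_hosts": top_by(dns, "src_ip")},
        "anti_malware": {"top_files": top_by(am, "file_name"),
                         "top_hosts": top_by(am, "src_ip"),
                         "top_users": top_by(am, "user")},
        "view_events": ev,   # what View Events would open on the Events page
    }


if __name__ == "__main__":
    full = dashboard(EVENTS, ThreatFilter(at(0), at(120)))
    print(full["top_threats"], full["timeline"])
    # Drill-down: click "Web Attack" out of the timeline and narrow to the second hour.
    drill = dashboard(EVENTS, ThreatFilter(at(60), at(120), excluded_types={"Web Attack"}))
    print(len(drill["view_events"]), drill["anti_malware"]["top_hosts"])
```

The point to take from the example is that excluding a threat type or narrowing the time range does not touch the widgets directly; it changes the filter, and every widget and the View Events result are recomputed from the same filtered set, which is why the page updates all at once and why the Events page shows exactly the events the widgets were counted from.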
