This article discusses how to use the Threats Dashboard to get a quick overview of threats related to IPS, DNS Protection, and Anti-Malware in your network. You can then drill-down and analyze the threat types and easily open the relevant events.
The Threats Dashboard lets you view the malicious and suspicious threat activity in your network identified by the Anti-Malware and IPS engines, including DNS Protection. The screen contains a number of widgets that provide visibility for threat activity. The screen also lets you add items to the threats filter to drill-down and focus on the relevant threat data and events in your account.
When you manually create a filter or add an item to update the filter, the threat data on the Threats Dashboard screen is updated automatically. The View Events feature opens the Events screen and lets you easily view the relevant events based on the filter in the Threats Dashboard.
The Threats Dashboard screen shows the total threat activity over the time range. There are several rows of widgets in the screen:
- General security engine threat summary
- IPS threat summary
- DNS Protection summary
- Anti-Malware summary
There are two ways to filter the data in the Threats Dashboard and show the items that are most relevant: automatically update the filter with the selected item, or manually configure the filter.
As you hover over an item or field where a filter option is available, the filter button appears. Click the icon to show the filter options:
- Add to Filter - Adds the item to the filter, and the Threats Dashboard now only shows data that includes this item. For example, if you filter for a specific user, the screen only shows threat data that is related to that user. No other threat data is available until you change or clear the filter.
- Exclude from Filter - Updates the filter to exclude this item, and the Threats Dashboard now only shows data that does NOT include this item.
- View Events - Adds this item to the filter, and the Events page opens and shows all the events that match the filter.
You can continue to add items to the filter: click the filter icon again to update the filter and drill down further. Each added item narrows the results, because an event must match every item in the filter to be shown.
The default time range for the threat data is the previous two days. You can select a different time range for the Threats Dashboard to show a longer or shorter time period. For more information, see Setting the Time Range Filter.
The maximum date range for the Threats Dashboard is 90 days.
You can manually configure the filter for greater granularity to analyze the threat activity. After you configure the filter, it is added to the filter bar and the screen is automatically updated to show the threat data that matches the new filter.
To manually configure a filter:
- In the filter bar, click the filter icon.
- Start typing or select the Field.
- Select the Operator, which determines the relationship between the Field and the Value you are searching for.
- Select the Value.
- Click Add Filter. The filter is added to the filter bar and the Threats Dashboard is updated to show results based on the filters.
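The following is an added example, not part of the original article or of the Cato product, that models the filter behaviour described above (Add to Filter, Exclude from Filter, Field/Operator/Value items, the two-day default range and the 90-day maximum) over a few constructed threat events and then ranks them the way the Top Hosts widget does. The event fields, the operator names and the sample data are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample threat events (not real Cato data); "time" is the event timestamp.
BASE = datetime(2024, 1, 10, 12, 0)
EVENTS = [
    {"engine": "IPS", "threat_name": "Example IPS signature A", "src_ip": "10.0.0.5",
     "user": "alice@example.com", "time": BASE - timedelta(hours=1)},
    {"engine": "IPS", "threat_name": "Example IPS signature A", "src_ip": "10.0.0.7",
     "user": "bob@example.com", "time": BASE - timedelta(hours=2)},
    {"engine": "DNS Protection", "threat_name": "Example DNS category", "src_ip": "10.0.0.5",
     "domain": "blocked.example", "time": BASE - timedelta(hours=3)},
    {"engine": "Anti-Malware", "threat_name": "Example malware file", "src_ip": "10.0.0.9",
     "user": "alice@example.com", "time": BASE - timedelta(hours=30)},
    {"engine": "IPS", "threat_name": "Example IPS signature B", "src_ip": "10.0.0.5",
     "user": "alice@example.com", "time": BASE - timedelta(days=5)},  # older than the 2-day default
]

# Assumed operator names, modelled on the Field / Operator / Value filter in the article.
OPERATORS = {"is": lambda a, b: a == b, "contains": lambda a, b: a is not None and b in a}

MAX_RANGE_DAYS = 90  # maximum date range of the Threats Dashboard

def in_time_range(events, end=BASE, days=2):
    """Keep events inside the last `days` days before `end`; the default is the previous two days."""
    if days > MAX_RANGE_DAYS:
        raise ValueError("time range exceeds the 90-day maximum")
    start = end - timedelta(days=days)
    return [e for e in events if start <= e["time"] <= end]

def item_matches(event, item):
    """One filter item: (field, operator, value, mode) where mode is 'include' or 'exclude'."""
    field, operator, value, mode = item
    hit = OPERATORS[operator](event.get(field), value)
    return hit if mode == "include" else not hit

def apply_filter(events, items):
    """All filter items must hold at once, so each added item drills down further."""
    return [e for e in events if all(item_matches(e, i) for i in items)]

def top_counts(events, field, n=5):
    """Widget-style ranking, e.g. Top Threats by threat_name or Top Hosts by src_ip."""
    return Counter(e[field] for e in events if e.get(field) is not None).most_common(n)

if __name__ == "__main__":
    recent = in_time_range(EVENTS)                                  # default two-day range
    items = [("user", "is", "alice@example.com", "include"),        # Add to Filter
             ("engine", "is", "Anti-Malware", "exclude")]           # Exclude from Filter
    print(top_counts(recent, "src_ip"))                             # Top Hosts over the unfiltered range
    print(apply_filter(recent, items))                              # what View Events would open
```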
The Threats Dashboard widgets give you a high-level overview of suspicious and malicious threats in your network.
The threat widgets provide information about the threats detected by the IPS and Anti-Malware engines. These are the threat widgets:
- Top Threats - Shows the top threats by threat name and the number of events for each one.
- Threats Timeline - Shows the number of filtered threats over time. Each threat type is represented by a different color.
  - Hover over the timeline to show the exact threat data for that time bucket.
  - Click a threat type to exclude it from the Threats Dashboard; the screen is updated automatically.
  - Use the mouse to select a smaller time range for the threat data; the screen is updated automatically.
- Top Countries - Map of the top physical locations for inbound and outbound traffic:
  - Outbound - Traffic from an internal host to the Internet that violates your security policy (IPS engine).
  - Inbound - Traffic using remote port forwarding (RPF) to access an internal host, where the traffic contained a threat (IPS engine).
  - Anti-Malware - Traffic that included malware files, both outbound and inbound.
The IPS widgets provide information and threat data about traffic that was blocked by the IPS engine. The threat data is based on the IPS events that were generated by your account. These are the IPS widgets:
- Threats Type - Shows the name of the IPS threat type and the number of events for each type.
- Top Hosts - Shows a list of the top hosts (source IP address) with the number of IPS events for each host.
- Top Users - Shows the list of top users and their email address with the number of IPS events.
The DNS Protection widgets provide information and threat data about traffic detected by the IPS engine in enforcing the DNS Protection policy. The threat data is based on the DNS Protection events that were generated by your account. These are the DNS Protection widgets:
- Threats Type - Shows the name of the DNS category type and the number of events for each type.
- Top Domains - Shows a list of the top domains that were blocked with the number of DNS Protection events for each domain.
- Top Hosts - Shows a list of the top hosts (source IP address) with the number of DNS Protection events for each host.
The Anti-Malware widgets provide information and threat data about malicious files that were blocked by the Anti-Malware and SentinelOne Next Gen Anti-Malware engines. The threat data is based on the Anti-Malware events that were generated by your account. These are the Anti-Malware widgets:
- Top Files - Shows the file name of the malicious file and the number of events for each file.
- Top Hosts - Shows a list of the top hosts (source IP address) with the number of Anti-Malware events for each host.
- Top Users - Shows the list of top users and their email address with the number of Anti-Malware events.