Using the Threats Dashboard

This article discusses how to use the Threats Dashboard to get a quick overview of threats related to IPS, DNS Protection, and Anti-Malware in your network. You can then drill down, analyze the threat types, and easily open the relevant events.

Overview of Threats Dashboard

The Threats Dashboard lets you view the malicious and suspicious threat activity in your network identified by the Anti-Malware and IPS engines, including DNS Protection. The screen contains a number of widgets that provide visibility into threat activity. The screen also lets you add items to the threats filter to drill down and focus on the relevant threat data and events in your account.

When you manually create a filter or add an item to update the filter, the threat data on the Threats Dashboard screen is automatically updated. The View Events feature opens the Events screen and lets you easily view the relevant events based on the filter in the Threats Dashboard.

Getting Started with Threats Dashboard

The Threats Dashboard screen shows the total threat activity over the time range. There are several rows of widgets in the screen:

  • General security engine threat summary

  • IPS threat summary

  • DNS Protection summary

  • Anti-Malware summary

[Screenshot: Threats Dashboard with numbered callouts (ThreatsDashboard_Callouts.png)]

The numbered callouts in the screenshot are:

  1. Events filter bar - Shows the filters that are applied to the events. Click the Add icon to manually configure the settings for a filter.

  2. Time range - Select the time range for the threat data that is shown in the screen.

  3. Threat widgets - A summary of threats according to threat name, timeline, and their physical location.

  4. IPS widgets - IPS threats according to the threat type, top hosts, and top users.

  5. DNS Protection widgets - DNS Protection threats according to threat type, top domains, and top hosts.

  6. Anti-Malware widgets - Anti-Malware threats according to the file name, top hosts, and top users.

Configuring Filters to Analyze Threat Data

There are two ways to filter the data in the Threats Dashboard and show the items that are most relevant: automatically update the filter with the selected item, or manually configure the filter.

Automatically Filtering for an Item

As you hover over an item or field where a filter option is available, the Filter button appears. Click the icon to show the filter options:

  • Add to Filter - Adds the item to the filter, and the Threats Dashboard now only shows data that includes this item. For example, if you filter for a specific user, the screen only shows threat data that is related to that user. No other threat data is available until you change or clear the filter.

  • Exclude from Filter - Updates the filter to exclude this item, and the Threats Dashboard now only shows data that does NOT include this item.

  • View Events - Adds this item to the filter, and the Events page opens and shows all the events that match the filter.

You can continue to add items to the filter: click the Filter button again to update the filter and drill down further.

Selecting the Time Range

The default time range for the threat data is the previous two days. You can select a different time range for the Threats Dashboard to show a longer or shorter time period. For more information, see Setting the Time Range Filter.

The maximum date range for the Threats Dashboard is 90 days.

Manually Configuring the Filter

You can manually configure the filter for greater granularity to analyze the threat activity. After you configure the filter, it is added to the filter bar and the screen is automatically updated to show the threat data that matches the new filter.

[Screenshot: manually configuring a filter (TD_ManualFilter.png)]

To manually configure a filter:

  1. In the filter bar, click the Add icon.

  2. Start typing or select the Field.

  3. Select the Operator, which determines the relationship between the Field and the Value you are searching for.

  4. Select the Value.

  5. Click Add Filter. The filter is added to the filter bar and the Threats Dashboard is updated to show results based on the filters.

Clearing the Filter

You can remove each item in the filter separately, or clear the entire filter.

[Screenshot: filter bar with callouts for clearing filters (TD_ClearFilter.png)]

To clear the filters for the Threats Dashboard:

  1. To clear a single filter, click the remove icon next to the filter (item 1 above).

  2. To clear all the filters, click X at the right end of the filter bar (item 2 above).

Working with Threats Dashboard Widgets

The Threats Dashboard widgets give you a high-level overview of suspicious and malicious threats in your network.

Understanding the Threat Widgets

The threat widgets provide information about the threats detected by the IPS and Anti-Malware engines. These are the threat widgets:

  • Top Threats - Shows top threats according to the threat name and the number of events for each one.

  • Threats Timeline - Shows the number of filtered threats. Each threat type is represented by a different color.

    • Hover over the timeline to show the exact threat data for that time bucket.

    • Click a threat type to exclude it from the Threats Dashboard; the screen is automatically updated.

    • Use the mouse to select a smaller time range for the threat data; the screen is automatically updated.

  • Top Countries - Map of the top physical locations for inbound and outbound traffic:

    • Outbound - traffic from an internal host to the Internet which violates your security policy (IPS engine)

    • Inbound - traffic using remote port forwarding (RPF) to access an internal host which contained a threat (IPS engine)

    • Anti-Malware - traffic that included malware files, includes both outbound and inbound

Understanding the IPS Widgets

The IPS widgets provide information and threat data about traffic that was blocked by the IPS engine. The threat data is based on the IPS events that were generated by your account. These are the IPS widgets:

  • Threats Type - Shows the name of the IPS threat type and the number of events for each type

  • Top Hosts - Shows a list of the top hosts (source IP address) with the number of IPS events for each host

  • Top Users - Shows the list of top users and their email address with the number of IPS events

Understanding the DNS Protection Widgets

The DNS Protection widgets provide information and threat data about traffic detected by the IPS engine when enforcing the DNS Protection policy. The threat data is based on the DNS Protection events that were generated by your account. These are the DNS Protection widgets:

  • Threats Type - Shows the name of the DNS category type and the number of events for each type

  • Top Domains - Shows a list of the top domains that were blocked with the number of DNS protection events for each domain

  • Top Hosts - Shows a list of the top hosts (source IP address) with the number of DNS protection events for each host

Understanding the Anti-Malware Widgets

The Anti-Malware widgets provide information and threat data about malicious files that were blocked by the Anti-Malware and SentinelOne Next Gen Anti-Malware engines. The threat data is based on the Anti-Malware events that were generated by your account. These are the Anti-Malware widgets:

  • Top Files - Shows the file name of the malicious file and the number of events for each file

  • Top Hosts - Shows a list of the top hosts (source IP address) with the number of Anti-Malware events for each host

  • Top Users - Shows the list of top users and their email address with the number of Anti-Malware events
