Incident Logs
Navigate to Threats > Incident Logs to view the threat intelligence incident logs created by Threat Defender.
By default, the log displays all incidents contained in the database. Nine different PDF reports of the incident logs, which differ in the reporting period and in the data reported, can be downloaded by clicking the respective button at the top of the screen.
The chart and the Incident Logs table next to it display the incidents logged in the previous 24 hours over time and by severity. If you click a section of the chart or the table, the log is automatically filtered accordingly.
You can also filter the log entries using the filter field above the log table. Alternatively, you can filter the log table by hovering the mouse over one of the cells and clicking the respective icon to include or to exclude matching elements in the filtered results.
Filtered views display the active filters. Click the icon next to a filter to remove it.
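The two views described above, the chart of the previous 24 hours broken down by severity and the include/exclude cell filters with their list of active filters, are straightforward to reproduce offline on exported data. The following Python is an added example and is not part of the Threat Defender documentation or product: the record layout, the sample incidents, their timestamps and the action, type and rule values are constructed for illustration and do not represent Threat Defender's export format.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Incident:
    """Subset of the Event tab fields; values are constructed placeholders."""
    created_at: datetime
    severity: str
    action: str
    type: str
    rule: str
    flow_id: int


@dataclass(frozen=True)
class Filter:
    """One active filter: include=True keeps matches, include=False drops them."""
    field: str
    value: str
    include: bool


# Constructed reference time and sample incidents (not real log data).
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Incident(NOW - timedelta(hours=1), "high", "drop", "ip", "ti-rule-a", 101),
    Incident(NOW - timedelta(hours=5), "medium", "alert", "domain", "ti-rule-b", 102),
    Incident(NOW - timedelta(hours=23), "high", "alert", "url", "ti-rule-c", 103),
    Incident(NOW - timedelta(hours=30), "low", "alert", "ip", "ti-rule-d", 104),
]


def last_24h(incidents, now=NOW):
    """Incidents logged within the 24 hours before `now` (inclusive bounds)."""
    start = now - timedelta(hours=24)
    return [i for i in incidents if start <= i.created_at <= now]


def by_severity(incidents):
    """Severity breakdown, i.e. the data behind the chart legend."""
    return Counter(i.severity for i in incidents)


def per_hour_by_severity(incidents, now=NOW):
    """Chart buckets: hours before `now` -> Counter of severities."""
    buckets = {}
    for i in incidents:
        hours_ago = int((now - i.created_at).total_seconds() // 3600)
        buckets.setdefault(hours_ago, Counter())[i.severity] += 1
    return buckets


def apply_filters(incidents, filters):
    """Apply include/exclude filters; every filter must be satisfied."""
    out = []
    for inc in incidents:
        keep = True
        for f in filters:
            matches = getattr(inc, f.field) == f.value
            if matches != f.include:  # include wants a match, exclude wants none
                keep = False
                break
        if keep:
            out.append(inc)
    return out


def describe_filters(filters):
    """Human-readable list of the active filters, as a filtered view shows."""
    return [f"{f.field} {'=' if f.include else '!='} {f.value}" for f in filters]


if __name__ == "__main__":
    recent = last_24h(SAMPLE)
    print("last 24h by severity:", dict(by_severity(recent)))
    active = [Filter("severity", "high", True), Filter("action", "drop", False)]
    print("active filters:", describe_filters(active))
    print("flow ids:", [i.flow_id for i in apply_filters(recent, active)])
```

The filters compose with AND semantics, matching what a stack of cell include/exclude selections produces; removing a `Filter` from the list is the equivalent of clicking its remove icon in the filtered view.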
Incident Details
To see further details on a log entry, click the icon in the last table column or double-click its row. The details page displays the available information on the logged TI incident in several tabs.
Click Create Full Report or Create Summary Report at the top of the screen if you wish to create a downloadable PDF report on the incident. The full report contains all information from all tabs displayed in the details page. The summary report contains only the information on the Event tab.
The Event tab provides an overview of the logged incident:
Field | Description
---|---
Created At | The date and time the incident was logged.
Severity | The severity of the detected incident.
Action | The rule action logged for the incident. Actions are
Type | The type of the reported incident;
Policy | The policy involved. Click the policy to directly access the correlation scenario under Advanced Correlation.
Rule | The name of the rule that logged the incident. Click the rule to directly access the relevant section in Analytics.
Indicator Value | The value of the detected indicator.
IPS Rule | The IPS rule that was triggered. Click the rule to access its entry in the threat intelligence database of Threat Defender.
Classification | The application and/or protocol involved in the incident. Click the entry to directly access the relevant section in Analytics.
User | Click the icon and/or the name of the user involved in the incident to access the relevant section in Analytics.
Transport | The transport protocol used.
VLAN | The VLAN ID of the flow involved in the incident.
Flow Id | The ID of the flow involved in the incident.
URL | The URL involved in the incident.
Source/Destination | This table displays source and destination information on the traffic flow involved in the incident: interfaces, assets, MAC and IP addresses, locations, ports and countries. Many of the entries are links that take you to the relevant sections in Analytics.
In addition to information on the incident itself, the details page also aggregates the following data, where available:
The Related Indicators tab shows information on any indicators related to the incident.
The Source Asset and Destination Asset tabs display excerpts from the assets database with information on the source and destination assets involved in the incident. See Asset Details for further information on the data tables.
The User tab provides information on the user of the source asset from the users database. See User Details for further information on the data tables.