Incident Logs

Navigate to Threats > Incident Logs to view the threat intelligence incident logs created by Threat Defender.

By default, the log displays all incidents contained in the database. By clicking the respective button at the top of the screen, you can create nine different downloadable PDF reports of the incident logs, which differ in reporting period and reported data.

The chart and the Incident Logs table next to it display the incidents logged in the previous 24 hours over time and by severity. If you click a section of the chart or the table, the log is automatically filtered accordingly.

You can also filter the log entries using the filter field above the log table. Alternatively, you can filter the log table by hovering the mouse over one of the cells and clicking the filter icon to include, or the filter-remove icon to exclude, matching elements in the filtered results.

Filtered views display the active filters. Click the delete icon to remove the respective filter option.

Incident Details

To see further details on a log entry, click the view icon in the last table column or double-click its row. The details page displays the available information on the logged TI incident in several tabs.

Click CREATE FULL REPORT or CREATE SUMMARY REPORT at the top of the screen if you wish to create a downloadable PDF report on the incident. The full report contains all information from all tabs displayed in the details page. The summary report contains only the information on the Event tab.

The Event tab provides an overview of the logged incident:

Created At: The date and time the incident was logged.

Severity: The severity of the detected incident.

Action: The rule action logged for the incident. Actions are allow, reject and drop.

Policy: The policy involved. Click the policy to directly access the correlation scenario under Advanced Correlation.

Rule: The name of the rule that logged the incident. Click the rule to directly access the relevant section in Analytics.

Indicator Value: The value of the detected indicator.

IPS Rule: The IPS rule that was triggered. Click the rule to access its entry in the threat intelligence database of Threat Defender.

Classification: The application and/or protocol involved in the incident. Click the entry to directly access the relevant section in Analytics.

User: Click the analytics icon and/or the name of the user involved in the incident to access the relevant section in Analytics.

Transport: The transport protocol used.

VLAN: The VLAN ID of the flow involved in the incident.

Flow Id: The ID of the flow involved in the incident.

URL: The URL involved in the incident.

Source/Destination: This table displays source and destination information on the traffic flow involved in the incident: interfaces, assets, MAC and IP addresses, locations, ports and countries. Many of the entries are links that take you to the relevant sections in Analytics.

In addition to information on the incident itself, the details page also aggregates the following data, where available:

  • The Related Indicators tab shows information on any indicators related to the incident.

  • The Source Asset and Destination Asset tabs display excerpts from the assets database with information on the source and destination assets involved in the incident. See Asset Details for further information on the data tables.

  • The User tab provides information on the user of the source asset from the users database. See User Details for further information on the data tables.