Incident Logs

Navigate to Threats > Incident Logs to view the threat intelligence incident logs created by Threat Defender.

By default, the log displays all threat intelligence log incidents contained in the database. You can create nine different downloadable PDF reports of the incident logs that vary with respect to the reporting period and the reported data by clicking the respective button at the top of the screen.

The chart and the Incident Logs table next to it display the incidents logged in the previous 24 hours over time and by severity. If you click a section of the chart or the table, the log is automatically filtered accordingly.

You can also filter the log entries using the filter field above the log table. Alternatively, you can filter the log table by hovering the mouse over one of its cells and clicking the include or exclude icon that appears. The include icon restricts the results to elements matching the cell value; the exclude icon removes the respective elements from the results.

Filtered views display the active filters. Click the icon next to a filter to remove the respective filter option.

The log table contains the following information:

| Field | Description |
| --- | --- |
| Created At | The date and time the incident was logged. |
| Severity | The severity of the detected incident. |
| Action | The rule action logged for the incident. Actions are allow, reject and drop. |
| Rule | The rule that logged the incident. |
| Indicator | The detected indicator. |
| Classification | The application and/or protocol involved in the incident, separated by a colon. |
| Assets | The source and destination assets involved in the incident. |
| IP Addresses | The source and destination IP addresses of the flow involved in the incident. |
| Ports | The source and destination ports of the flow involved in the incident. |
| Countries | The source and destination countries of the flow involved in the incident. |
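The 24-hour-by-severity view of the chart and the include/exclude cell filters described above, reproduced over exported records as an added example (this is not Threat Defender code, and the record layout below is constructed; the page defines no export format). The keys mirror the columns of the Incident Logs table.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample incidents (not a Threat Defender export); keys mirror the
# Incident Logs table columns. Pairs are (source, destination).
INCIDENTS = [
    {"created_at": "2024-05-01T08:15:00Z", "severity": "high", "action": "drop",
     "rule": "TI: listed addresses", "indicator": "198.51.100.23",
     "classification": "tcp:https", "assets": ("ws-0142", "external"),
     "ip_addresses": ("10.1.2.42", "198.51.100.23"), "ports": (51234, 443),
     "countries": ("DE", "US")},
    {"created_at": "2024-05-01T09:40:00Z", "severity": "medium", "action": "reject",
     "rule": "TI: listed domains", "indicator": "bad.example",
     "classification": "udp:dns", "assets": ("ws-0142", "dns-1"),
     "ip_addresses": ("10.1.2.42", "10.1.0.53"), "ports": (40000, 53),
     "countries": ("DE", "DE")},
    {"created_at": "2024-04-29T12:00:00Z", "severity": "high", "action": "allow",
     "rule": "TI: scanner ranges", "indicator": "203.0.113.0/24",
     "classification": "tcp:ssh", "assets": ("external", "bastion"),
     "ip_addresses": ("203.0.113.9", "10.1.0.22"), "ports": (3333, 22),
     "countries": ("NL", "DE")},
]


def parse_ts(value):
    """Parse the constructed 'Created At' timestamp (UTC, ISO 8601 with Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed reference time for the 24-hour window.
NOW = parse_ts("2024-05-01T10:00:00Z")


def last_24h_by_severity(incidents, now):
    """Count incidents logged in the 24 hours before `now`, keyed by severity
    (the breakdown the chart next to the log table shows)."""
    cutoff = now - timedelta(hours=24)
    return Counter(i["severity"] for i in incidents
                   if parse_ts(i["created_at"]) >= cutoff)


def filter_incidents(incidents, include=None, exclude=None):
    """Mimic the cell filters: `include` keeps only rows whose field equals the
    value, `exclude` drops rows whose field equals the value. Both map a
    column name to a value; several filters combine as in a filtered view."""
    include, exclude = include or {}, exclude or {}
    return [i for i in incidents
            if all(i[f] == v for f, v in include.items())
            and not any(i[f] == v for f, v in exclude.items())]
```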

Incident Details

To see further details on a log entry, click the details icon in the last table column or double-click its row. The details page displays the available information on the logged TI incident in several tabs.

Click CREATE FULL REPORT or CREATE SUMMARY REPORT at the top of the screen if you wish to create a downloadable PDF report on the incident. The full report contains all information from all tabs displayed in the details page. The summary report contains only the information on the Event tab.

The Event tab provides an overview of the logged incident:

| Field | Description |
| --- | --- |
| Created At | The date and time the incident was logged. |
| Severity | The severity of the detected incident. |
| Action | The rule action logged for the incident. Actions are allow, reject and drop. |
| Policy | The policy involved. Click the policy to directly access the correlation scenario under Advanced Correlation. |
| Rule | The name of the rule that logged the incident. Click the rule to directly access the relevant section in Analytics. |
| Indicator Value | The value of the detected indicator. |
| IPS Rule | The IPS rule that was triggered. Click the rule to access its entry in the threat intelligence database of Threat Defender. |
| Classification | The application and/or protocol involved in the incident. Click the entry to directly access the relevant section in Analytics. |
| User | The user involved in the incident. Click the user to directly access the relevant section in Analytics. |
| Transport | The transport protocol used. |
| VLAN | The VLAN ID of the flow involved in the incident. |
| Flow Id | The ID of the flow involved in the incident. |
| URL | The URL involved in the incident. |
| Source/Destination | This table displays source and destination information on the traffic flow involved in the incident: interfaces, assets, MAC and IP addresses, locations, ports and countries. Many of the entries are links that take you to the relevant sections in Analytics. |

In addition to information on the incident itself, the details page also aggregates the following data, where available:

  • The Related Indicators tab shows information on any indicators related to the incident.
  • The Source Asset and Destination Asset tabs display excerpts from the assets database with information on the source and destination assets involved in the incident. See Asset Details for further information on the data tables.
  • The User tab provides information on the user of the source asset from the users database. See User Details for further information on the data tables.
