Analysis
- Last Updated: April 5, 2026
Analysis is a basic interface element that is displayed right after logging into the application. The Analysis page provides an overall picture of what is happening on the network. It consists of two tabs - Methods and IDS Categories. The Methods tab allows you to browse events detected by the Anomaly Detection System. The IDS Categories tab is only available when the IDS Collector is enabled (for more information, refer to the IDS Collector page) and can be used to browse events from the IDS collector. You can search for a specific event by its ID, or for a specific FPI traffic record, by clicking Choose events by ID in the top-right corner of the page. The default view shows events for the last 24 hours, and the view can be adjusted with various search criteria (see the sections below).
Filtering section
The filtering criteria used to adjust the displayed content differ for events detected by the Anomaly Detection System and events from the IDS collector. In the following subsections, the filtering criteria are divided according to whether they apply to both types of events or only to one type of event:
Common filtering options:
- Date: The relevant period for displaying information. You can specify the period directly or choose it from the associated calendar (Custom time interval).
- Refresh button: If this is enabled, the data automatically refreshes every 5 minutes.
- Source IP: Displays events only for the IP addresses specified in this field. It is possible to enter IP addresses in the following formats:
  - Single IP address, for IP versions 4 and 6 (for example, 192.168.2.1, 2001:db8::beef), or a comma-separated list of single IP addresses
  - Network address with mask, for IP versions 4 and 6 (for example, 192.168.1.0/24, fc00::/7)
  - Range of IP addresses, for IP versions 4 and 6 (for example, 10.0.1.2-10.0.1.10, fe80::-fe80::ffff)
  - Wildcard notation for IPv4 addresses (enumeration, range, all); only a single wildcard can be used in one IP address. Examples:
    - 192.168.{1,3,20}.1: IP addresses 192.168.1.1, 192.168.3.1 and 192.168.20.1
    - 10.[1-3].0.0: IP addresses 10.1.0.0, 10.2.0.0 and 10.3.0.0
    - 172.16.*.1: Same as 172.16.[0-255].0
Filtering options for the ADS events:
- Perspective: The events are displayed according to the selected priority.
- Data feed: Allows you to display only events that were detected by inspecting the flows from the specified data feed.
Filtering options for the IDS events:
- IDS data source: Allows you to display only events that were received by the IDS collector from a specific source.
- Targets: Displays only events that contain the specified IP addresses as their targets. IP addresses can be entered in the same formats that are described above for the Source IP address.
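The Source IP and Targets fields accept the same address notations, and the only constraint the page states is that a wildcard may appear in one octet of an IPv4 address. The following is an added Python example, not code from Flowmon or its documentation: it compiles a filter string in the formats listed above into a matcher and applies it to a few constructed sample events. The `IPFilter` class, `is_valid_filter`, `select_events` and the sample events are assumptions made for illustration; the documented ADS behaviour is only that matching events are displayed.

```python
import ipaddress
import re


def _split_terms(text):
    """Split a comma-separated filter on commas that are not inside {...}.
    (The enumeration wildcard 192.168.{1,3,20}.1 itself contains commas.)"""
    terms, current, depth = [], [], 0
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            terms.append("".join(current))
            current = []
        else:
            current.append(ch)
    terms.append("".join(current))
    return [t.strip() for t in terms if t.strip()]


def _expand_ipv4_wildcard(expr):
    """Expand one IPv4 wildcard expression ({a,b} enumeration, [a-b] range or *)
    into the set of addresses it denotes. Exactly one octet may be a wildcard."""
    octets = expr.split(".")
    if len(octets) != 4:
        raise ValueError(f"wildcard notation is IPv4-only: {expr!r}")
    positions = [i for i, o in enumerate(octets) if not o.isdigit()]
    if len(positions) != 1:
        raise ValueError(f"exactly one wildcard octet is allowed: {expr!r}")
    pos, token = positions[0], octets[positions[0]]
    if token == "*":
        values = range(256)
    elif token.startswith("{") and token.endswith("}"):
        values = [int(v) for v in token[1:-1].split(",")]
    elif (m := re.fullmatch(r"\[(\d+)-(\d+)\]", token)):
        values = range(int(m.group(1)), int(m.group(2)) + 1)
    else:
        raise ValueError(f"unknown wildcard token {token!r} in {expr!r}")
    expanded = set()
    for v in values:
        parts = list(octets)
        parts[pos] = str(v)
        # IPv4Address raises a ValueError subclass if an octet exceeds 255
        expanded.add(ipaddress.IPv4Address(".".join(parts)))
    return expanded


class IPFilter:
    """Compiled form of a Source IP / Targets filter field (hypothetical helper)."""

    def __init__(self, text):
        self.networks, self.ranges, self.explicit = [], [], set()
        for term in _split_terms(text):
            if any(c in term for c in "{[*"):
                self.explicit |= _expand_ipv4_wildcard(term)
            elif "-" in term:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in term.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    raise ValueError(f"bad address range: {term!r}")
                self.ranges.append((lo, hi))
            else:
                # single address (implicit /32 or /128) or network with mask
                self.networks.append(ipaddress.ip_network(term, strict=False))

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.explicit:
            return True
        if any(addr.version == n.version and addr in n for n in self.networks):
            return True
        # ranges are compared per address family; mixing families raises TypeError
        return any(addr.version == lo.version and lo <= addr <= hi
                   for lo, hi in self.ranges)


def is_valid_filter(text):
    """True when the field would be accepted, False when it should be rejected."""
    try:
        IPFilter(text)
        return True
    except ValueError:
        return False


# Constructed sample events (not real Flowmon output), carrying only the
# source and target attributes the Events by priority table exposes.
SAMPLE_EVENTS = [
    {"id": 101, "source": "192.168.3.1", "targets": ["10.0.1.5"]},
    {"id": 102, "source": "172.16.9.9", "targets": ["10.0.1.99"]},
    {"id": 103, "source": "2001:db8::beef", "targets": ["fd00::10"]},
]


def select_events(events, source_filter=None, targets_filter=None):
    """Return the IDs of events passing the Source IP and Targets filters."""
    src = IPFilter(source_filter) if source_filter else None
    tgt = IPFilter(targets_filter) if targets_filter else None
    selected = []
    for ev in events:
        if src and not src.matches(ev["source"]):
            continue
        if tgt and not any(tgt.matches(t) for t in ev["targets"]):
            continue
        selected.append(ev["id"])
    return selected
```

Calling `select_events(SAMPLE_EVENTS, source_filter="192.168.{1,3,20}.1, 2001:db8::/32")` keeps events 101 and 103; a filter such as `10.[1-2].*.1` is rejected because two octets carry wildcards.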
Summary section
This section briefly describes what is happening in the monitored network and should help with faster orientation and selection of what to focus on. The information is grouped into four different categories:
- Flows/s - Provides an overview of the number of processed flows per second in addition to a comparison of how this value differs from the previous interval and (if the license limit is exceeded) the percentage of dropped flows and the number of dropped flows per second.
- Events - Presents the host with the highest number of events, and (if that makes sense) the host with the most significant change in event count too.
- Threat score - Presents the host with the highest threat score, and (if that makes sense) the host with the most significant change in Threat score too. (See the By Hosts page for what the Threat score is.)
- Methods - Presents methods that did not trigger any event in a previous interval or methods with a significant increase in trend compared to the previous interval. In a situation where too many methods would be shown, only the most significant methods (in terms of the highest increase in trend or priority) are present.
Charts section
The Flows chart is only available on the Methods tab. It displays the number of flows per second in a specified time interval. If the license is exceeded it will also show the number of unprocessed flows. On the right side of this chart, there is an indicator of the flow processing status. The Events chart is a stacked column chart that visualizes the count of events according to their type or priority. It is possible to switch between these two types of displays with buttons in the top-right corner of the chart.
You can filter the displayed data using checkboxes on the right side next to the chart.
You can extend this view by clicking the button in the upper-left corner of this section. It is possible to filter displayed events according to their priority or event type, depending on the view that is currently active. Data displayed in the chart is affected by the selected filtering options described above.
The chart provides a context menu that is displayed after hovering over the graph. Using this menu over the selected interval, you can zoom in, zoom out, reset the zoom to the default time period, or shift the selected interval. On the Methods tab, the context menu also contains a button that displays the chart data in other views (Aggregated view, Simple list, By hosts, and By MITRE). All of these actions are available as buttons in the context menu.
The button above the Events chart opens the chart settings menu. This menu provides configuration options that can temporarily (until the page reloads) switch the scale of the vertical axis (Linear, Logarithmic) and the color scheme of the graph (Modern, Contrast). A permanent change of the settings is possible on the User Settings page (the link is included in the chart settings menu).
Events by priority section
This part of the user interface contains a summary of all events that were created and their count for each event type. Events in the section Events by priority can be filtered as per the settings in the Events chart. On the right side of the table, there is a sparkline that visualizes trend analysis for each event type by comparing the selected time range (in the Events graph) and the preceding time range of the same length. On the far right side of the table, it is possible to see a calculated trend in percentages. The direction of the trend is visualized by an arrow. The red arrow pointing up without percentages means that the preceding time range does not contain any events to compare. More details about the comparison can be displayed by clicking twice on the sparkline. The first click on the sparkline loads details about the preceding time range and the second displays the comparison.
Each row in the table can be expanded to display more detailed information. The number of IP addresses displayed is limited to the 10 most important records. It is also possible to show more records.
The IP address row contains:
- Source IP address
- Source IP filters (only on the Methods tab)
- Events count
- Related events
Actions are available in the context menu.
Each IP address row can be expanded to display a graph that captures the detected activity of a particular IP address in the selected time period. Under the graph, there is a list of events. The number of displayed events is limited to the 10 most important records. It is also possible to show more records.
The event row contains various attributes. Some of them are common for all events but there are also specific ones for events detected by the Anomaly Detection System or events from the IDS collector.
Common attributes:
- Event ID - allows opening the event detail in a new browser tab
- Detection time
- Time of the last event update
- Detail
- Targets
Attributes specific to the ADS events:
- Data feed
- Method instance
- Comments
- Categories
- Applications
Attributes specific to the IDS events:
- Log source IP
- Log source interface
Actions are available in the context menu.
The button in the Events by priority header opens a settings menu. This menu provides configuration options that can temporarily (until the page reloads) turn on/off the filtering of the results as per the settings in the Events chart and toggle on/off the trend analysis graphs in the table. A permanent change of the settings is possible on the User Settings page (the link is included in the settings menu).