Event Detail
- Last Updated: April 5, 2026
The Event detail view is available through the context menu that you activate by clicking the three dots icon at the end of the row of a detected event. Another way to open the Event detail view is to click the ID of a detected event. Event details include all available information related to an event (for detailed descriptions, see the section below).
Control bar
The control bar contains the event ID and the following actions:
- Copy event ID: Clicking the icon next to the event ID copies the event ID to the clipboard.
- Dock window: Opens the event detail in a new ADS tab.
Event header
The event header contains the detection method and submethod (or the name of an IDS category) and the following actions:
- Initiate response: Allows manual triggering of a custom script. When clicked, it opens a window for specifying the script's attributes. The opened event is provided as input to the script. The perspective and priority fields are left empty.
  - Custom script: The custom script to be executed. Scripts can be uploaded by the admin user in Settings → System Settings → Custom scripts. For more info about adding a new script, see the Custom Scripts Guide.
  - Parameters: Parameters for the custom script (based on the selected script).
  - Log script trigger: The execution of the script is logged as an event comment. This can be used by an admin user, or by a non-admin user if event categorization is allowed for non-admin users in Settings → System Settings → General settings. The Event detail must be reloaded for the comment to be visible.
- Mark as False Positive: Allows you to create a false positive rule with prefilled parameters based on the opened event.
Event labels
There are two labels that may appear next to the name of the detection method and submethod inside the Event header:
- False positive: This label is present when the event is considered a false positive (according to the rules for marking events as false positives currently in effect). You can mark an event as a false positive by using the Mark as false positive option in the context menu or through a button in the Event detail. When marking an event, you must enter the expiration time of the false positive rule (individual days of the week, time tolerance). Marking an event as a false positive means that an event of the same type and originator will not be generated while the false positive rule is in effect.
- Probability: This label is present when the certainty of the detected behavior being an actual event is less than one hundred percent.
Information in an Event detail
The information available in Event detail differs based on whether an event is detected by the Anomaly Detection System or received by the IDS collector. Both types of events share the following information:
- Detail: Detailed information on the event.
- Detection time: Date and time when a particular event was detected.
- Last update: Date and time when a particular event was updated for the last time.
- First Flow: Timestamp of the first flow on which the event detection was based.
- Duration: The duration between the Detection time and the Last update time.
- Event source: Originator of an event (IP address).
- User identity: User ID obtained from a domain controller (for more information, see the Flowmon collector documentation).
The following information is only available for events detected by the Anomaly Detection System:
- Captured source hostname: DNS name assigned to the IP address at the time of event detection.
- MAC address: MAC address (the most used one) detected in relation to the event source IP.
- Detected by instance: Name of the detection method instance that generated the event.
- Data feed: Flow data source on which the event was generated.
- Categories: Categories assigned to the event. You can manage the assigned categories using the add or edit button.
The following information is available only for events received by the IDS collector:
- Source port: Source port of the communication on which the detection was performed.
- Destination port: Destination port of the communication on which the detection was performed.
- Log source interface: Name of the interface where the event was detected.
- Log source IP: The IP address of the source where the event was detected.
Tabs
Some information is also structured in tabs. As above, some tabs are available for both event types (those detected by the Anomaly Detection System and those received by the IDS collector). These are the following:
- Targets: Event targets (a list of IP addresses). The targets can be grouped by individual countries, address prefixes, or applications.
- Attributes: Each event consists of attributes that provide additional information about the detected event. The attributes may vary depending on the event method and the event type (detected by the Anomaly Detection System or received by the IDS collector). The values of the most important attributes in ADS events are also included in the text string displayed in the Detail field.
- Event visualisation: Displays an interactive event visualisation. For more info, see the Interactive Event Visualisation chapter.
- Related IDS events: Shows events from the IDS Collector module which may be related to ADS events. By default, the source IP of an event in Flowmon ADS (Search by source IP option) is used for searching IDS events. If the source IP of the ADS event is equal to the source or destination IP of the IDS event, the IDS event is selected. Similarly, IDS events can be searched by the ADS event target IPs (Search by destination IPs option). If one of the targets of the ADS event is equal to the source or destination IP of the IDS event, the IDS event is selected. If both options are unchecked, IDS events with any source or destination IP are selected. IDS events are searched in the time interval Detection time +/- 10 minutes.
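The matching rules of the Related IDS events tab, reproduced as an added example (not Flowmon's own code): the event classes, field names and sample events are constructed assumptions, and when both search options are enabled it is assumed that a match on either the source IP or a target IP is sufficient.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed data model; field names are assumptions, not Flowmon's API.
@dataclass
class AdsEvent:
    source_ip: str
    targets: list          # ADS event targets (IP addresses)
    detection_time: datetime

@dataclass
class IdsEvent:
    src_ip: str
    dst_ip: str
    timestamp: datetime

WINDOW = timedelta(minutes=10)   # Detection time +/- 10 minutes

def related_ids_events(ads, ids_events, by_source_ip=True, by_destination_ips=False):
    """Select IDS events related to an ADS event.

    - Only IDS events within Detection time +/- 10 minutes are considered.
    - Search by source IP: ADS source IP must equal the IDS source or destination IP.
    - Search by destination IPs: one ADS target must equal the IDS source or destination IP.
    - Both options unchecked: any IDS event in the time window is selected.
    Assumption: with both options enabled, either kind of match selects the event.
    """
    matches = []
    for ids in ids_events:
        if abs(ids.timestamp - ads.detection_time) > WINDOW:
            continue                       # outside the search interval
        ids_ips = {ids.src_ip, ids.dst_ip}
        if not by_source_ip and not by_destination_ips:
            matches.append(ids)            # no IP filter at all
            continue
        src_hit = by_source_ip and ads.source_ip in ids_ips
        dst_hit = by_destination_ips and any(t in ids_ips for t in ads.targets)
        if src_hit or dst_hit:
            matches.append(ids)
    return matches

# Constructed sample data (documentation-range addresses).
T0 = datetime(2026, 4, 5, 12, 0, 0)
SAMPLE_ADS = AdsEvent("10.0.0.5", ["192.168.1.20", "192.168.1.21"], T0)
SAMPLE_IDS = [
    IdsEvent("10.0.0.5", "203.0.113.9", T0 + timedelta(minutes=3)),       # source IP match
    IdsEvent("198.51.100.7", "192.168.1.21", T0 - timedelta(minutes=8)),  # target IP match
    IdsEvent("10.0.0.5", "203.0.113.9", T0 + timedelta(minutes=15)),      # outside window
    IdsEvent("198.51.100.8", "198.51.100.9", T0),                         # no IP match
]
```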
Tabs available only for events detected by the Anomaly Detection System:
- Info: This tab contains three subsections:
  - Summary: Summary of the event with information about the detected MITRE ATT&CK tactics and techniques that are assigned to the detected event (for more information, refer to the following section: MITRE ATT&CK framework). The names of the MITRE ATT&CK tactics/techniques are clickable. When you click them, a prompt is displayed warning you that you are being redirected to an external page. The redirect leads to the official MITRE ATT&CK framework pages with the description of the selected tactic/technique. It is possible to disable the prompt for future redirects. You can enable it again in Settings → System Settings → User preferences. Refer to the following section for further details: User Preferences.
  - Recommendations: A set of recommendations that provide guidance, helping you validate detections to determine whether they are security incidents, misconfigurations, or another type of issue.
  - Actions: A set of actions useful for investigating the ADS event. Actions include direct links to other relevant parts of Flowmon or Flowmon ADS.
- Comments: It is possible to attach a comment to every event. These comments are ordered chronologically. A comment always includes the author (User) and the timestamp of comment insertion (Time). Comments can be changed (pencil icon) or deleted (dustbin icon), depending on the author and the currently logged-on user. It is always possible to add a new comment (New comment).
- Event evidence: Displays the flows from which the event has been detected. For more info, see the Event evidence chapter.
Tabs available only for events received by the IDS collector:
- Related flows: Events received by the IDS collector are detected using the Full Packet Capture approach (in contrast to the Anomaly Detection System, which uses flow data). The Related flows section therefore displays the flows that correspond to the packets on which the detection was performed.