The Triggered alerts tab shows the list of triggered alerts for analytics rules with brief details about each one. A triggered alert is a set of events grouped under an analytics rule.
The following triggered alert details are shown.
|
Name |
Description |
|---|---|
|
Node |
The LogAn node name. |
|
Time |
The date and time when the analytics rule was triggered. |
|
ID |
The triggered alert ID. |
|
First event time |
The time of the first event included in the triggered alert for the analytics rule. |
|
Last event time |
The time of the last event included in the triggered alert for the analytics rule. |
|
Events number |
The number of events included in the triggered alert for the analytics rule. |
|
Rule |
The name of the triggered analytics rule. |
|
Category |
The category to which the triggered alert belongs. The following predefined categories are available:
Additional triggered alert categories can be defined in the General settings --> Libraries --> Triggered alert categories section. |
|
Priority |
The priority of the triggered alert specified in the analytics rule settings:
The priority indicates the severity of the triggered alert. |
|
User |
The username. |
|
Signatures |
The name of the triggered IPS signature. |
|
Source zone |
The zone from which connection is established. |
|
IP source |
The source IP address. |
|
Source port |
The source port. |
|
Destination zone |
The destination zone. |
|
IP destination |
The destination IP address. |
|
Destination port |
The destination port. |
The administrator can select to display only the columns they need. To do that, point the mouse cursor to the name of any column, click the arrow that will appear to the right of the column name, choose Columns, and select the desired parameters in the context menu.
Two search modes are available, basic and advanced. The basic mode uses a GUI, while the advanced mode allows you to create more complex search filters using a specialized query language whose syntax is described in the Data Search and Filtering section.
To save the configured filter, click Save as. To view the list of saved search filters, click Favorite filters.
To view the triggered alert details (brief information about the selected triggered alert), click Show.
Clicking the Show details button will take you to the Triggered alert details tab showing details about the selected triggered alert. This tab is discussed in the next section, Triggered Alert Details.
The selected triggered analytics rule alert can be added to an incident by clicking Add to incident.
By clicking Export as CSV, the administrator can save the filtered log data in a .csv file for subsequent analysis.