Event Center
Perform this task to display security events that occurred in the network, helping administrators monitor and handle them in real time.
The event center displays the following information:
· Event details: Display detailed information for all related events.
· Event summary: Display correlated events by event type, severity level, and other dimensions in charts.
· Correlation rules: Correlate and aggregate the log data reported by collectors. One correlated event is output for all logs matching the same rule and is displayed on the event details page.
View event details
Perform this task to display detailed information about security events that occurred in the network, including the original log of an event, name and details of the correlation rule that the event matches, and the ack state of the event.
Procedure
1. Select Event Center > Event Details.
2. View event details: Search event information by event name, severity level, or rule name.
3. Export correlation events: After searching correlation events by criteria, click Export to export matching events to a spreadsheet and download them locally. If no search criteria are specified, all events will be exported. You can export a maximum of 100,000 events.
4. Acknowledge correlation events: Select one or more correlation events, and then click Bulk Ack to mark the events as acknowledged.
5. View detailed information about the matching correlation rule: Click the correlation rule name in the Rule Name column for an event to view detailed information about the correlation rule that the event matches.
6. View detailed information about the original logs of an event: Click the number in the Total Logs Retrieved column for an event to view detailed information about all original logs that match the correlation rule and generated the event.
Parameters
· Created At: Time when the system detected a correlated event.
· Event Severity: Severity of the event.
· Event Name: Name of the event, which is defined in the correlation rule.
· Original Event Name: Event name recorded in original logs.
· Source IP: Attack source IP.
· Source Port: Port from which the attack originates.
· Destination IP: Attack destination IP.
· Destination Port: Target port of the attack.
· Rule Name: Name of the correlation rule that output the event. To view detailed information about the correlation rule, click the rule name.
· Event Description: Description of the event, which is defined in the correlation rule.
· Total Logs Retrieved: Total number of original logs that match the correlation rule and generate the event. To view detailed information about the original logs, click the number.
· Ack State: Acknowledgment state of the correlation event, either unacknowledged (the default) or acknowledged.
View log details
Use this feature to display detailed information about logs for an event.
Procedure
1. Select Event Center > Event Details.
2. To view detailed information for all logs of an event, click the number in the Total Logs Retrieved column for that event.
Parameters
· Log Type: Type of the log, such as threat log or operation log.
· Log Severity: Severity level of the log.
· Log Generated at: Time at which the log was generated.
· Device IP: IP address of the log source device.
· Device Name: Name of the log source device.
· Source IP: Source IP address recorded in the log.
· Destination IP: Destination IP address recorded in the log.
· Details: To view detailed analysis information for a log, click the icon in the Details column for that log.
View event summary
This page displays statistics about correlated events from multiple dimensions in a time span. By default, this page displays event statistics by event type, severity, device type, attack destination port, source IP, and destination IP in charts. You can customize the data to be displayed in a chart and the presentation of the chart.
Procedure
1. Select Event Center > Event Summary.
2. Select a time span. By default, the page displays security event information in the last 24 hours.
3. To customize the data to be displayed in a chart and the presentation of that chart, click Customize in the upper right corner of the chart area. In the dialog box that opens, configure the following parameters, and then click OK:
○ Chart Name: Set the chart name to be displayed in the upper left corner of the chart area.
○ Statistics Object: Select the type of data to be displayed.
○ Chart Type: Select the presentation of the chart. Options are Line Chart, Pie Chart, and Bar Chart.
Features
· Events by Event Type
Display security event statistics by event type in a chart. The statistics include the top 10 security events with the highest number of occurrences and the number of occurrences for each of the events.
· Events by Severity
Display security event statistics by severity in a chart. The statistics include the total number of events at each severity level.
· Events by Device Type
Display security event statistics by device type in a chart. The statistics include the top 10 types of devices that reported the most security events and the total number of security events reported by each of the device types.
· Events by Attack Destination Port
Display security event statistics by attack destination port in a chart. The statistics include the top 10 attack destination ports and the number of times each of the ports was attacked.
· Events by Source IP
Display security event statistics by source IP in a chart. The statistics include the top 10 source IP addresses correlated with the most security events and the number of events correlated with each of the source IPs.
· Events by Destination IP
Display security event statistics by destination IP in a chart. The statistics include the top 10 destination IP addresses correlated with the most security events and the number of events correlated with each of the destination IPs.
Restrictions and guidelines
Only correlation events triggered by rules that match the security log type contain the event type field. If a correlation rule contains multiple subrules, the security log type must be matched by the last subrule for the field to be included.
Manage correlation rules
Correlation rules are used to analyze the logs reported to the platform within a specific period of time. The logs matching a correlation rule will be aggregated to generate an event, which will be displayed on the Event Details page. You can monitor the security status of the entire network and troubleshoot problems according to the events. The system supports the following types of correlation rules:
· Predefined: The system has multiple built-in correlation rules that correlate and analyze large volumes of traffic logs to detect abnormal traffic. Predefined correlation rules cannot be edited or deleted. You can only enable or disable them.
· User-defined: You can customize correlation rules as needed and manage them, including adding, deleting, enabling, and disabling correlation rules.
View correlation rules
Perform this task to view information about correlation rules.
Procedure
1. Select Event Center > Correlation Rules.
2. You can search for correlation rules by rule name, event name, and other filters. Enter the search conditions and then click Search to view the matching correlation rules. To use the default filters, click Reset.
Parameters
· Rule Name: Name of the correlation rule, which uniquely identifies the rule.
· Configuration Type: Type of the correlation rule, which can be predefined or user-defined.
· Event Name: Name of the event generated according to the correlation rule.
· Event Description: Description for the event. Configure a proper description to help you quickly identify the event.
· Event Severity: Severity level of the event generated according to the correlation rule.
· Hit Count: Number of events generated according to the correlation rule.
· Rule State: State of the correlation rule, On (enabled) or Off (disabled).
Manage predefined correlation rules
Predefined correlation rules cannot be edited or deleted. You can only enable or disable them. The correlation rule settings mainly include rule and event settings and subrule settings.
Procedure
1. Select Event Center > Correlation Rules.
2. To view detailed information about a predefined correlation rule, click Details in the Actions column for that rule.
Parameters
Rule and Event
· Rule Name: Unique identifier of the correlation rule.
· Rule Description: Description of the correlation rule, which helps administrators quickly understand and identify the rule.
· Time Window: Period for event matching. The system matches events against the correlation rule only if they arrive at the system within the time window. The time window can be measured in seconds, minutes, or hours. The value must be a positive integer, and the resulting duration must be in the range of 1 minute (60 seconds) to 24 hours.
· Event Name: Name of the event that matches the correlation rule.
· Event Description: Description for the event that matches the correlation rule. You can directly enter a description or surround certain variables with placeholders (%) to generate a description with variable replacement, for example, %host name% is under %attack type% attack. The attack name is %attack name%.
· Event Level: Severity level of the event that matches the correlation rule. Options include Low Risk, Medium Risk, High Risk, and Critical.
Subrule Settings
Subrules are used for matching original logs.
· Subrule Name: Unique identifier of the subrule.
· Log Type: Type of the logs to be matched. The subrule only matches against the specified type of logs.
· Aggregation Mode: Enables event aggregation for logs matching the subrule. For example, if a device collects 100 brute force attack logs that match the subrule, it reports events to the system according to the aggregation configuration. When aggregation is enabled, the system reports security events based on the aggregation parameters that follow (group field, group statistics count, and inheritance policy). By default, aggregation is disabled.
· Group Field: Perform initial log aggregation for matching logs by the selected fields. Logs with the same field values are aggregated into one log. For example, the device might receive 100 brute force attack logs that match the subrule. To report them as aggregate logs based on the attack source, specify Group Field as User Login IP.
· Group Statistics Count: If the number of aggregated logs is greater than or equal to the specified value, the device reports those aggregate logs as events; otherwise it does not. For example, the device might receive 100 brute force attack logs that match the subrule. If you specify Group Field as User Login IP, the device aggregates those logs by user login IP. With a group statistics count of 10, the device reports the aggregate logs as events only if at least 10 aggregated logs result (that is, at least 10 distinct user login IPs); if fewer than 10 result, it reports nothing.
· Inheritance Policy: If you specify Earliest Time, the device will select the earliest log as the aggregate log, or report the earliest log as an event. If you specify Latest Time, the device will select the latest log as the aggregate log, or report the latest log as an event.
· Match Conditions
○ Set the logical relationships among multiple conditions.
○ Configure a match condition: Connect a key field and the real value with a symbol or string.
Restrictions and guidelines
· If you configure a security event description with certain variables surrounded by placeholders (%), the fields will be replaced with real values on the Event Details page.
· Disabling a correlation rule will not affect the display of data matched before the rule is disabled.
Add a correlation rule
Perform this task to add a correlation rule. The correlation rule settings mainly include rule and event settings and subrule settings.
Procedure
1. Select Event Center > Correlation Rules.
2. Click Add. Configure the parameters, and then click OK.
3. You can use the on and off buttons to change the rule state.
Parameters
Rule and Event
· Rule Name: Name of the rule, which uniquely identifies the rule.
· Rule Description: Description for the rule. Configure a proper description to help you quickly identify the rule.
· Time Window: Period for event matching. The system matches events against the correlation rule only if they arrive at the system within the time window. The time window can be measured in seconds, minutes, or hours. The value must be a positive integer, and the resulting duration must be in the range of 1 minute (60 seconds) to 24 hours.
· Event Name: Name of the event that matches the correlation rule.
· Event Description: Description for the event that matches the correlation rule. It can be a fixed string or a string that uses variables surrounded by the placeholder % on both sides, for example, %attack destination% suffered %attack type% attack, attack name %attack name%.
· Event Level: Severity level of the event that matches the correlation rule. Options include Low Risk, Medium Risk, High Risk, and Critical.
Subrule Settings
Perform this task to configure subrules for matching original logs. Subrules have the following types:
· Statistics Correlation: Only one subrule is allowed. The system generates an event if logs reported within the time window meet the match conditions and match the statistics count of the correlation rule.
· Time Sequence Correlation: Configure two to five subrules. The system generates an event if logs reported within the time window meet the match conditions and match the statistics count of all subrules in chronological order. (The subrules are matched in the order they were added.) To add a subrule, click Add. On the page that opens, configure related parameters, and then click OK. To delete a subrule, click the delete icon in the Actions column for that subrule.
○ Log Type: Type of the logs to be matched. The subrule only matches against the specified type of logs.
○ Statistics Count: Number of logs that must match the subrule within the time window for the subrule to be hit.
○ Match Conditions
§ Set the logical relationships among multiple conditions: Supported logical relationships include AND, OR, and Custom. When you customize logical relationships, you can use OR and AND together to form a logical expression, for example, 1 and (2 or 3) and 4.
§ Configure a match condition: Connect a key field and the real value with a symbol or string. Options include =, !=, >, <, and like.
§ Add or delete a match condition: To add a match condition, click the add icon. To delete a match condition, click the delete icon for that match condition.
Restrictions and guidelines
· If you configure an event name or description by using placeholders % before and after specific fields, the specific fields will be replaced by real values of these fields when the events are displayed on the event list page. The specific fields can be attack type, attack name, attack destination, attack source, source address, destination address, host name, destination user, and source user.
· As a best practice, do not set a long time window. A long time window will affect the matching performance.
· After a correlation rule is disabled, the matching data displayed before the rule is disabled is not affected.
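The subrule matching, aggregation, and placeholder substitution described in the Manage predefined correlation rules and Add a correlation rule sections above can be modelled in a few dozen lines. The following Python is an added example, not the platform's own code or an API it exposes: it evaluates match conditions with the five operators (=, !=, >, <, like), combines them with a custom logic expression such as 1 and (2 or 3) and 4 without handing that string to eval(), groups matching logs of one time window by a group field, applies the statistics count, picks the representative log by inheritance policy, and renders the event description from %field% placeholders. Both statistics correlation (one subrule) and time sequence correlation (subrules matched in order) are shown. The log field names, the like operator as a shell-style wildcard match, applying the statistics count per group, the fixed evaluation window starting at a given time, and the sample logs are all assumptions constructed for this example.

```python
# Added example, not the platform's code: a minimal model of the correlation engine described
# above. Field names, "like" semantics, per-group counting and the fixed window are assumptions.
import ast, fnmatch, re
from collections import defaultdict
from datetime import datetime, timedelta

OPS = {  # the five operators offered for a match condition
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "like": lambda a, b: fnmatch.fnmatch(str(a), str(b)),  # assumption: shell-style wildcard
}

def eval_logic(expr, hits):
    """Evaluate a custom expression such as '1 and (2 or 3) and 4'; each integer is the 1-based index
    of a match condition. Only and/or/parentheses/indices are accepted and the tree is walked by
    hand, so an operator-supplied string never reaches eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.Constant) and type(node.value) is int and 1 <= node.value <= len(hits):
            return hits[node.value - 1]
        raise ValueError(f"unsupported token in logic expression {expr!r}")
    return walk(ast.parse(expr, mode="eval"))

def subrule_matches(log, sub):
    """A subrule matches only its own log type, then its conditions combined by its logic."""
    if log["log_type"] != sub["log_type"]:
        return False
    hits = [f in log and OPS[op](log[f], v) for f, op, v in sub["conditions"]]
    return eval_logic(sub["logic"], hits) if sub.get("logic") else all(hits)

def render_description(template, log):
    """Replace %field% placeholders with values from the representative log (unknown ones stay)."""
    return re.sub(r"%([^%]+)%", lambda m: str(log.get(m.group(1), m.group(0))), template)

def make_event(rule, group):
    """Build one correlated event; the inheritance policy chooses which log supplies the fields."""
    group = sorted(group, key=lambda lg: lg["time"])
    rep = group[0] if rule.get("inheritance", "latest") == "earliest" else group[-1]
    return {"event_name": rule["event_name"], "event_level": rule["event_level"],
            "description": render_description(rule["event_description"], rep),
            "total_logs_retrieved": len(group), "source_ip": rep.get("source_address"),
            "created_at": rep["time"]}

def statistics_correlation(rule, logs, window_start):
    """Statistics correlation (one subrule): aggregate the matching logs of one time window by the
    group field and emit an event for every group that reaches the statistics count."""
    sub, end = rule["subrules"][0], window_start + rule["time_window"]
    groups = defaultdict(list)
    for log in logs:
        if window_start <= log["time"] < end and subrule_matches(log, sub):
            groups[log.get(sub.get("group_field"))].append(log)
    return [make_event(rule, g) for g in groups.values() if len(g) >= sub["statistics_count"]]

def sequence_correlation(rule, logs, window_start):
    """Time sequence correlation (2-5 subrules): each subrule must reach its statistics count with
    logs later than the previous subrule's last hit, all inside a single time window."""
    end, chain, cursor = window_start + rule["time_window"], [], window_start
    for sub in rule["subrules"]:
        hits = sorted((lg for lg in logs if (lg["time"] > cursor if chain else lg["time"] >= cursor)
                       and lg["time"] < end and subrule_matches(lg, sub)), key=lambda lg: lg["time"])
        if len(hits) < sub["statistics_count"]:
            return []  # the chain is broken: no event
        chain += hits[:sub["statistics_count"]]
        cursor = chain[-1]["time"]
    return [make_event(rule, chain)]

T0 = datetime(2024, 5, 1, 10, 0, 0)
def _log(sec, name, src):  # constructed sample threat logs, not real platform output
    return {"time": T0 + timedelta(seconds=sec), "log_type": "threat", "attack_type": "brute force",
            "attack_name": name, "source_address": src, "destination_address": "10.0.0.5",
            "destination_port": 22, "host_name": "bastion-1"}
SAMPLE_LOGS = [_log(0, "ssh-login-failure", "203.0.113.7"), _log(5, "ssh-login-failure", "203.0.113.7"),
               _log(9, "ssh-login-failure", "203.0.113.7"), _log(20, "ssh-login-failure", "198.51.100.2"),
               _log(31, "ssh-login-failure", "203.0.113.7"), _log(40, "ssh-login-success", "203.0.113.7"),
               _log(3600, "ssh-login-failure", "203.0.113.7")]  # an hour later: outside a 5-minute window
FAILURE = ("attack_name", "like", "ssh-login-fail*")
BRUTE_FORCE_RULE = {
    "rule_name": "ssh-brute-force", "time_window": timedelta(minutes=5), "inheritance": "latest",
    "event_name": "SSH brute force", "event_level": "High Risk",
    "event_description": "%host_name% is under %attack_type% attack from %source_address%",
    "subrules": [{"log_type": "threat", "statistics_count": 3, "group_field": "source_address",
                  "conditions": [FAILURE, ("destination_port", "=", 22), ("destination_port", "=", 3389)],
                  "logic": "1 and (2 or 3)"}],  # login failures against SSH or RDP
}
COMPROMISE_RULE = {  # repeated failures followed by a success in the same window
    "rule_name": "brute-force-then-success", "time_window": timedelta(minutes=5), "inheritance": "latest",
    "event_name": "Brute force followed by successful login", "event_level": "Critical",
    "event_description": "%source_address% logged in to %host_name% after a %attack_type% attack",
    "subrules": [{"log_type": "threat", "statistics_count": 3, "conditions": [FAILURE]},
                 {"log_type": "threat", "statistics_count": 1,
                  "conditions": [("attack_name", "=", "ssh-login-success")]}],
}

if __name__ == "__main__":
    for ev in statistics_correlation(BRUTE_FORCE_RULE, SAMPLE_LOGS, T0) + sequence_correlation(COMPROMISE_RULE, SAMPLE_LOGS, T0):
        print(ev["event_level"], ev["event_name"], "-", ev["description"], f"({ev['total_logs_retrieved']} logs)")
```

Running the block prints one High Risk event for the four failures from 203.0.113.7 (the single failure from 198.51.100.2 stays below the statistics count, the success log fails the like condition, and the failure an hour later falls outside the window) and one Critical event for the three failures followed by a success. Two simplifications are deliberate: a real engine slides the window over arriving logs rather than evaluating one fixed window, and the sequence rule as written does not require the subrules' logs to share a source address, which a production rule normally would.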
Enable correlation rules
Perform this task to enable correlation rules.
Procedure
1. Select Event Center > Correlation Rules.
2. Select the correlation rules to be enabled, and then click On above the correlation rule list to bulk enable the selected rules.
Restrictions and guidelines
Only the correlation rules displayed on the current page can be enabled.
Disable correlation rules
Perform this task to disable correlation rules.
Procedure
1. Select Event Center > Correlation Rules.
2. Select the correlation rules to be disabled, and then click Off above the correlation rule list to bulk disable the selected rules.
Restrictions and guidelines
Only the correlation rules displayed on the current page can be disabled.
Delete correlation rules
Perform this task to delete user-defined correlation rules.
Procedure
1. Select Event Center > Correlation Rules.
2. To delete a single user-defined correlation rule, click Delete in the Actions column for that rule. To bulk delete user-defined correlation rules, select the target rules, and then click Delete above the list.
Manage archiving
Perform this task to archive the alarms generated by the platform and delete the source alarm records.
Manage archive tasks
Perform this task to configure archive tasks. You can configure automatic or manual archive tasks to archive the existing alarm data and delete the source data.
Procedure
1. Select Event Center > Archiving > Archive Tasks.
2. Click Add. In the window that opens, enter the basic information.
3. Click OK.
4. To bulk delete archive tasks, select the target archive tasks, and then click Delete.
Parameters
· Archive Task Name: Unique identifier of the archive task.
· Archive Task Type: Type of the archive task. Manual: a one-time archive operation. Auto: archiving is triggered automatically every day.
· Start Time: Start date from which alarm data is archived for the manual archive task. You can specify the current day.
· End Time: End date on which alarm data is archived for the manual archive task. You can specify the current day.
· Task Execution Time: Time when the automatic archive task is triggered daily, accurate to seconds.
· Archive Time Span: For an automatic archive task, the full day that lies n days before the trigger time; alarm data from that day is archived.
Manage archived files
Perform this task to view and download the archived files generated by archive tasks.
Procedure
1. Select Event Center > Archiving > Archived files.
2. On the page that opens, you can view the archived files generated by archive tasks.
3. To view detailed information about an archived file, click Details in the Actions column for that file.
4. To download an archived file, click Download in the Actions column for that file.
5. To bulk delete archived files, select the target archived files, and then click Delete.
