You can view the table of registered events and incidents on the Events and incidents tab in the Events section.
By default, the table of registered events and incidents is updated in real time. Events and incidents are shown at the top of the table in descending order of the date and time when they were last visible.
The date and time when an event or incident was last visible may differ from the date and time of its registration (the date and time of registration is displayed in the Start column). For an event, the date and time when last visible may move forward during the event regeneration period for that event type. For an incident, the date and time when last visible is updated to the latest occurrence of any of the events that are part of the incident.
The settings of events and incidents are displayed in the following columns of the table:
For an event that is not an incident, this is the date and time of event registration (the Start column). For an incident, it is the date and time of registration of the first event included in the incident. In the table, you can view the date together with the time, or just the date or time by itself. To choose the information to display, select the check boxes opposite the Date and/or Time settings.
For an event that is not an incident, this is the date and time when the event was last visible, that is, when it last occurred. If the event has occurred only once, it is the date and time of event registration; if the conditions for event registration were repeated within the event regenerate timeout, it is the date and time when the event regenerate counter was last incremented. The value of the regenerate counter is displayed in the Total appearances column. For an incident, this is the latest date and time of last occurrence among the events that are part of the incident. Just like with the Start column, you can view the date together with the time, or just the date or time by itself.
Header defined for the event type.
Calculated score of the event. The severity level of an event is expressed as a numerical score. Depending on the severity, the score is shown in one of the following colors:
Address of the source of network packets. You can enable or disable the display of addresses and ports of address information by using the following settings (their abbreviated names displayed in table columns are indicated in the parentheses): IP address, Port number (P), MAC address, VLAN ID (VID), and Application-level address. If additional address spaces were added to the application, you can enable or disable the display of the names of address spaces by using the Show address spaces setting when configuring the devices table.
Address of the destination of network packets. The display of address information can be configured the same way as the Source column.
Application layer protocol that was being monitored when the application registered the event.
This icon corresponds to the technology that was used to register the event.
For an event that is not an incident, this is the value of the regenerate counter: the number of times the event was registered within the event regenerate timeout. A value N greater than 1 means that the conditions for event registration were repeated N – 1 times after the initial registration. For an incident, this column always displays 1.
Unique ID of the registered event or incident.
Information about the applications that were running when the event registration conditions occurred. This application data is received from EPP applications and saved together with the event.
Information about the user account that was used to start the application specified in the Application column.
This icon corresponds to the status of an event or incident.
Description specified for the event type.
For an event that is not an incident, this is the date and time when the Resolved status was assigned, or the date and time when the event regenerate timeout expired. For an incident, this is the latest end date and time among the events that are part of the incident. Just like with the Start column, you can view the date together with the time, or just the date or time by itself.
For an event that is not an incident, this is the name of the Process Control rule or Intrusion Detection rule whose triggering caused the registration of the event. For an incident, this is the name of the correlation rule whose triggering caused the registration of the incident.
Monitoring point whose traffic invoked registration of the event.
Numerical code assigned to the event type.
A set of icons that you can assign to any event or incident so that you can easily find events and incidents by a criterion that is not represented in the table.
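The Start, last visible, Total appearances and End columns above all follow from one mechanism: repeated registration conditions within the regenerate timeout increment a counter on the existing event instead of creating a new one, and an incident derives its times from its member events. The following Python model is an added example, not code from the product or its documentation; the regenerate timeout being measured from the last occurrence, the "same conditions" key, the event type code 1001, the addresses and the rule name are all constructed assumptions for illustration.

```python
"""Added example (not the product's code): a minimal model of the event
regenerate counter and incident aggregation described above.

Assumptions, stated here because the page does not specify them:
  * the regenerate timeout is measured from the last occurrence of the event
    conditions, not from the original registration;
  * two occurrences are "the same conditions" when the event type code and a
    constructed key (source -> destination) match;
  * an incident's End stays empty while any of its events is still open.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    event_id: int
    event_type: int             # numerical event type code (constructed)
    key: str                    # constructed: identifies "the same conditions"
    start: datetime             # Start: date and time of registration
    last_visible: datetime      # last occurrence; moves when the counter grows
    total_appearances: int = 1  # regenerate counter (Total appearances)
    end: Optional[datetime] = None
    status: str = "New"

    def resolve(self, when: datetime) -> None:
        """Assigning Resolved fixes End at the moment of resolution."""
        self.status = "Resolved"
        self.end = when


class EventTable:
    def __init__(self, regenerate_timeout: timedelta):
        self.timeout = regenerate_timeout
        self.events: List[Event] = []

    def _expire(self, now: datetime) -> None:
        """Close events whose regenerate timeout has elapsed; End becomes the
        moment the timeout expired (assumed: last occurrence + timeout)."""
        for ev in self.events:
            if ev.end is None and now - ev.last_visible > self.timeout:
                ev.end = ev.last_visible + self.timeout

    def register(self, event_type: int, key: str, when: datetime) -> Event:
        """Increment the counter of a still-open event with the same
        conditions, or register a new event if none is open."""
        self._expire(when)
        for ev in reversed(self.events):
            if ev.end is None and ev.event_type == event_type and ev.key == key:
                ev.total_appearances += 1   # conditions repeated: N-1 repeats
                ev.last_visible = when
                return ev
        ev = Event(len(self.events) + 1, event_type, key, when, when)
        self.events.append(ev)
        return ev


@dataclass
class Incident:
    incident_id: int
    rule: str                   # correlation rule that produced the incident
    events: List[Event]

    @property
    def start(self) -> datetime:            # registration of the first event
        return min(e.start for e in self.events)

    @property
    def last_visible(self) -> datetime:     # latest occurrence of any member
        return max(e.last_visible for e in self.events)

    @property
    def end(self) -> Optional[datetime]:
        if any(e.end is None for e in self.events):
            return None                     # assumed: incident still open
        return max(e.end for e in self.events)

    @property
    def total_appearances(self) -> int:
        return 1                            # always 1 for an incident


def build_sample():
    """Constructed scenario: the same conditions repeat three times inside a
    5-minute timeout, then recur again after the timeout has expired."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    table = EventTable(timedelta(minutes=5))
    for minutes in (0, 1, 4):
        table.register(1001, "10.0.0.5->10.0.0.9", t0 + timedelta(minutes=minutes))
    table.register(1001, "10.0.0.5->10.0.0.9", t0 + timedelta(minutes=12))
    incident = Incident(1, "sample correlation rule", list(table.events))
    return t0, table, incident


if __name__ == "__main__":
    t0, table, inc = build_sample()
    for ev in table.events:
        print(ev.event_id, ev.total_appearances, ev.start, ev.last_visible, ev.end)
    print("incident:", inc.start, inc.last_visible, inc.end, inc.total_appearances)
```

Running the sample produces two events: the first with Total appearances 3, Start 12:00 and last visible 12:04, closed at 12:09 when its timeout expired; the second registered fresh at 12:12 with a counter of 1. The incident built from both shows Start 12:00, last visible 12:12, Total appearances 1 and no End until the open event is resolved.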
When viewing the table of events and incidents, you can use configuration, filter, search, and sort functions, and navigate to the related items.