Filtering objects on the network interactions map

Expand all | Collapse all

To limit the number of nodes and links displayed on the network interactions map, use the following functions:

• Functions for complex filtering of nodes and links:
  • Filtering using a period on the time scale

    To filter nodes and links, you can choose the relevant period of time on the time scale. The time scale is displayed in the lower part of the Network interactions map tab of the Network map section.

    The time scale contains the following items:

    • Time scale start date and time.
    • Periods when events with scores of 4.0 and above were registered. These periods are displayed as red strips in the lower part of the time scale. The periods are not displayed if a duration of more than seven days is defined for the time scale.
    • Filtering period. This period is displayed as a yellow band lined with buttons for moving the boundaries.
    • Chart of the volume of traffic processed by the application. The chart is not displayed if a duration of more than seven days is defined for the time scale.
    • End of the time scale. Depending on the arrangement of the filtering period, the end of the time scale is displayed as a date and time (if the date and time are defined) or as a Now link.

    The following types of filtering periods are provided:

    • Period correlated to the current moment. The right-side boundary of this period corresponds to the time scale boundary designating the current moment in time.
    • Period not correlated to the current moment. This type of period may be arranged in any part of the time scale.

    To configure object filtering by a period correlated to the current moment:

    1. Click the Now button on the right of the time scale. This button is not displayed if the period is already correlated to the current moment.
    2. If it is necessary to specify a different period duration, perform one of the following actions:
       • Move the left border of the yellow band of the period to the necessary position (the maximum duration of the period is 7 days).
       • Open the configuration window by using the button above the yellow band of the period, select the Anchor to boundary check box, select the necessary duration (Hour, Day, 7 days), and click OK.

    The network interactions map shows only the nodes and links for which communications were detected since the beginning of the specified period up to the current moment.

    To configure filtering by a period not correlated to the current moment:

    1. If the necessary period is not within the time scale, change the values of the date and time for the start and/or end of the time scale:
       1. To change the data and time of the start of the time scale, open the window by clicking the link in the left part of the time scale and select one of the following options:
          • Day
          • 7 days
          • 30 days
          • Specify a date. For this option, specify a date and time in the opened field.
       2. To change the date and time of the end of the time scale, open the window by clicking the link in the right part of the time scale and select one of the following options:
          • Now
          • Specify a date. For this option, specify a date and time in the opened field.
    2. Specify the necessary period. To do so, do one of the following:
       • Use the mouse to move the period to the relevant place on the time scale.
       • Move one or both of the borders of the yellow band of the period to the necessary part of the time scale (the maximum duration of the period is 7 days).
       • Open the configuration window by using the button above the yellow band of the period, select the necessary duration (Hour, Day, 7 days), and click OK.
    3. If a period is automatically anchored to the current moment (when you move the period to the right-most position, the Now button on the right of the time scale is no longer displayed), disable automatic anchoring of the period to the time scale boundary. To do so, open the configuration window by using the button above the yellow band of the period, clear the Anchor to boundary check box, and click OK.
  • Filtering by registered events

    You can configure the network interactions map to show the nodes and links whose information is saved in the events associated with the selected nodes.

    The capability to filter by events is available if no more than 200 nodes are selected on the network interactions map. You can select the relevant nodes individually or as part of collapsed groups that include the relevant devices. When a collapsed group is selected, all devices in the child groups of any nesting level are also included in the device selection.

    You can use the following methods to filter by event:

    • Initial filtering by event. This method is applied if you need to filter objects based on events associated only with the selected nodes.
    • Additional filtering by event. This method is applied if initial filtering by events is already performed (for example, when switching to the network interactions map from the events table) and you need also to filter events associated with additionally selected nodes from the list of nodes displayed on the network interactions map.

    To display nodes and links using initial filtering by event:

    1. On the network interactions map, select one or multiple objects corresponding to nodes and/or collapsed groups.

       To select multiple nodes and/or groups, do one of the following:

       • Hold down the SHIFT key and use your mouse to select a rectangular area containing the relevant objects.
       • Hold down the CTRL key and use your mouse to select the relevant objects.

       The details area appears in the right part of the web interface window. The details area shows the total number of selected nodes and groups while also showing the quantitative distribution of selected objects by type.

    2. If the selected objects belong to different types or categories of devices, you can exclude certain types of objects (for example, nodes of devices that are unknown to the application) or categories (for example, PLC). To do so, clear the check box next to the name of the category or type.
    3. Click the Filter by events button.

    The network interactions map displays only the nodes and links whose information is contained in the events associated with the selected nodes. The toolbar located above the network interactions map displays a list containing the IDs of events (IDs are listed in the order in which their associated events were detected).

    To add nodes and links to the displayed objects by using additional filtering by event:

    1. Make sure that initial filtering by event has been performed. To do so, check for the availability of a list containing event IDs on the toolbar located above the network interactions map.
    2. Among the nodes displayed on the network interactions map, select the nodes for which you want to add associated events to the filter.

       The details area appears in the right part of the web interface window.

    3. Click the Add filtering for events button.

    The network interactions map also displays the nodes and links whose information is contained in the events associated with the selected nodes. The IDs of detected events are added to the list containing IDs in the toolbar.

• Functions for filtering nodes:
  • Filtering by device status
    1. On the toolbar located above the network interactions map, open the Device statuses drop-down list.

       You will see a list containing the names of statuses for devices that are known to the application (Unauthorized, Authorized, Archived), and the Unknown device status for devices that are unknown to the application.

    2. In the drop-down list, select the check boxes for the statuses of devices that need to be displayed on the network interactions map.
    3. Click OK.

    The network interactions map displays only the nodes corresponding to devices with the selected statuses.

  • Filtering by device security state
    1. On the toolbar located above the network interactions map, open the Device states drop-down list.

       You will see a list containing the names of security states for devices (OK, Warning, Critical).

    2. In the drop-down list, select the check boxes for the security states of nodes that need to be displayed on the network interactions map.
    3. Click OK.

    The network interactions map displays only the nodes corresponding to devices with the selected security states.

  • Filtering by device category
    1. On the toolbar located above the network interactions map, open the Device categories drop-down list.

       You will see a list containing the names of categories for known devices, as well as individual categories for unknown devices and WAN nodes.

    2. In the drop-down list, select the check boxes for the categories of devices that need to be displayed on the network interactions map.
    3. Click OK.

    The network interactions map displays only the nodes corresponding to devices with the selected categories.

  • Enabling and disabling the display of nodes associated with filtered nodes

    After filtering nodes, the network interactions map displays only the nodes that satisfy the defined filter settings. In addition, for a node to be displayed on the network interactions map, it must have a connection (link) with another displayed node. If, according to the specified filtering parameters, the network interactions map does not display any node with which a node has interacted, this node is also not displayed on the network interactions map. Filtering is applied similarly for nodes that are part of a consolidated node of unknown devices: if the network map does not display all nodes with which a node of an unknown device has interacted, this node is removed from the list of nodes within the consolidated node of unknown devices.

    If necessary, you can enable the network interactions map to display all nodes associated with filtered nodes. Together with the nodes that satisfy the defined node filtering criteria, the network interactions map also displays all nodes with which these nodes have interactions (irrespective of the defined filter settings).

    For example, if the nodes are filtered by the PLC category and you enabled the display of linked nodes, the network interactions map will display all nodes that have communicated with PLC category devices. If the display of linked nodes is disabled, the network interactions map will display nodes corresponding only to those PLC category devices that have communicated with each other.

    To enable or disable the display of nodes associated with filtered nodes:

    Use the Linked devices toggle button on the toolbar located above the network interactions map.

• Functions for filtering links:
  • Filtering by link severity scores
    1. On the toolbar located above the network interactions map, open the Scores of links drop-down list.

       A list is displayed that contains the names of event severity levels with their score ranges (Low (0.0 - 3.9), Medium (4.0 - 7.9), High (8.0 - 10.0)), as well as the No events element, which allows you to filter the connections for which no events are registered.

    2. In the drop-down list, select the check boxes for those severity levels by which you want to filter links.
    3. Click OK.

    The network interactions map displays only the links associated with events that have the selected severity levels.

  • Filtering by communication protocols
    1. On the toolbar located above the network interactions map, open the Protocol drop-down list.

       You will see a window containing the table of supported protocols displayed as a protocol stack tree. You can manage how tree elements are displayed by using the + and - buttons next to the names of protocols that contain protocols of subsequent layers.

       The table columns provide the following information:

       • Protocol – name of the protocol within the protocol stack tree.
       • EtherType – number of the next-level protocol within the Ethernet protocol (if the protocol has a defined number). It is displayed in decimal format.
       • IP number – number of the next-level protocol within the IP protocol (if the protocol has a defined number). It is indicated only for protocols within the IP protocol structure. It is displayed in decimal format.
    2. If necessary, use the search field above the table to find relevant protocols.
    3. In the list of protocols, select the check boxes opposite the protocols by which you want to filter events.

       If you select or clear the check box for a protocol that contains nested protocols, the check boxes for the nested protocols are also automatically selected or cleared.

    4. Click OK.

    The network interactions map displays only the links for which the selected protocols are used.

  • Filtering based on the OSI model layers

    You can filter links based on the levels of communications corresponding to the layers of the OSI (Open Systems Interconnection) model for the network protocol stack.

    To filter links on the network interactions map based on the layers of the OSI network model:

    1. On the toolbar located above the network interactions map, open the OSI model layers drop-down list.

       You will see a list containing the names of OSI model layers:

       • Data Link. This layer includes the communication links in which MAC addresses were used to communicate with devices.
       • Network. This layer includes links in which IP addresses were used to communicate with devices.
    2. In the drop-down list, select the check boxes for the OSI model layers whose links need to be displayed on the network interactions map.
    3. Click OK.

    The interaction network map displays only the links that are associated with the selected OSI model layer.

• Resetting the filter settings

  You can reset the defined settings for filtering nodes and links to their default state.

  To reset the defined filter settings on the network interactions map:

  On the toolbar located above the network interactions map, click the Default filter button (this button is displayed if filter settings are defined).

  The network interactions map will display all nodes and links for which communications within the specified period were detected.