To access the Incidents page:
- Log in to LogRhythm NDR's new UI.
- Click Hunt from the sidebar menu and then click Incidents.
The Incidents page appears, displaying the total number of incidents broken down into Critical, High, Medium, and Low.
Incidents can be summarized by Severity, Certainty, or Score. By default, they are summarized by Severity.
- To change the summary category, click the drop-down menu next to the Dialog Box/Side Panel toggle button and select the required category.
- To select the time range for which you want incident data, click the Date Range/Time picker drop-down next to the Search field at the top right of the page.
- Click Apply.
The incidents corresponding to the selected time range are displayed.
- Click an incident to expand a table with further details about it.
The table lists Occurred On, Score, Certainty, Severity, Case ID, Entry Origin, Entry Type, Trigger, Src, and Dest.
- Click a column header to sort the table entries in ascending or descending order.
- To group the entries, drag and drop column headers into the column grouping space.
- To add or remove columns, click the Show Columns icon.
- To export the incident details, click the Export icon.
- To show/hide column grouping space, click the Show/Hide Column Group icon.
- To show/hide column filters, click the Show/Hide Column Filters icon.
- To filter the list of incidents, use the Anomaly and Score sliders.
The Anomaly slider filters incidents by severity.
The Score slider filters incidents by score.
- To open an incident without the detailed summary, set the Dialog Box/Side Panel toggle button to Off.
- To open an incident with the detailed summary, set the Dialog Box/Side Panel toggle button to On.
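The steps above (date range, summary category, Anomaly and Score sliders, sorting, grouping, export) are UI controls, but analysts often need the same triage outside the UI, for example over an exported incident table. The following is an added example, not LogRhythm code and not LogRhythm's export format: it applies those controls in Python to constructed incident records whose field names follow the columns listed on this page. The severity ranking, the ISO 8601 UTC timestamp format, and the sample records are assumptions.

```python
"""Triage helper mirroring the Incidents page controls on exported records.

Added example; not part of LogRhythm NDR. Field names follow the page's column
list, but the record format and sample values are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Assumed ranking so the Anomaly slider's "minimum severity" can be compared.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed export timestamp format (UTC)

# Constructed sample incidents (not real data, not a real export).
INCIDENTS = [
    {"Occurred On": "2024-03-01T08:15:00Z", "Score": 92, "Certainty": 85, "Severity": "Critical",
     "Case ID": "C-1", "Entry Origin": "Lateral Movement", "Entry Type": "Alert",
     "Trigger": "Admin share access", "Src": "10.0.1.5", "Dest": "10.0.1.20"},
    {"Occurred On": "2024-03-01T09:30:00Z", "Score": 78, "Certainty": 70, "Severity": "High",
     "Case ID": "C-2", "Entry Origin": "Credential Access", "Entry Type": "Alert",
     "Trigger": "Kerberos brute force", "Src": "10.0.1.5", "Dest": "10.0.2.7"},
    {"Occurred On": "2024-03-02T12:00:00Z", "Score": 55, "Certainty": 60, "Severity": "Medium",
     "Case ID": "C-3", "Entry Origin": "Beaconing", "Entry Type": "Anomaly",
     "Trigger": "Periodic HTTPS", "Src": "10.0.3.9", "Dest": "203.0.113.10"},
    {"Occurred On": "2024-03-03T01:45:00Z", "Score": 20, "Certainty": 30, "Severity": "Low",
     "Case ID": "C-4", "Entry Origin": "Port Scan", "Entry Type": "Anomaly",
     "Trigger": "Sequential ports", "Src": "10.0.4.4", "Dest": "10.0.4.1"},
    {"Occurred On": "2024-03-03T16:05:00Z", "Score": 81, "Certainty": 75, "Severity": "High",
     "Case ID": "C-5", "Entry Origin": "Beaconing", "Entry Type": "Anomaly",
     "Trigger": "Periodic DNS", "Src": "10.0.3.9", "Dest": "198.51.100.5"},
]


def parse_ts(s):
    """Parse the assumed UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, TS_FORMAT).replace(tzinfo=timezone.utc)


def count_by_severity(incidents):
    """The page's default summary: totals per Critical/High/Medium/Low."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for inc in incidents:
        if inc["Severity"] in counts:
            counts[inc["Severity"]] += 1
    return counts


def filter_incidents(incidents, start=None, end=None, min_severity="Low", min_score=0):
    """Date Range picker (inclusive start/end), Anomaly slider (minimum
    severity) and Score slider (minimum score) applied together.
    Records with an unknown severity label are excluded rather than guessed."""
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    floor = SEVERITY_RANK[min_severity]
    selected = []
    for inc in incidents:
        ts = parse_ts(inc["Occurred On"])
        if lo is not None and ts < lo:
            continue
        if hi is not None and ts > hi:
            continue
        if SEVERITY_RANK.get(inc["Severity"], 0) < floor:
            continue
        if inc["Score"] < min_score:
            continue
        selected.append(inc)
    return selected


def sort_by(incidents, column, descending=False):
    """Column-header sort. Occurred On sorts chronologically as a string
    because the assumed timestamp format is fixed-width ISO 8601."""
    return sorted(incidents, key=lambda inc: inc[column], reverse=descending)


def group_by(incidents, column):
    """Column grouping: map each distinct value of `column` to its incidents."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc[column]].append(inc)
    return dict(groups)


def export_csv(incidents, columns):
    """Export the chosen columns (the Show Columns selection) as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(incidents)
    return buf.getvalue()


if __name__ == "__main__":
    print(count_by_severity(INCIDENTS))
    hot = filter_incidents(INCIDENTS, start="2024-03-01T00:00:00Z",
                           end="2024-03-02T23:59:59Z", min_severity="High", min_score=80)
    print(export_csv(sort_by(hot, "Score", descending=True), ["Case ID", "Severity", "Score", "Src", "Dest"]))
```

Grouping by Src or Entry Origin is the quickest way to spot a single host that appears in several incidents (C-3 and C-5 above share a source), which is exactly what the column grouping space in the UI is for.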
More Details Window
- To get a more detailed summary, click the three-dot menu at the bottom of the Summary panel.
The More Details page appears, showing the summary, recommendation, details, source, and destination.
The Entry Origin table maps the rule that created the incident to the time period in which it was created.
Below the Entry Origin table, the Highlighted Events and All Events tabs are available.
- Click the Bookmark icon to bookmark the selected incident.
- Click the Investigate button at the top right of the page to further investigate a particular incident.
- To select one of the following actions, click the three-dot menu icon:
- Email Alert
- Run Firewall SmartResponse
- Close Incident
- Open Case
- Mark for Investigation
- To filter the highlighted events further, use the Anomaly and Threat Severity sliders in the Highlighted Events tab.
Below the sliders, the highlighted users chart plots the incident's events and their types against the dates on which they occurred.
The highlighted users table lists Occurred On, Info, Activity, Category, and Attribute for each event.
- Click a column header to sort the table entries in ascending or descending order.
- To export the table details, click the Export icon.
- To filter the entries, click the Show/Hide Column Filters icon and select your filter parameters.
The Info column of the table contains an Alert Event drop-down for each event.
- Click the Alert Event drop-down for the event in question to choose one of the following:
- Whitelist - To whitelist an entry.
- Payload - To view payload as Text and Hex.
- Make Main Event - To make the entry a main event.
- Auto Main Event - To revert to the original main event.
- Rapid 7
- Click the links in the table for further information on the corresponding items.
- To view the event details, click anywhere on the row.
The event page has three tabs: Details, Raw Data (JSON), and Related Logs.
- To view the source and destination IP addresses, click the Details tab.
- To view the raw data in JSON format, click the Raw Data (JSON) tab.
- To see all the related logs, click the Related Logs tab.
The Activity timeline for the incident is displayed at the bottom of the More Details window.