To access the Policy Violations page:
- Log in to LogRhythm NDR's new UI.
- Click Hunt from the sidebar menu and then click Policy Violations.
The Policy Violations page appears displaying the total number of violations which are further classified as Critical, High, Medium, and Low.
The incidents are generally categorized based on Severity, Certainty, and Score. By default, the incidents are summarized based on severity.
- To change the category, click the drop-down menu available next to the Dialog Box/Side Panel toggle button and select the required category.
- Click on a particular entry to open a drop-down table that contains further details.
Details such as Occurred On, Score, Certainty, Severity, Case ID, Entry Origin, Entry Type, Trigger, Src, and Dest. are listed in the table.
Click the column headers in the table to sort the table entries in ascending/descending order.
- To group the entries, drag and drop the column entries to a designated space.
- To add or remove column headers, click the Show Columns icon.
To export the case details, click the Export icon.
- To show/hide column grouping space, click the Show/Hide Column Group icon.
- To show/hide column filters, click the Show/Hide Column Filters icon.
- To filter from the list of available policy violations, use the Anomaly and Score sliders.
The Anomaly slider filters policy violations based on severity.
The Score slider filters entries based on score.
- To open a particular policy violation without detailed summary, set the Dialog Box/Side Panel toggle button to Off.
- To get detailed summary of a policy violation, set the Dialog Box/Side Panel toggle button to On.
More Details Window
- To get a more detailed summary, click the three-dot menu option available at the bottom of the Summary panel.
The More Details... page appears displaying details such as summary, recommendation, details, source, and destination.
The Entry Origin table is displayed which maps the rule and the time period in which that policy violation was created.
Below the Entry Origin table, the Highlighted Events and All Events tab are available.
- Click the Bookmark icon to bookmark the selected entry.
- Click Investigate at the top right of the page to further investigate a particular policy violation.
- To select one of the following actions, click the three-dot menu icon:
- Email Alert
- Run Firewall SmartResponse
- Close Incident
- Open Case
- Mark for Investigation
- To further filter the events, use the Anomaly and Threat Severity sliders available in the Highlighted Events tab.
The highlighted users chart is displayed below the sliders where the policy violation events and types are mapped to their respective dates.
The highlighted users table is presented with information such as Occurred on, Info., Activity , Category, and Attribute.
- Click the column headers in the table to sort the table entries in the ascending or descending order.
To export the table details, click the Export icon.
To filter the entries, click the Show/Hide Column Filters icon and select your filter parameters.
In the Info column of the table, the Alert Event option is available to the user.
- Click the Alert Event drop-down option, corresponding to a particular entry to choose one of the following:
- Whitelist - To whitelist an entry.
- Payload - To view payload as Text and Hex.
- Make Main Event - To make the entry a main event.
- Auto Main Event - To revert back to the original main event.
- Rapid 7
- Click the corresponding links provided in the table, for further information on the topics.
- To view the event details, click anywhere on the row.
There are 3 tabs available in the event page: Details tab, Raw Data (JSON) tab, and Related Logs tab.
- To view the source and destination IP addresses, click the Details tab.
- To view the raw data in JSON format, click the Raw Data (JSON) tab.
- To see all the related logs, click the Related Logs tab.
The Activity timeline for this particular policy violation is displayed at the end of the More Details window.