Event Summary
Click an event listed on the Event Manager display to review it in more detail in the Event Summary display.
The Event Summary typically shows the following information, depending on what has been configured for each asset:
- Complete Message: Full message raised by the security event
- Security ID: The unique security ID reference number
- Account Name: Name of the account on which the event was raised
- Account Domain: The domain (or, for a local account, the computer name) of the account on which the event was raised
- Logon ID: The unique logon ID used for the event
- Audit Policy Change: Any change made to audit policy
- Category: The Security Category that the event is logged under
- Subcategory: The subcategory of the security event
- Subcategory GUID: The subcategory globally unique identifier of the event
- Changes: Types of change recorded by this event
- User: The name of the user profile that initiated the action
- Domain: The name of the system on which the event was recorded
- Event Time: The time at which the security event was logged
- Audited On: The name of the machine on which the action was audited
- Security Criticality: The criticality level of the device on which the security event was actioned
- Regulations: If applicable, the names of the security regulations that this event is logged against
- Security Responsible: The name of the person who is responsible for the security of this asset
- Controlled by: The name of the security event control under which this event was raised
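The Security ID, Account Name, Account Domain, Logon ID, Category, Subcategory, Subcategory GUID and Changes fields above are the Subject and Audit Policy Change sections of a Windows Security event 4719 ("System audit policy was changed"). The following Python is an added example, not code from this page or from the Event Manager product: it parses one constructed 4719 event (exported as XML) and maps it onto those summary fields, then flags the case a reviewer most needs to notice, auditing being switched off. The sample event, the account and host names, the subcategory GUID table and the meaning of the %%8448 to %%8451 change codes are assumptions taken from Microsoft's documentation of the event, not from this page.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML (as produced by Get-WinEvent ... | % { $_.ToXml() }).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Codes that appear in the AuditPolicyChanges field of event 4719, as
# documented by Microsoft for that event (assumption; not from the Event Manager page).
AUDIT_POLICY_CHANGE_CODES = {
    "%%8448": "Success removed",
    "%%8449": "Success added",
    "%%8450": "Failure removed",
    "%%8451": "Failure added",
}

# A few audit subcategory GUIDs (assumption; "auditpol /list /subcategory:* /v"
# prints the full list on a live Windows system).
SUBCATEGORY_BY_GUID = {
    "{0CCE9215-69AE-11D9-BED3-505054503030}": "Logon",
    "{0CCE9216-69AE-11D9-BED3-505054503030}": "Logoff",
    "{0CCE922F-69AE-11D9-BED3-505054503030}": "Audit Policy Change",
}

# Constructed sample: a 4719 recording that success and failure auditing of the
# Logon subcategory were switched off. SID, names, logon ID and host are illustrative.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4719</EventID>
    <TimeCreated SystemTime="2024-05-14T09:21:07.123456Z"/>
    <Channel>Security</Channel>
    <Computer>FILESRV01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7b2</Data>
    <Data Name="CategoryId">%%8274</Data>
    <Data Name="SubCategoryId">%%12544</Data>
    <Data Name="SubCategoryGuid">{0CCE9215-69AE-11D9-BED3-505054503030}</Data>
    <Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
  </EventData>
</Event>"""


def summarize_4719(xml_text):
    """Map the XML of one Security event 4719 onto the Event Summary fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", namespaces=NS) != "4719":
        raise ValueError("expected a Security event 4719")
    # EventData is a flat list of <Data Name="..."> elements.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    guid = data.get("SubCategoryGuid", "").upper()
    raw_changes = [c.strip() for c in data.get("AuditPolicyChanges", "").split(",") if c.strip()]
    time_created = system.find("e:TimeCreated", NS)
    return {
        "Security ID": data.get("SubjectUserSid", ""),
        "Account Name": data.get("SubjectUserName", ""),
        "Account Domain": data.get("SubjectDomainName", ""),
        "Logon ID": data.get("SubjectLogonId", ""),
        # CategoryId is a %%nnnn message-table reference; rendering it needs the
        # provider's message resources, so it is passed through unchanged here.
        "Category": data.get("CategoryId", ""),
        "Subcategory": SUBCATEGORY_BY_GUID.get(guid, guid),
        "Subcategory GUID": guid,
        "Changes": [AUDIT_POLICY_CHANGE_CODES.get(c, c) for c in raw_changes],
        "Event Time": time_created.get("SystemTime", "") if time_created is not None else "",
        "Audited On": system.findtext("e:Computer", default="", namespaces=NS),
    }


def auditing_reduced(summary):
    """True when the change removed success or failure auditing: the case a reviewer
    would normally flag as an incident, since an intruder with admin rights will
    often switch auditing off before acting."""
    return any(change.endswith("removed") for change in summary["Changes"])


if __name__ == "__main__":
    summary = summarize_4719(SAMPLE_EVENT_XML)
    for field, value in summary.items():
        print(f"{field}: {value}")
    print("Auditing reduced:", auditing_reduced(summary))
```

Fields such as Security Criticality, Regulations, Security Responsible and Controlled by are not in the Windows event at all; Event Manager attaches them from the asset configuration, which is why the page says the summary depends on what has been configured for each asset.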
Assigning the Event to a Reviewer
When the event is first raised it is assigned to the reviewer designated for that type of event. This is defined when setting Security Controls; see the Powertech Event Manager Configuration Guide for more information.
If no reviewer is currently defined, assign one by selecting the Assign to a reviewer option in the Event Manager header bar.
The Change Review dialog is displayed, allowing you to select the user to whom the event is assigned for review. Use the vertical scroll bar to view additional user profiles to which the event can be assigned.
- Click No Reviewer to leave the event unassigned for review.
- Click Add New to add a new reviewer profile.
Click OK to save and confirm the reviewer.
Assigning the Event to Another Reviewer
When the event is first raised it is assigned to the reviewer designated for that type of event, as defined when setting Security Controls. See Setting the Default Classification for more information.
To change the reviewer of this event, click Assign to another reviewer in the Event header bar.
Event Review
Options in the Event Review section of the analysis screen allow you to record whether the event is rated as a security incident and whether it remains open.
- Event was an Incident - Check this box to indicate that this event is classed as a security incident. Once classed as an incident, the event is counted in the Incidents, Threats and Highlights Summary in the Event Manager header bar, and its security risk level must be determined: select Low, Medium or High.
- Still Under Analysis? - Use this setting to record whether the event is still open or can be closed as a result of this review.
- Yes - The event requires further analysis and is left open for further review.
- No - The event has been reviewed and no further action is required, so it can be closed. Enter a comment explaining how the event was resolved.
Click Apply Changes to confirm and save the review settings.
Related Events
The Related Events section (available from the Forensic Analysis tab in this display) shows any events that have been linked with this event using the Event Relation functionality.
Event Activity
The Event Activity section of the Event Analysis display shows the human-written and, if enabled, automatically generated annotations and comments relating to the event.
- Show Automatic Annotations - This setting is enabled by default. Any action applied to this event, such as a change of reviewer, is shown in the activity section, providing an audit trail of the event's history.
Adding a Comment
Use the Comment text box to enter any details that are relevant to the event and of which other reviewers should be made aware. Click Comment to add the comment to the current Event Activity.