Forensic Analysis Overview
Use the following displays and options to navigate through the Forensic Analysis Overview display.
The Forensic Analysis Overview menu bar
The Forensic Analysis Overview contains a menu bar that provides access to configuration options and common functionality found within Event Manager.
Display Selection
Use the down arrow to select another display from:
Review Filtered Events
Click Review Filtered Events to open Forensic Analysis in Timeline view, filtered to the active filters that are currently applied to the Overview.
View
Click the View icon to be able to select from a series of pre-defined Standard and User created views.
Incidents, Threats, and Highlights Summary Totals
In the Event Manager menu bar, a summary of all the open incidents, threats and highlighted events is shown. This gives a quick, at-a-glance view of what is currently posing a security risk against your business assets.
The summary counts are taken from the events for each audit control against which an event has been logged.
Configuration
Click the Configuration icon to open the Event Manager configuration options. These options are detailed in the Powertech Event Manager Configuration Guide.
Applications
Click the Applications icon to display a drop-down menu displaying other Fortra applications such as Vityl IT & Business Monitoring and Insite. Click on an application to go to the selected option.
User Settings
Click the User Settings icon to display a drop-down menu showing the name of the current user logged into this session. Also available from this display are the individual settings for this user and the option to sign out of the current session.
Helpsystems
Click the Helpsystems logo to go directly to the Event Manager options display.
Time Range
Use the drop-down menu to select a new time period over which security event data is displayed.
Assets
By default, All Assets are selected. Click Assets to open a drop-down menu displaying a list of Assets that match the current filter. Selected Assets are marked by an icon next to the name. Use the Search criteria to filter the list of Assets to those required. Once selected, click OK. The name of the selection is displayed beneath Assets and the graphical display updates to show the events for just the Assets selected.
Operator
By default, All Operators are selected. Click Operators to open a drop-down menu displaying a list of Operators that match the current filter. Selected Operators are marked by an icon next to the name. Click Clear to remove the selection from all of the listed Operators. Individual Operators can then be selected by clicking the icon next to the name. Multiple Operators can be selected simultaneously. Once the selections have been made, click OK. The name of the first Operator selected is displayed beneath Operator and the graphical display updates to show the events for just the Operators selected. Click Select All to reselect all Operators.
Platform
By default, All Platforms are selected. Click Platforms to open a drop-down menu displaying a list of Platforms that match the current filter. Selected Platforms are marked by an icon next to the name. Click Clear to remove the selection from all of the listed Platforms. Individual Platforms can then be selected by clicking the icon next to the name. Multiple Platforms can be selected simultaneously. Once selected, click OK. The name of the first Platform selected is displayed beneath Platform and the graphical display updates to show the events for just the Platforms selected. Click Select All to reselect all Platforms.
Action
By default, All Actions are selected. Click Actions to open a drop-down menu displaying a list of Actions that match the current filter. Selected Actions are marked by an icon next to the name. Click Clear to remove the selection from all of the listed Actions. Individual Actions can then be selected by clicking the icon next to the name. Multiple Actions can be selected simultaneously. Once selected, click OK. The name of the first Action selected is displayed beneath Action and the graphical display updates to show the events for just the Actions selected. Click Select All to reselect all Actions.
Display Database Stored Events
Enable this option to display only those events that have actually been stored in the database. By default, Forensic Analysis displays the total number of events including repetitions of summarized events.
Compare With Previous Period
Enable this option to display an additional line on the graphical panels showing the comparative data for the corresponding previous time period. This setting is off by default.
Display Common Events
Common events are the everyday security events that are processed through the system without necessarily posing a security risk. These events can make viewing the important detail difficult. By default, the Forensic Analysis view includes these common events. Toggle this switch to remove the common events from the display.
Auto-refresh
Use the slider control to turn Auto-refresh on and off. When auto-refresh is enabled, the screen is automatically updated with new events at the set frequency. The default setting is 300 seconds. To change the frequency, click the Frequency icon and enter a new time interval in seconds. The minimum value is 120 seconds.
Refresh
If Auto-refresh is not enabled, use the Refresh button to update the Event Manager display with any security information that has been generated since the Event Manager option was last opened. Should a new event occur before the screen has been refreshed, a red dot appears above this icon to indicate that a new event has occurred and will be displayed on the next refresh.
Reset Filters
Use the Reset Filters button to cancel any filter settings currently applied to the display and show all of the unfiltered events.
Graphical Summary
The Forensic Analysis Overview contains a graphical summary of the Security events as controlled by the current filter settings.
The display is comprised of five panels showing the following information over the selected time range:
- Events: Displays a graphical line chart showing the audit trail of security events raised by the monitored systems in your enterprise.
- Actions: Displays a horizontal bar chart showing the top actions that raised the most security events.
- Operators: Displays the user names of the top user profiles that raised the most security events.
- Platforms: Displays the top operating systems in your enterprise that generated the most security events.
- Assets: Displays the top assets in your enterprise that generated the most security events.
For each panel in this display, the following security event information is available:
- Highlights: A highlight is a security event not deemed severe enough to be considered a threat or incident but which warrants further manual investigation.
- Threats: A threat is an event deemed serious enough to put your business at risk and should be investigated as a matter of urgency.
- Incidents: An incident means that security has been breached. This is the highest level of event possible.
Accessing information in the display
From within each of the panels on the Forensic Analysis display it is possible to get a breakdown of the security events.
The top of the graphical summary displays the same Incidents, Threats and Highlights counts as those in the menu bar. However, clicking on any of these counts here filters the graphical display to just that selection.
For example, clicking on the Threats count value filters the graphical display to show only threats.
Events panel
The Events panel displays the audit trail of security events raised by the monitored systems in your enterprise, over the selected time range.
Hover the mouse pointer above any of the time points on the grid to display an instant snapshot of the number of Incidents, threats and highlights.
Hover over either the left or right vertical 'time' slider to zoom the display to a different date / time combination. This allows you to reposition this panel to a specific week, date or time, depending on the time range setting, to drill down into specific detail. The entry in the Time Range menu bar changes to reflect the newly displayed event data. Once the zoom option has been used, an arrow appears to the side of both sliders. Click either arrow to return the Events panel display to the setting prior to the slider use.
Actions, Operators, Platforms, and Assets panels
These panels display the top actions, operators, platforms and assets that raised the most security events over the selected time range.
Hover the mouse pointer over any shaded area on these panels to display the exact number of common events, highlights and threats for the displayed actions, operators, platforms or assets.
Click on a shaded area to filter this, and all the other panels on this display, by the chosen selection.
Once the investigation is complete, click the small Reset Filter icon next to the panel name to reset the display or alternatively use the Reset Filter option from the menu bar.
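The panel counts described above depend on two of the menu bar switches: Display Database Stored Events (count stored rows rather than the repetitions a summarized event stands for) and Display Common Events (include or exclude common events before ranking). The following is an added illustration of that arithmetic in Python, not Event Manager's own code; the sample rows, the `repetitions` field name and the filter function are constructed assumptions.

```python
"""Constructed model of how the Forensic Analysis panels count and rank events.

Illustrative only: not Powertech Event Manager's implementation. Field names
(including 'repetitions' for a summarized event's repeat count) are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SEVERITIES = ("common", "highlight", "threat", "incident")
RANKED_SEVERITIES = ("incident", "threat", "highlight")


@dataclass(frozen=True)
class StoredEvent:
    """One stored row. A summarized event carries the number of occurrences it
    stands for; a non-summarized event has repetitions == 1."""
    asset: str
    operator: str
    platform: str
    action: str
    severity: str
    repetitions: int = 1


# Constructed sample data (asset, operator, platform, action, severity, repetitions).
EVENTS = [
    StoredEvent("ibmi-prod", "QSECOFR", "IBM i", "Sign-on failure", "threat", 25),
    StoredEvent("ibmi-prod", "JSMITH", "IBM i", "Object authority change", "highlight", 1),
    StoredEvent("win-dc01", "administrator", "Windows", "Logon success", "common", 400),
    StoredEvent("win-dc01", "svc-backup", "Windows", "Logon success", "common", 120),
    StoredEvent("win-dc01", "administrator", "Windows", "Group membership change", "incident", 1),
    StoredEvent("lnx-web02", "root", "Linux", "sudo command", "highlight", 8),
    StoredEvent("lnx-web02", "deploy", "Linux", "Logon success", "common", 60),
]


def apply_filters(events, *, assets=None, operators=None, platforms=None,
                  actions=None, severities=None, show_common=True):
    """Keep events matching every supplied filter (None means 'All', as in the
    menu bar defaults). show_common=False mirrors turning Display Common Events off."""
    kept = []
    for e in events:
        if assets is not None and e.asset not in assets:
            continue
        if operators is not None and e.operator not in operators:
            continue
        if platforms is not None and e.platform not in platforms:
            continue
        if actions is not None and e.action not in actions:
            continue
        if severities is not None and e.severity not in severities:
            continue
        if not show_common and e.severity == "common":
            continue
        kept.append(e)
    return kept


def _weight(event, database_stored_only):
    # Display Database Stored Events on: each stored row counts once.
    # Off (default): a summarized row counts once per repetition.
    return 1 if database_stored_only else event.repetitions


def totals(events, database_stored_only=False):
    """Incidents / Threats / Highlights summary counts for the menu bar."""
    counts = Counter()
    for e in events:
        counts[e.severity] += _weight(e, database_stored_only)
    return {s: counts[s] for s in RANKED_SEVERITIES}


def top_n(events, dimension, n=5, database_stored_only=False):
    """Rank one dimension (action, operator, platform or asset) by total event
    count, returning (value, {severity: count}) pairs as a panel would show them."""
    per_value = defaultdict(Counter)
    for e in events:
        per_value[getattr(e, dimension)][e.severity] += _weight(e, database_stored_only)
    ranked = sorted(per_value.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(value, dict(breakdown)) for value, breakdown in ranked[:n]]


if __name__ == "__main__":
    print("totals, all occurrences:", totals(EVENTS))
    print("totals, stored rows only:", totals(EVENTS, database_stored_only=True))
    print("top platforms, common shown:", top_n(EVENTS, "platform"))
    print("top platforms, common hidden:",
          top_n(apply_filters(EVENTS, show_common=False), "platform"))
```

With common events shown, Windows dominates the Platforms panel on sheer logon volume; with them hidden, IBM i moves to the top because its 25 failed sign-ons are the largest non-common count. That reversal is why the Display Common Events switch matters when reading the top-N panels.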
Screen shot
If, at any time, you want to take a screen shot of the current Overview display, click the Camera icon in the bottom right-hand corner of the display. You are then prompted whether to open or save the captured .png image.