Event Summary

Click an event listed on the Event Manager display to review or inspect it in further detail in the Event Summary display.

The Event Summary typically shows the following information:

  • Event Time - The time at which the security event was logged.
  • Action Performed By - The name of the user profile that initiated the action.
  • From workstation - The name of the device from which the action was initiated.
  • Action - The name of the Action audit control event that was triggered.
  • Action Performed On - The name of the file or program on which the action was performed.
  • On Workstation - The name of the workstation on which the action was performed.
  • Complete Message - Provides the complete message detail of the event.
  • Audited On - The name of the machine on which the action was audited.
  • Controlled by - The name of the security event control under which this event was raised.

Assigning the Event to a Reviewer

When the event is first raised, it is assigned to the reviewer who has been designated to review that specific type of event. This setting is defined when setting Security Controls. See the Event Manager Configuration Guide for more information.

If no reviewer is currently defined, you can assign one by selecting the Assign to a reviewer option in the Event Manager header bar.

The Change Review dialog is displayed, allowing you to select the user to whom the event is assigned for review. Use the vertical scroll bar to view additional user profiles to which the event can be assigned.

  • Click No Reviewer to leave the event unassigned for review.
  • Click Add New to add a new reviewer profile.

Click OK to save and confirm the reviewer.

Assigning the Event to Another Reviewer

When the event is first raised, it is assigned to the reviewer who has been designated to review that specific type of event. This setting is defined when setting Security Controls. See Setting the Default Classification for more information.

To change the reviewer of this event, click Assign to another reviewer in the Event header bar.

Event Review

Options in the Event Review section of the analysis screen allow you to determine whether the event is rated as a security incident and whether or not it is still live.

  • Event was an Incident - Check this box to indicate that this event is classed as a security incident. If classed as an incident, this event appears as an incident count in the Incidents, Threats and Highlights Summary in the Event Manager header bar. See Incidents, Threats and Highlights for more information. Once the event has been identified as an incident, the level of Security risk needs to be determined. Select from Low, Medium or High.
  • Still Under Analysis? - Use this setting to determine whether the event is still open or can be closed as a result of this review.
    • Yes - This event requires further analysis, so it is left open for review.
    • No - The event has been reviewed and no further action is required, so it can be closed. Enter a comment to explain how the event was resolved.

Click Apply Changes to confirm and save the review settings.

Related Events

The Related Events section (available from the Forensic Analysis tab in this display) shows any events that have been linked with this event using the Event Relation functionality.

Event Activity

The Event Activity section of the Event Analysis display shows any human and, if required, automatically generated annotations and comments for the event.

  • Show Automatic Annotations - This setting is enabled by default. Any actions that are applied to this event, such as a change of reviewer, are shown in the activity section, providing you with an audit trail of the event history.

Adding a Comment

Use the Comment text box to enter any details that are relevant to the event and of which other reviewers should be made aware. Click Comment to add the comment to the current Event activity.
