
Sheriff CSM™

Analyzing Alarms, Events, Logs, and Tickets

You will likely spend the most time reviewing and analyzing the network security of your environment using various options provided in the Sheriff CSM web UI Analysis menu. The Analysis menu provides the following submenu selections:
  • Alarms — Shows all the alarms generated in Sheriff CSM. (Any event with a calculated risk value of 1 or greater generates an alarm.) You can also search for alarms using filters.

  • Security Events (SIEM) — Displays all events that were processed or generated by the Sheriff CSM Server. You can also search and filter events that appear in the display as well as view details of specific events.

  • Tickets — Provides access to the Sheriff CSM ticket management system. Tickets provide workflow tracking of activity related to detected alarms or any other issues that you want to keep track of.

The Alarms Page Display

When you select the Analysis > Alarms option, Sheriff CSM displays the following page.

Alarms page

By default, the display opens in List View, which simply lists alarms in reverse chronological order (the latest issued alarm is displayed first). You can also change the display to Group View, which allows you to group alarms by different keys such as alarm name, source and destination IP address, or alarm type.

The middle portion of the screen includes a table that provides a graphical aggregated representation of alarms that occurred in the last 31 days; each column represents a different day. Blue circles indicate the number of times that an alarm in a category appeared. A bigger circle indicates a higher number of alarms were generated. You can mouse over each of the circles to get the actual number of different types of events that occurred as well as a Top 5 list of possible remedies for each alarm type.

Alarms are sorted into five different categories, which are represented by the graphic icons in the display. These are:

  • System Compromise
  • Exploitation and Installation
  • Delivery and Attack
  • Reconnaissance and Probing
  • Environmental Awareness

The categories follow the sequence of stages that an attacker might go through to successfully infiltrate a network, gain unauthorized access to data, or perform some other malicious act. They also correspond to the stages of the attack model published by Lockheed Martin as the Cyber Kill Chain.

Below the categorized display of alarm icons, Sheriff CSM displays a tabular listing of individual alarms, by default in reverse chronological order. If you click on any of the blue circles, Sheriff CSM displays only the alarms corresponding to the selected circle. From the list of alarms, you can click on any individual alarm row to expand the information displayed about the alarm. You can then click the View Details button, or the View Details icon, to display more information on the selected alarm, including the individual events that actually triggered the alarm.
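The following added example (not Sheriff CSM code) models the rules described above offline: the risk threshold of 1 that turns an event into an alarm, the List View ordering, the Group View bucketing, and the 31-day per-category count table. The event records, field names, and dates are constructed for illustration.

```python
"""Offline model of the Alarms page aggregation rules (added example)."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample events. "risk" is the already-calculated risk value;
# "category" is the kill-chain category the alarm display sorts by.
EVENTS = [
    {"name": "SSH brute force", "src": "10.0.0.5", "dst": "10.0.1.20",
     "risk": 3, "category": "Delivery and Attack", "day": date(2022, 6, 1)},
    {"name": "Host up", "src": "10.0.1.20", "dst": "10.0.1.20",
     "risk": 0, "category": "Environmental Awareness", "day": date(2022, 6, 1)},
    {"name": "Port scan", "src": "10.0.0.7", "dst": "10.0.1.20",
     "risk": 1, "category": "Reconnaissance and Probing", "day": date(2022, 6, 10)},
    {"name": "Malware beacon", "src": "10.0.1.20", "dst": "203.0.113.9",
     "risk": 5, "category": "System Compromise", "day": date(2022, 6, 16)},
    {"name": "SSH brute force", "src": "10.0.0.5", "dst": "10.0.1.21",
     "risk": 2, "category": "Delivery and Attack", "day": date(2022, 6, 16)},
    # Older than the 31-day table window used in the test below.
    {"name": "Exploit attempt", "src": "10.0.0.9", "dst": "10.0.1.22",
     "risk": 4, "category": "Exploitation and Installation", "day": date(2022, 5, 1)},
]


def alarms_from_events(events):
    """An event becomes an alarm when its calculated risk is 1 or greater."""
    return [e for e in events if e["risk"] >= 1]


def list_view(alarms):
    """List View: reverse chronological order, latest alarm first."""
    return sorted(alarms, key=lambda a: a["day"], reverse=True)


def group_view(alarms, key):
    """Group View: alarms bucketed by a key such as name, src, dst or category."""
    groups = defaultdict(list)
    for a in alarms:
        groups[a[key]].append(a)
    return dict(groups)


def daily_category_counts(alarms, end_day, days=31):
    """Per-category, per-day alarm counts for the window ending at end_day.

    Mirrors the circle table: one column per day, one row per category,
    circle size proportional to the count.
    """
    start = end_day - timedelta(days=days - 1)
    counts = defaultdict(Counter)
    for a in alarms:
        if start <= a["day"] <= end_day:
            counts[a["category"]][a["day"]] += 1
    return {cat: dict(c) for cat, c in counts.items()}
```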

The top section of the Alarms page display lets you search for and filter alarms that are displayed on the Alarms page. You can qualify alarms by event attributes such as sensor location, asset group, risk level, or OTX pulse.

Note: See Alarm Management for more information on the operation of Alarms in Sheriff CSM.

The Security Events (SIEM) Page Display

When you select the Analysis > Security Events (SIEM) menu option, Sheriff CSM displays the following page.

By default, the Security Events (SIEM) page displays a SIEM view of events. The Sheriff CSM web UI also provides two other options for displaying security events:
  • Real-Time — A view that shows events in progress in your network.

  • External Databases — display security events from an external Sheriff database that is associated with a different Sheriff CSM installation. For more information on configuring a connection to an external Sheriff database, see How to display Security Events from an External Sheriff Database.

From the SIEM option view, you can search and filter for events using time ranges and other event attribute criteria.

See Event Management for more information on monitoring and analyzing events in Sheriff CSM.

Below the Search Filter section of the page, Sheriff CSM displays all events, or only the filtered events if you specified search criteria. Any normalized log event, or any other event received or generated by a Sheriff CSM Sensor at the application, system, or network level, appears in the display unless a Sheriff CSM policy has filtered it out or your search filter criteria exclude it.

From the tabular summary listing of events, you can click on a specific event row to view further details about that event in a popup window. You can also click the More Details icon in an event row to display the event detail on a new page, which also lets you choose further actions to take with the current event.

The Tickets Page Display

When you select the Analysis > Tickets option, Sheriff CSM displays the following page.

Tickets page

This page provides access to the Sheriff CSM ticket remediation system. Tickets provide workflow tracking of activity related to detected alarms or any other issues that you want to keep track of. By default, the Sheriff CSM web UI displays a list of all tickets. In addition, you can click the Create button to create a new ticket of a specific type or category.

In the Filters section at the top of the Tickets page, you can choose criteria to filter the ticket results. You can choose additional criteria to filter ticket results by clicking the Switch to Advanced option.

From the ticket summary list, you can click on a specific ticket to open it and display its full details on a new page. From this ticket detail display, you can perform various actions such as editing fields in the ticket, assigning the ticket, adding notes and attachments, and changing the status and priority of the ticket, depending on the method or process you use to track the resolution of issues.

Topic revision: 16 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.