In this procedure, we describe the first and most straightforward method of investigating the trigger for a specific alarm.
To get information on the events that triggered an alarm:
Go to Analysis > Alarms and click the alarm within the Alarms list whose events you want to research.
You may choose the alarm based on its intent or on some other factor.
Click View Details.
On Alarm Details in the Events list at the bottom of the page, click one of the related events.
The Event Details view displays.
This view provides as many details as Sheriff CSM has about the event, including its risk, reliability, and priority.
Depending on the event, the Event Details may include:
An attack payload description.
Rule detection details if a particular correlation rule flagged the event.
A concise view of the raw log.
To see more details, click View More.
Examine the information on the event (see Review Event Details). For example, find out more about an involved source or destination IP address by clicking the respective IP in the Source or Destination section of the page.
If one of your assets was involved in an alarm, get more information by going to Environment > Assets & Groups > Assets.
If the alarm is based on an attack, verify whether or not it really affects your asset.
Check the asset's operating system and the services running on it. (This check requires you to know what kinds of endpoints the attack targeted; an attack against a service the asset does not run, or an operating system it is not, does not affect it.)
When examining assets, give special attention to any issues the vulnerability scan detected. If an asset shows many vulnerabilities, examine them to determine the severity of each (see Viewing the Scan Results).
Examine all reported alarms and events involving this asset to identify, or rule out, other activity related to the alarm.
Depending on the policies you configure (for example, how Sheriff CSM should handle events from other tools), some events may not be stored in the SIEM database. The risk assessment engine still correlates them and assesses their risk to create alarms, so an alarm can reference events you will not find in the Events list.
To locate these events, and to check for patterns of questionable asset activity, review the raw log.
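The two checks described above, verifying whether an alarm's attack actually applies to the asset and recovering alarm events that were never stored in the SIEM database from the raw log, as an added example. This is not Sheriff CSM code or its API: the Asset and Alarm structures, the raw log line layout, and all sample data are assumptions constructed for this example.

```python
"""Alarm triage helper (added example, not Sheriff CSM code).

Implements two checks from the procedure above:
  1. attack_applies(): does the attack behind an alarm fit the asset's OS,
     services and scanned vulnerabilities?
  2. unstored_events(): which events the alarm references are missing from
     the stored event set but recoverable from the raw log?
The Asset/Alarm structures and the raw log format are assumptions made for
this example, not the SIEM's own export format or API.
"""
import re
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    os: str                 # OS string as reported by the asset inventory
    services: set           # listening services, e.g. {"ssh", "http"}
    vulnerabilities: dict   # CVE id -> severity 1..5 from the vulnerability scan


@dataclass
class Alarm:
    alarm_id: str
    intent: str             # alarm intent, e.g. "Exploitation & Installation"
    target_os: set          # OS families the attack is known to target
    target_services: set    # services the attack abuses
    related_cves: set       # CVEs the attack exploits, if known
    event_ids: list         # ids of the events the correlation rule grouped


def attack_applies(alarm: Alarm, asset: Asset) -> dict:
    """Evidence for and against the alarm's attack affecting the asset.

    An empty target set means the attack is not known to be OS- or
    service-specific, so that dimension cannot rule the asset out.
    """
    os_match = (not alarm.target_os or
                any(t.lower() in asset.os.lower() for t in alarm.target_os))
    service_match = (not alarm.target_services or
                     bool(alarm.target_services & asset.services))
    matching = alarm.related_cves & set(asset.vulnerabilities)
    # Highest-severity matching scan finding first.
    vulns = sorted(matching, key=lambda c: asset.vulnerabilities[c], reverse=True)
    return {"os_match": os_match, "service_match": service_match,
            "matching_vulns": vulns, "likely_affected": os_match and service_match}


# Assumed raw log layout: "<timestamp> event_id=N src=IP dst=IP plugin=NAME <message>"
RAW_LINE = re.compile(r"^(?P<ts>\S+) event_id=(?P<eid>\d+) src=(?P<src>\S+) "
                      r"dst=(?P<dst>\S+) plugin=(?P<plugin>\S+) (?P<msg>.*)$")


def parse_raw_log(raw_log: str) -> list:
    """Parse raw log lines, skipping any that do not fit the assumed layout."""
    return [m.groupdict() for m in map(RAW_LINE.match, raw_log.splitlines()) if m]


def unstored_events(alarm: Alarm, stored_event_ids: set, raw_log: str):
    """Split the alarm's events that policy kept out of the SIEM database into
    those recoverable from the raw log and those found nowhere."""
    by_id = {e["eid"]: e for e in parse_raw_log(raw_log)}
    unstored = [eid for eid in alarm.event_ids if eid not in stored_event_ids]
    recovered = {eid: by_id[eid] for eid in unstored if eid in by_id}
    missing = [eid for eid in unstored if eid not in by_id]
    return recovered, missing


def asset_activity(asset: Asset, raw_log: str) -> dict:
    """Count raw log events per plugin in which the asset is source or
    destination, a quick way to spot unusual activity around the asset."""
    counts = {}
    for e in parse_raw_log(raw_log):
        if asset.ip in (e["src"], e["dst"]):
            counts[e["plugin"]] = counts.get(e["plugin"], 0) + 1
    return counts


# Constructed sample data: a Windows/SMB exploitation alarm raised against a
# Linux web/SSH host, of which only one of three events reached the database.
SAMPLE_ASSET = Asset(ip="10.0.0.5", os="Ubuntu 20.04 (Linux)",
                     services={"ssh", "http"},
                     vulnerabilities={"CVE-2021-41773": 5, "CVE-2020-15778": 3})
SAMPLE_ALARM = Alarm(alarm_id="alarm-1001", intent="Exploitation & Installation",
                     target_os={"Windows"}, target_services={"smb"},
                     related_cves={"CVE-2017-0144"},
                     event_ids=["5001", "5002", "5003"])
SAMPLE_STORED_EVENT_IDS = {"5001"}
SAMPLE_RAW_LOG = """\
2024-03-01T10:00:01Z event_id=5001 src=203.0.113.7 dst=10.0.0.5 plugin=suricata ET EXPLOIT SMB probe
2024-03-01T10:00:02Z event_id=5002 src=203.0.113.7 dst=10.0.0.5 plugin=suricata ET SCAN NMAP SMB
2024-03-01T10:00:09Z event_id=5010 src=10.0.0.5 dst=198.51.100.2 plugin=sshd Accepted publickey for deploy
this line is not in the expected layout and is skipped
"""
```

Run against the sample data, attack_applies() reports neither an OS nor a service match and no matching scan finding, so the SMB alarm does not affect the Linux host; unstored_events() recovers event 5002 from the raw log and reports 5003 as not found anywhere, which is the case the procedure tells you to resolve by reviewing the raw log rather than the Events list.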