Event Classification
Within the Real-Time and the Historical report screens, users can classify events to take a variety of actions or change event views. The Classify menu is accessed by right clicking a row and selecting "Classify" or by clicking on the icon shown below.
Classifications List
The Classifications List can be accessed by clicking on Rules -> Classifications from the top menu. The Classification List displays all of the classifications for the selected domain, organized by the Classification Action. The Options Strip at the top of the list contains the following options:
- "Upload Classifications" Button
- Click this button to open the classification uploader. Classifications must be in JSON format and contain all required information for the classification. This is useful if the user needs to quickly copy classifications in bulk from one domain to another.
- "New Classifications" Button
- Click this button to open the classification editor to create a new classification.
- Domain List Dropdown
- Use this menu to switch between the classifications in the domains.
- Classification Action Buttons
- Click these buttons to view Classifications with the same Classification Action.
- Search Field
- Type a value into the Search field to find classifications that match your query. The search will match against values in the classification name, category, addresses, and events fields.
The Classifications List is below the Options Strip. This list displays classifications for the selected domain and action. Each row shows all of the information from each matching classification. When the checkbox to the left of any row is checked, a panel will appear with buttons to delete or download the selected classifications. Multiple classifications can be selected at one time by clicking on the checkbox for a classification, holding the Shift key on the keyboard, and then clicking the checkbox for any other classification in the list.
When classifications are deleted, the classifications are moved to the "Trashed" action. These classifications are never used anywhere else, and are automatically deleted after thirty days. A classification can be restored by checking the checkbox next to the classification and clicking the "Restore Selected" button from the options panel that appears.
Creating a Classification
There are two ways to create a classification:
- Right-click on any record in Historical or Real-Time to open the context menu. Click the "Highlight" option, or
- From the Classifications page, click the "+" button.
When creating a new classification from Real-Time or Historical records, the "Add Classification" page will auto-populate fields based on the selected event.
Classification Name
This defines the name of the classification. This is required.
Classification Domain
This is the domain in which the classification will be created. The classification will be applicable to data from all sensors in the selected domain. This is required.
Classification Category
This indicates a category name. The category name will appear as a menu in the browser if the classification action is "Highlight". This is required.
Classification Action
When an event matches the classification, this is the action that will be performed. There are seven action types:
- Highlight
- This highlights the matching records in the Real-Time, Historical, and Reports with the selected color. These classifications can be selected from the menu strip at the top of the Real-Time and Historical pages to filter records for events that matched the classification.
- Block
- This triggers the Soft IPS for matching records, causing connections matching the classification to be blocked.
- E-mail
- This e-mails matching records as a PDF report to the specified address every ten minutes, or as frequently as possible if the Real-Time interface is kept open. Separate multiple e-mail addresses with a semicolon. NOTE: The classification e-mails will be sent immediately if the Real-Time page is open, or within ten minutes if it is not. If the user wants to receive e-mail as soon as an event matches the classification, enable Real Time E-mail Alerts. See Real Time E-mail Alerts for more.
- Ignore
- This ignores events that match the classification and this causes the sensor to discard those events. These events will not be displayed in either the Real-Time or Historical interfaces.
- Delete
- This deletes matching records from the browser to free up memory. There are a number of default Delete classifications that reduce browser memory utilization. A user can add their Delete classifications to further optimize this function according to the needs of a specific environment. This action does not apply to records in the Historical page.
- Rank
- This increases the priority/rank of records matching the Rank classification.
- Disabled
- This allows a user to disable a classification without deleting it.
Comparison Types
When a classification is created, the user defines values to match in the metadata for events (the available fields are listed below). The possible comparison types are listed below; which comparison types are available depends on the field.
- Any
- This is the default comparison type. Any value is matched / field is ignored.
- <, <=, >, >=, ==, !=
- Numeric comparison operations.
- Regex
- Compare the field data against the provided regular expression. All regexes are case-insensitive.
- Not Empty
- The field has any non-empty value.
- Empty
- The field has no value.
Detail Fields
Events
- IDS Alerts
- Match against the triggered IDS events in the record, if any.
- Services
- Match against services the event was using, if any.
- Log Messages
- Match against log messages in the record, if any.
Addresses and Ports
- Server/Client IP Addresses
- Match IPv4 or IPv6 addresses in server or client IP address fields. Example: 192.168.1.0/24
- Server/Client Ports
- Match against server or client port fields. All values must be numeric. You can provide multiple ports, separated by commas. You can also provide a range of ports. Example: 80,443,1024-2048
Originating Sensor
Limit the classification to records where the Sensor field matches the expression.
Metrics
- Age (in seconds)
- Match records that are older or newer than the specified age (in seconds).
- Rank
- Match records that have a specific rank/priority value.
- Bytes
- Match records that are larger or smaller than a specific size in bytes.
- Packets
- Match records that have more or less than the specified number of packets.
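The comparison types, the address and port specs, and the numeric metric fields described above can be exercised with a small matcher. This is an added example and not the product's own matching code or upload format: the rule dictionary layout, the field names, and the "Addresses" and "Ports" comparison names are assumptions, since the page only states that uploads are JSON.

```python
import ipaddress
import operator
import re

# Assumed rule layout (this page does not document the upload JSON): each rule
# maps a field name to a (comparison, operand) pair; unlisted fields mean "Any".
NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
               ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def parse_ports(spec):
    """Expand a port spec such as '80,443,1024-2048' into a set of ints."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return ports

def in_addresses(value, spec):
    """True when an IPv4/IPv6 value lies inside any CIDR or host in spec."""
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False)
               for n in spec.split(","))

def match_field(value, comparison, operand=None):
    """Apply one of the page's comparison types to a single field value."""
    if comparison == "Any":
        return True
    if comparison in ("Empty", "Not Empty"):
        return (value in (None, "", [])) == (comparison == "Empty")
    if comparison == "Regex":  # the page states all regexes are case-insensitive
        return re.search(operand, str(value), re.IGNORECASE) is not None
    if comparison == "Addresses":
        return in_addresses(value, operand)
    if comparison == "Ports":
        return int(value) in parse_ports(operand)
    return NUMERIC_OPS[comparison](float(value), float(operand))

def classify(record, rules):
    """Return (name, action) for every enabled rule whose fields all match."""
    return [(r["name"], r["action"]) for r in rules if r["action"] != "Disabled"
            and all(match_field(record.get(f), c, o) for f, (c, o) in r["fields"].items())]

# Constructed sample rules and record; not taken from any real deployment.
RULES = [
    {"name": "web-or-high", "action": "Highlight",
     "fields": {"server_port": ("Ports", "80,443,1024-2048"), "ids_alerts": ("Empty", None)}},
    {"name": "lan-big-flows", "action": "Rank",
     "fields": {"client_ip": ("Addresses", "192.168.1.0/24"), "bytes": (">", "1000000")}},
]
RECORD = {"server_port": "1500", "client_ip": "192.168.1.7", "bytes": "2500000", "ids_alerts": ""}
print(classify(RECORD, RULES))  # → [('web-or-high', 'Highlight'), ('lan-big-flows', 'Rank')]
```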
Viewing Classes
A demonstration of a classification based on server ports 80, 53 and greater than 1024 is displayed in Figure 4.
Selecting the Views icon to the left will display the classification list shown in Figure 5.
Selecting an individual class name will create a frame that contains only the records matching that class. Selecting "All" will bring you back to the colorized summary. Selecting the "Edit" icon will allow you to edit your classification. If the classification is not new, clicking the "Save" icon modifies the original classification, while selecting the "Save As" icon adds a new classification. It is therefore possible to edit existing classifications, as well as derive new ones from those already existing, without starting from scratch every time.
Class Access and Legends
Once different classifications with an action of "Classify" are defined, they can be accessed via a drop-down menu below the main menu. Each classification category is displayed. Hovering over a category displays the available classes within that category, each in the color the user selected for it. (A category called "protos" and three classifications within that category are shown in Figure 6.) Selecting an individual class will change the current view to show only those records that match the classification. Selecting "All" will switch the display back to showing all classes.