Determine the Origin of a Security Incident
Applies To: WatchGuard Advanced Reporting Tool
On the Detailed Information tab, you can review information about the endpoints involved in a security incident. You can filter the information in the Alert data table to determine the origin of a security incident.
To determine the origin of a security incident, from the WatchGuard Endpoint Security management UI:
1. Select Status.
2. Select Advanced Visualization Tool.
3. In the tab that opens, from the left pane, select Advanced Reporting > Security Incidents.
4. Select the date range for the data you want to see.
5. Click Refresh.
6. Select the Detailed Information tab.
7. Above the Incidents on All Endpoints table, click the menu icon and select Go to Query.
8. To view the full data table, in the table legend, click oem.panda.paps.alert.
    For information on the fields available in the Alert table, see Fields Available in the Alert Table below.
9. To filter the table by machine name, click the down arrow in the machineName column.
10. Select the check box next to a machine name.
    The Operations Over Columns dialog box opens.
11. Click Apply.
12. To filter the alertType column by malware, repeat steps 9 to 11 on the alertType column.
    The table shows the malware name (itemName) and location (itemPath).
13. Add the itemName and itemPath columns to the data table.
14. In the toolbar, click Toggle Query Editor.
15. Clear the existing code and paste this query in the text box:

    ```
    from oem.panda.paps.alert
    where alertType = "Malware" or alertType = "PUP"
    or alertType = "Exploit"
    group every 30m by alertType, machineName, itemName, itemPath
    every -
    select count() as count
    ```

16. Click Run.
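The query above answers "which endpoints, which files, how often" but not "where did it come from". The following Python script is an added example, not WatchGuard code and not part of the Advanced Reporting Tool: it reproduces the query's 30-minute bucketing and grouping offline over alert-table rows and then goes one step further by pivoting on the sourceIP, sourceMachineName and sourceUserName fields, which the Alert table populates when a threat arrived from outside the customer network. It assumes the rows were exported from the tool as JSON objects using the Alert table field names and that eventdate is formatted as `YYYY-MM-DD HH:MM:SS`; the sample rows, machine names and threat names are constructed for the demonstration.

```python
"""Offline replica of the Security Incidents origin query.

Added example, not WatchGuard's code. Assumes alert rows exported from the
Advanced Reporting Tool as dicts keyed by the Alert table field names, with
eventdate formatted 'YYYY-MM-DD HH:MM:SS' (format assumed, not documented here).
"""
from collections import Counter
from datetime import datetime, timezone

# The same three alertType values the page's query filters on.
THREAT_TYPES = {"Malware", "PUP", "Exploit"}

# Constructed sample rows: two finance endpoints receive the same file from one
# remote host (one execution), plus a local PUP and a blocked browser exploit.
SAMPLE_ALERTS = [
    {"eventdate": "2024-03-04 09:02:11", "alertType": "Malware", "machineName": "WS-FINANCE-01",
     "itemName": "Trj/Sample.A", "itemPath": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "sourceIP": "203.0.113.25", "sourceMachineName": "", "sourceUserName": "",
     "executionStatus": "Not Executed"},
    {"eventdate": "2024-03-04 09:17:40", "alertType": "Malware", "machineName": "WS-FINANCE-02",
     "itemName": "Trj/Sample.A", "itemPath": "C:\\Users\\bob\\Downloads\\invoice.exe",
     "sourceIP": "203.0.113.25", "sourceMachineName": "", "sourceUserName": "",
     "executionStatus": "Executed"},
    {"eventdate": "2024-03-04 09:25:30", "alertType": "Malware", "machineName": "WS-FINANCE-01",
     "itemName": "Trj/Sample.A", "itemPath": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "sourceIP": "203.0.113.25", "sourceMachineName": "", "sourceUserName": "",
     "executionStatus": "Not Executed"},
    {"eventdate": "2024-03-04 10:45:03", "alertType": "PUP", "machineName": "WS-HR-05",
     "itemName": "PUP/Toolbar.A", "itemPath": "C:\\Program Files\\Toolbar\\tb.exe",
     "sourceIP": "", "sourceMachineName": "", "sourceUserName": "",
     "executionStatus": "Executed"},
    {"eventdate": "2024-03-04 10:50:12", "alertType": "Exploit", "machineName": "WS-DEV-03",
     "itemName": "Exploit/Browser", "itemPath": "C:\\Program Files\\Browser\\browser.exe",
     "sourceIP": "", "sourceMachineName": "", "sourceUserName": "",
     "executionStatus": "Not Executed"},
]


def parse_eventdate(value):
    """Parse the assumed 'YYYY-MM-DD HH:MM:SS' eventdate as UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def bucket_start(dt, window_secs=1800):
    """Floor dt to the start of its window; 1800 s mirrors 'group every 30m'."""
    epoch = int(dt.timestamp())
    start = datetime.fromtimestamp(epoch - epoch % window_secs, tz=timezone.utc)
    return start.strftime("%Y-%m-%d %H:%M")


def count_by_incident(alerts, window_secs=1800):
    """Equivalent of the page's query: keep Malware/PUP/Exploit rows and
    count() them per 30-minute window, alertType, machineName, itemName, itemPath."""
    counts = Counter()
    for row in alerts:
        if row["alertType"] not in THREAT_TYPES:
            continue
        key = (bucket_start(parse_eventdate(row["eventdate"]), window_secs),
               row["alertType"], row["machineName"], row["itemName"], row["itemPath"])
        counts[key] += 1
    return dict(counts)


def origin_summary(alerts):
    """Pivot on the source* fields: for each remote origin (rows with a sourceIP),
    list the endpoints it reached, the detection count, and whether any copy ran."""
    summary = {}
    for row in alerts:
        if row["alertType"] not in THREAT_TYPES or not row.get("sourceIP"):
            continue  # local detections carry no remote origin
        key = (row["sourceIP"], row.get("sourceMachineName", ""), row.get("sourceUserName", ""))
        entry = summary.setdefault(key, {"targets": set(), "count": 0, "executed": False})
        entry["targets"].add(row["machineName"])
        entry["count"] += 1
        if row["executionStatus"] == "Executed":
            entry["executed"] = True
    for entry in summary.values():
        entry["targets"] = sorted(entry["targets"])
    return summary


if __name__ == "__main__":
    for key, n in sorted(count_by_incident(SAMPLE_ALERTS).items()):
        print(n, *key)
    for origin, info in origin_summary(SAMPLE_ALERTS).items():
        print(origin, info)
```

On the sample data the first pass reports two detections of the same file on WS-FINANCE-01 inside the 09:00 window and one on WS-FINANCE-02, while the origin pivot collapses all three to a single remote host, 203.0.113.25, with one executed copy. That second view is the one to act on: the lateral spread is explained by one source, and the executed instance on WS-FINANCE-02 is the endpoint to isolate first.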
Fields Available in the Alert Table
The Alert table shows the incidents that appear in the Activity tile on the WatchGuard Endpoint Security dashboard (Advanced EPDR, EPDR, or EDR). It contains one row for each threat detected on the customer network, with information on the computer involved, the type of incident, the timestamp, and the result.
Each field can be used in a query to filter the data table.
| Field | Description | Values |
|---|---|---|
| eventdate | Date when the event was received on the Advanced Reporting Tool server. | Date |
| machineIP | IP address of the customer computer that triggered the alert. | IP address |
| date | Date on the user computer when the event was generated. | Date |
| alertType | Category of the threat that triggered the alert. | Malware, PUP, Exploit |
| machineName | Name of the customer computer. | String |
| executionStatus | Whether the threat was executed. | Executed, Not Executed |
| dwellTimeSecs | Time in seconds since the threat was first seen on the customer network. | Seconds |
| itemHash | Hash of the detected threat. | String |
| itemName | Name of the detected threat. | String |
| itemPath | Full path of the file that contains the threat. | String |
| sourceIP | If the malware came from outside the customer network, the IP address of the remote computer. | IP address |
| sourceMachineName | If the malware came from outside the customer network, the name of the remote computer. | String |
| sourceUserName | If the malware came from outside the customer network, the user of the remote computer. | String |
| urlList | List of accessed URLs if a browser exploit is detected. | String |
| docList | List of accessed documents if a file exploit is detected. | String |
| version | Content of the Version attribute of the process metadata. | String |
| vulnerable | Indicates whether the application is considered vulnerable. | Boolean |