Determine the Origin of a Security Incident

Applies To: WatchGuard Advanced Reporting Tool

On the Detailed Information tab, you can see information about the endpoints involved in a security incident. You can filter the information on the tab to determine the origin of a security incident.

Screen shot of Advanced Visualization Tool, ART > Detailed Information

To filter the data table to determine the origin of a security incident:

  1. In the WatchGuard EPDR or WatchGuard EDR web UI, select Status.
  2. From the left pane, select Advanced Visualization Tool.
  3. In the tab that opens, from the left pane, select Advanced Reporting > Security Incidents.
  4. Select the date range for the data you want to see.
  5. Click Refresh.
  6. Select the Detailed Information tab.
  7. Review the list of endpoints in the Endpoints Involved in Incidents tile.
  8. To open the corresponding data table, from the tile menu, select Go to Query.

Screen shot of Advanced Visualization Tool, ART > Go to query

  9. Above the data table that opens, in the table legend, click oem.panda.paps.alert.

Screen shot of Advanced Visualization Tool, ART > legend bar

  10. In the full data table, to filter the table by machine name, click the down arrow in the machineName column.

Screen shot of Advanced Visualization Tool data table

  11. Select the check box next to a machine name.
    The Operations Over Columns dialog box opens.

Screen shot of Advanced Visualization Tool, Operations Over Columns dialog box

  12. Click Apply.
  13. To filter the alertType column by malware, repeat steps 8 – 10.
    The table shows the malware name (itemName) and location (itemPath).
  14. Click to add the itemName and itemPath columns to the data table.
  15. In the toolbar, click Toggle Query Editor.
  16. Clear the existing code and paste this SQL code in the text box:
    from oem.panda.paps.alert
    where alertType = "Malware" or alertType = "PUP"
    or alertType = "Exploit"
    group every 30m by alertType, machineName, itemName, itemPath
    every -
    select count() as count
  17. Click Run.
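The query above filters and groups the alerts inside the Advanced Visualization Tool. The following Python, added here and not part of the WatchGuard documentation, applies the same filter and 30-minute grouping to a handful of constructed alert rows shaped like oem.panda.paps.alert, then orders endpoints by the first window in which they raised an alert, which is what you read off the table to locate the origin. The column names alertType, machineName, itemName and itemPath come from the page; the eventdate column, the ISO timestamps and the "Other" alert type are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

INCIDENT_TYPES = ("Malware", "PUP", "Exploit")  # same filter as the query
WINDOW = timedelta(minutes=30)                   # same as "group every 30m"

# Constructed sample rows; "Other" is a made-up type that the filter must drop.
SAMPLE_ALERTS = [
    {"eventdate": "2024-03-01T08:50:00", "alertType": "Other",
     "machineName": "WS-DEV-03", "itemName": "tool.exe", "itemPath": "C:\\Tools\\tool.exe"},
    {"eventdate": "2024-03-01T09:02:00", "alertType": "Malware",
     "machineName": "WS-FINANCE-01", "itemName": "Trj/Agent.XYZ",
     "itemPath": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"eventdate": "2024-03-01T09:17:00", "alertType": "Malware",
     "machineName": "WS-FINANCE-01", "itemName": "Trj/Agent.XYZ",
     "itemPath": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"eventdate": "2024-03-01T09:41:00", "alertType": "Malware",
     "machineName": "WS-HR-07", "itemName": "Trj/Agent.XYZ",
     "itemPath": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe"},
    {"eventdate": "2024-03-01T10:05:00", "alertType": "PUP",
     "machineName": "WS-HR-07", "itemName": "PUP/Toolbar", "itemPath": "C:\\Program Files\\Toolbar\\tb.exe"},
]

def bucket_start(ts):
    """Floor a timestamp to the start of its 30-minute window."""
    epoch = datetime(1970, 1, 1)
    return epoch + (ts - epoch) // WINDOW * WINDOW

def count_alerts(rows):
    """Replicate the query: keep Malware/PUP/Exploit rows and count them per
    30-minute window, alert type, machine, item name and item path."""
    counts = Counter()
    for row in rows:
        if row["alertType"] not in INCIDENT_TYPES:
            continue
        key = (bucket_start(datetime.fromisoformat(row["eventdate"])),
               row["alertType"], row["machineName"], row["itemName"], row["itemPath"])
        counts[key] += 1
    return counts

def origin_candidates(rows):
    """Order machines by the earliest window in which they raised an incident
    alert; the first entry is the likely origin. Returns (machine, window) pairs."""
    earliest = {}
    for (bucket, _type, machine, _name, _path) in count_alerts(rows):
        if machine not in earliest or bucket < earliest[machine]:
            earliest[machine] = bucket
    return [(m, b.isoformat()) for m, b in sorted(earliest.items(), key=lambda i: i[1])]

if __name__ == "__main__":
    for key, n in sorted(count_alerts(SAMPLE_ALERTS).items()):
        print(key[0].isoformat(), *key[1:], n)
    print("origin candidates:", origin_candidates(SAMPLE_ALERTS))
```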

See Also

Security Incidents Dashboard