Determine the Origin of a Security Incident

Applies To: WatchGuard Advanced Reporting Tool

On the Detailed Information tab, you can review information about the endpoints involved in a security incident. You can filter the information in the Alert data table to determine the origin of a security incident.

Screen shot of Advanced Visualization Tool, ART > Detailed Information

To determine the origin of a security incident, from the WatchGuard Endpoint Security management UI:

  1. Select Status.
  2. Select Advanced Visualization Tool.
  3. In the tab that opens, from the left pane, select Advanced Reporting > Security Incidents.
  4. Select the date range for the data you want to see.

Screen shot of Advanced Visualization Tool date selector

  5. Click Refresh.
  6. Select the Detailed Information tab.
  7. Above the Incidents on All Endpoints table, click the menu icon and select Go to Query.

Screen shot of Advanced Visualization Tool, ART > Go to query

  8. To view the full data table, in the table legend, click oem.panda.paps.alert.
     For information on the fields available in the Alert table, go to Fields Available in the Alert Table.
  9. To filter the table by machine name, click the down arrow in the machineName column.

Screen shot of Advanced Visualization Tool data table

  10. Select the check box next to a machine name.
      The Operations Over Columns dialog box opens.

Screen shot of Advanced Visualization Tool, Operations Over Columns dialog box

  11. Click Apply.
  12. To filter the alertType column by malware, repeat steps 9 – 11.
      The table shows the malware name (itemName) and location (itemPath).
  13. Click the Add Column icon to add the itemName and itemPath columns to the data table.
  14. In the toolbar, click the Toggle Query Editor icon.
  15. Clear the existing code and paste this query code in the text box:
      from oem.panda.paps.alert
      where alertType = "Malware" or alertType = "PUP"
      or alertType = "Exploit"
      group every 30m by alertType, machineName, itemName, itemPath
      every -
      select count() as count
  16. Click Run.
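The following is an added example, not WatchGuard's code: it reproduces offline in Python what the query above does (keep Malware, PUP and Exploit alerts, bucket them into 30-minute windows and count per alertType, machineName, itemName and itemPath), and then goes one step further by tracing a threat back to the endpoint where it first appeared using the sourceMachineName and sourceIP fields. The rows, machine names, paths, hashes and addresses are constructed, and the dwell-time figure is an approximation of dwellTimeSecs computed from the rows, not the product's own formula.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows using the Alert table's field names; all values are made up.
ALERTS = [
    {"date": "2024-03-04T09:01:00", "alertType": "Malware", "machineName": "WS-22",
     "itemName": "Trojan.Gen", "itemPath": "\\\\WS-17\\share\\invoice.exe",
     "itemHash": "HASH-A", "sourceMachineName": "WS-17", "sourceIP": "10.0.0.17"},
    {"date": "2024-03-04T09:02:00", "alertType": "Malware", "machineName": "WS-17",
     "itemName": "Trojan.Gen", "itemPath": "C:\\Users\\bob\\Downloads\\invoice.exe",
     "itemHash": "HASH-A", "sourceMachineName": "", "sourceIP": "203.0.113.7"},
    {"date": "2024-03-04T09:25:00", "alertType": "Malware", "machineName": "WS-22",
     "itemName": "Trojan.Gen", "itemPath": "\\\\WS-17\\share\\invoice.exe",
     "itemHash": "HASH-A", "sourceMachineName": "WS-17", "sourceIP": "10.0.0.17"},
    {"date": "2024-03-04T10:40:00", "alertType": "PUP", "machineName": "WS-05",
     "itemName": "Adware.Bundle", "itemPath": "C:\\Temp\\setup.exe",
     "itemHash": "HASH-B", "sourceMachineName": "", "sourceIP": ""},
]
INCIDENT_TYPES = {"Malware", "PUP", "Exploit"}  # the alertType values the page's query keeps

def count_every_30m(alerts):
    """Offline equivalent of the page's query: filter by alertType, bucket the
    'date' field into 30-minute windows, count per (window, type, machine, name, path)."""
    counts = Counter()
    for a in alerts:
        if a["alertType"] not in INCIDENT_TYPES: continue
        ts = datetime.fromisoformat(a["date"])
        window = ts - timedelta(minutes=ts.minute % 30, seconds=ts.second)
        key = (window.isoformat(), a["alertType"], a["machineName"], a["itemName"], a["itemPath"])
        counts[key] += 1
    return counts

def find_origin(alerts, item_hash):
    """Find where a threat (by itemHash) first appeared: start at the earliest alert,
    then follow sourceMachineName while it names an endpoint that also reported the
    hash (the visited set guards against loops). 'date' is endpoint-local time."""
    hits = sorted((a for a in alerts if a["itemHash"] == item_hash), key=lambda a: a["date"])
    if not hits: return None
    first_on = {}
    for a in hits:
        first_on.setdefault(a["machineName"], a)  # earliest alert per machine
    cur, visited = hits[0], set()
    while cur["sourceMachineName"] in first_on and cur["machineName"] not in visited:
        visited.add(cur["machineName"])
        cur = first_on[cur["sourceMachineName"]]
    dwell = datetime.fromisoformat(hits[-1]["date"]) - datetime.fromisoformat(cur["date"])
    return {"machineName": cur["machineName"], "first_seen": cur["date"], "sourceIP": cur["sourceIP"],
            "spread_to": sorted(first_on), "dwellTimeSecs": int(dwell.total_seconds())}
```

Note that in the sample the earliest row by endpoint clock is on WS-22, yet its sourceMachineName leads back to WS-17, whose alert carries the external sourceIP; that is the origin the query's filtered columns would lead you to by hand.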

Fields Available in the Alert Table

The Alert table shows the incidents that display in the Activity tile on the WatchGuard Endpoint Security dashboard (Advanced EPDR, EPDR, or EDR). It contains a line for each threat detected on the customer network with information on the computer involved, type of incident, timestamp, and result.

Each field can be used in a query to filter the data table.

Each entry below lists the field name, its description, and the values it can take.

eventdate
    Description: Date when the event was received on the Advanced Reporting Tool server.
    Values: Date

machineIP
    Description: IP address of the customer computer that triggered the alert.
    Values: IP address

date
    Description: Date on the user computer when the event was generated.
    Values: Date

alertType
    Description: Category of the threat that triggered the alert.
    Values: Malware, PUP

machineName
    Description: Name of the customer computer.
    Values: String

executionStatus
    Description: Whether the threat was run or not.
    Values: Executed, Not Executed

dwellTimeSecs
    Description: Time in seconds from the first time the threat was seen on the customer network.
    Values: Seconds

itemHash
    Description: Hash of the detected threat.
    Values: String

itemName
    Description: Name of the detected threat.
    Values: String

itemPath
    Description: Full path of the file that contains the threat.
    Values: String

sourceIP
    Description: If the malware came from outside the customer network, this indicates the IP address of the remote computer.
    Values: IP address

sourceMachineName
    Description: If the malware came from outside the customer network, this indicates the name of the remote computer.
    Values: String

sourceUserName
    Description: If the malware came from outside the customer network, this indicates the user of the remote computer.
    Values: String

urlList
    Description: List of accessed URLs if a browser exploit is detected.
    Values: String

docList
    Description: List of accessed documents if a file exploit is detected.
    Values: String

version
    Description: Content of the Version attribute of the process metadata.
    Values: String

vulnerable
    Description: Indicates whether the application is considered vulnerable or not.
    Values: Boolean

Related Topics

Security Incidents Dashboard