Applies To: WatchGuard Advanced Reporting Tool
On the Detailed Information tab, you can see information about the endpoints involved in a security incident. You can filter the information on the tab to determine the origin of a security incident.
To filter the data table to determine the origin of a security incident:
- In the WatchGuard EPDR or WatchGuard EDR web UI, select Status.
- From the left pane, select Advanced Visualization Tool.
- In the tab that opens, from the left pane, select Advanced Reporting > Security Incidents.
- Select the date range for the data you want to see.
- Click Refresh.
- Select the Detailed Information tab.
- Review the list of endpoints in the Endpoints Involved in Incidents tile.
- To open the corresponding data table, from the menu, select Go to Query.
- Above the data table that opens, in the table legend, click oem.panda.paps.alert.
- In the full data table, to filter the table by machine name, click the down arrow in the machineName column.
- Select the check box next to a machine name.
The Operations Over Columns dialog box opens.
- Click Apply.
- To filter the alertType column by malware, repeat steps 8–10.
The table shows the malware name (itemName) and location (itemPath).
- Click to add the itemName and itemPath columns to the data table.
- In the toolbar, click Toggle Query Editor.
- Clear the existing code and paste this SQL code in the text box:
where alertType = "Malware" or alertType = "PUP"
or alertType = "Exploit"
group every 30m by alertType, machineName, itemName, itemPath
select count() as count
- Click Run.
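The query above filters the alert table to malware, PUP and exploit alerts, buckets them into 30-minute windows and counts one row per (window, alertType, machineName, itemName, itemPath). The same summary is often needed outside the web UI, for example over a CSV export of the table during an incident review. The following Python script is an added example, not WatchGuard's code: it reproduces that filter-and-group logic over constructed sample rows. The column names alertType, machineName, itemName and itemPath are the ones named in the procedure; the timestamp column name eventdate is an assumption, as is the optional machine filter, which mirrors the machineName check box in steps 10 and 11.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows standing in for an export of the oem.panda.paps.alert
# table. "eventdate" is an assumed timestamp column name; the other four column
# names come from the procedure. Machine, item and path values are made up.
SAMPLE_ALERTS = [
    {"eventdate": "2024-05-01T09:05:00", "alertType": "Malware", "machineName": "WS-01",
     "itemName": "Trj/Sample.A", "itemPath": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"eventdate": "2024-05-01T09:20:00", "alertType": "Malware", "machineName": "WS-01",
     "itemName": "Trj/Sample.A", "itemPath": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"eventdate": "2024-05-01T09:35:00", "alertType": "Malware", "machineName": "WS-01",
     "itemName": "Trj/Sample.A", "itemPath": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"eventdate": "2024-05-01T09:40:00", "alertType": "PUP", "machineName": "WS-02",
     "itemName": "PUP/Sample.B", "itemPath": "C:\\Program Files\\Tool\\setup.exe"},
    {"eventdate": "2024-05-01T09:50:00", "alertType": "Exploit", "machineName": "WS-01",
     "itemName": "Exploit/Sample.C", "itemPath": "C:\\Users\\alice\\Documents\\report.docx"},
    # A constructed, non-matching alert type: the query's where clause drops it.
    {"eventdate": "2024-05-01T10:02:00", "alertType": "Other", "machineName": "WS-03",
     "itemName": "n/a", "itemPath": "n/a"},
]

# Alert types kept by the page's where clause.
WANTED_TYPES = {"Malware", "PUP", "Exploit"}
BUCKET = timedelta(minutes=30)


def bucket_start(ts: str) -> datetime:
    """Floor an ISO timestamp to the start of its 30-minute window ("group every 30m")."""
    dt = datetime.fromisoformat(ts)
    floored_minute = (dt.minute // 30) * 30
    return dt.replace(minute=floored_minute, second=0, microsecond=0)


def summarize(rows, machine=None):
    """Count alerts per (window, alertType, machineName, itemName, itemPath).

    `machine`, when given, restricts the result to one endpoint, which is what
    the machineName check-box filter in the UI does before the query runs.
    """
    counts = Counter()
    for row in rows:
        if row["alertType"] not in WANTED_TYPES:
            continue
        if machine is not None and row["machineName"] != machine:
            continue
        key = (
            bucket_start(row["eventdate"]),
            row["alertType"],
            row["machineName"],
            row["itemName"],
            row["itemPath"],
        )
        counts[key] += 1
    return counts


def report(rows, machine=None):
    """Return the summary as sorted tuples with the window rendered as text,
    one tuple per result row of the query: (window, alertType, machineName,
    itemName, itemPath, count)."""
    out = []
    for (window, alert_type, host, item, path), n in summarize(rows, machine).items():
        out.append((window.strftime("%Y-%m-%d %H:%M"), alert_type, host, item, path, n))
    return sorted(out)


if __name__ == "__main__":
    for line in report(SAMPLE_ALERTS):
        print(line)
```

Running the script on the sample rows yields four result rows: the two 09:05 and 09:20 detections of the same file on WS-01 collapse into one 09:00 window with a count of 2, the 09:35 detection lands in the 09:30 window, and the "Other" row never appears. Calling `report(SAMPLE_ALERTS, machine="WS-01")` narrows the output to that endpoint, which is the view the procedure builds interactively to trace where an incident started.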