About the ThreatSync+ Summary Page

Applies To: ThreatSync+ NDR, ThreatSync+ SaaS

The Network Summary page opens by default when you select Monitor > ThreatSync+. This page provides an overview of trends in your network and includes links to detailed information about Smart Alerts, policy alerts, device risks, and network traffic.

Available pages and features vary and depend on your license type. Throughout this documentation, ThreatSync+ refers generally to all products. If you do not see a page or feature in the ThreatSync+ UI, it is not supported by your product.

Screenshot of the Summary page in the Monitor menu for ThreatSync+ NDR

For more information about the Summary page, go to these sections:

Network Threat Score

ThreatSync+ delivers actionable intelligence in the form of a network threat score, which aggregates threat scores for internal nodes, subnets and zones, and users. You can see the current threat score in the Network Threat Score widget.

Screenshot of the Network Threat Score widget in ThreatSync+ NDR

ThreatSync+ calculates two types of threat scores:

  • IP address or Device Threat Score — ThreatSync+ uses advanced analytics to calculate a threat score for every internal IP address in your network. Parameters used in this calculation include Smart Alerts, policy alerts, and behaviors and events that involve the node. This score updates every 30 minutes to provide a measure of the threats and vulnerabilities detected by ThreatSync+.
  • Group Threat Score — A group can be a subnet (internal organization) in your network, an internal zone (all critical devices), or your entire network. ThreatSync+ aggregates the node scores to show a metric for your entire network as well as for each of the subnet organizations you configure.

ThreatSync+ uses these threat score categories:

  • Very High — 91-100
  • High — 71-90
  • Medium — 51-70
  • Low — 31-50
  • Very Low — 0-30

The Network Threat Score widget includes several charts and counters:

  • Current Network Threat Score
  • Network Threat Score Trend
  • Distribution of Threat Score by Subnet
  • Distribution of Threat Score by Device

Subnets and Organizations

The Subnets and Organizations tab in the Network Threat Score widget shows an aggregated threat score for each internal organization. An internal organization is a collection of internal IP address ranges that represents one or more subnets. For more information, go to Configure Subnets and Organizations.

Screenshot of the Subnets and Organizations tab on the Network Threat Score widget on the Summary page

The Subnets and Organizations tab shows these details:

  • Threat Score
  • Trend
  • Organization Name
  • Active IP Addresses
  • Recent Active Devices
  • Threat Score Trend

Zones

The Zones tab shows the aggregated threat score for each zone. A zone is a group of network devices. For more information, go to Manage ThreatSync+ Zones.

Screenshot of the Zones tab on the Network Threat Score widget on the Summary page

The Zones tab shows these details:

  • Threat Score
  • Trend
  • Type
  • Name
  • Description
  • Members
  • Recent Active Devices
  • Threat Score Trend

Total Users

User widgets and information are only available with a ThreatSync+ SaaS license. For more information, go to About ThreatSync+ SaaS Licenses.

The Total Users widget shows the total number of users detected in the last seven days that are associated with a ThreatSync+ SaaS integration, for example Microsoft Office 365. To see details of a user, click the Access IP address next to the user.

The User Details page shows the remediation status, login history and user history for a specific user and provides details about user activity associated with actions taken, policy alerts, Smart Alerts, and device activity. The User Details page also shows the threat score associated with the user at the time of the activity and how the threat score changes over time based on user activity. The current user threat score is at the top of the User Details page. This user score contributes to the overall network threat score. For more information, go to Network Threat Score.

You must have a ThreatSync+ NDR license to view Access IP address user details. For more information, go to About ThreatSync+ NDR Licenses.

Screenshot of the Total Users tab on the ThreatSync+ Summary page, Monitor menu

For more information about the User Details page, go to ThreatSync+ Users.

Open Smart Alerts

The Open Smart Alerts widget shows a list of open Smart Alerts, and two charts that show different views of Smart Alert details.

Open Smart Alerts Over Time

The Open Smart Alerts Over Time chart shows a count of open Smart Alerts for a specified time period.

Screenshot of the Open Smart Alerts Over Time graph

You can view open alerts for these time periods:

  • 24 hours
  • 7 days
  • 30 days
  • 90 days

The default time period is 7 days.

Smart Alerts by Major Actor and Type

The Smart Alerts by Major Actor and Type chart shows a count of Smart Alert types by major actor for a specified time period. A major actor is the device that is associated with malicious activity. The major actor can be the device that is responsible for the threat, or it might be the compromised device that an attacker uses to carry out the malicious behavior.

Screenshot of the Smart Alerts by Major Actor and Type chart

Policy Alerts

The Policy Alerts widget shows a list of detected policy violations. A policy alert indicates that a user or device violated a specific policy. For more information, go to About Policy Alerts.

Screenshot of the Policy Alert widget on the Summary page

Four charts are available on the Policy Alerts widget:

  • Policy Alerts by Tag
  • Most Common Policy Types
  • Policy Alerts Over Time
  • Policy Alerts by Device or IP

Click a chart to view more details about the policy alert. For more information, go to About Policy Alerts.

For more information, go to Manage Devices.

Total Active Devices

The Total Active Devices widget shows a summary of device activity for all active devices on your network.

Screenshot of the Total Devices widget on the Summary page

Monitoring your network devices for unusual activity can help you identify potential security threats and vulnerabilities.

Four charts provide visibility into device activity and show these device summary details:

  • Devices Over Time — The number of devices on your network over a specified time period.
  • Recent Unidentified Private Devices — An interactive chart that shows a list of unidentified private devices detected on your network. Click an IP address to view more details about the device activity.
  • Top Blocklist IP Addresses — The most commonly detected IP addresses on the blocklist over a specified time period.
  • Most Active Source Addresses — The source IP addresses with the highest packet count over a specified time period.

Total Traffic

The Total Traffic widget shows several charts and counters about network traffic and events over time.

Activity by Source Device Table

The Activity by Source Device table shows the type of network traffic, what version of Fireware your Fireboxes are running, and whether the version is supported by ThreatSync+.

The table shows these columns:

  • Device Name — Name of the device that sends data through the collector.
  • Type — Windows Log Agent if the device sends DHCP logs, or NetFlow/SFlow if the device sends NetFlow or sFlow data.
  • Last Seen — The time and date when the last log was received from the device.
  • Log Count — The number of logs processed.

Collection agents that send data to ThreatSync+ also show on the Activity by Source Device table. For more information, go to About ThreatSync+ NDR Collectors.

ThreatSync+ requires Fireware v12.10.3 or higher.

Screenshot of the Total Traffic widget on the Summary page

For more information about how to monitor traffic, go to Investigate ThreatSync+ Traffic.

User Activity

User widgets and information are only available with a ThreatSync+ SaaS license. For more information, go to About ThreatSync+ SaaS Licenses.

The User Activity widget includes a User Activity Log Count chart that shows the count of user activity events, and the date and time each event occurred, for a specified time period. User activity can include these user events:

File and Folder Events

File and folder events include these user activities:

  • Anonymous File Activity
  • External File Activity
  • File or Folder Shared With External User
  • Internal File and Folder Shared With Public
  • Unusual Change in File Activity

Login Events

Login events include these user activities:

  • High Rate of Failed Login Attempts
  • Impossible Travel Detected for User
  • New Remote Access IP for a User
  • New Remote Access Location for a User
  • Unexpected Login Detected
  • Unusual Access Location for a User
  • Unusual Access Time for a User

Screenshot of the User Activity Log Count chart on the User Activity widget, Summary page

To view user activity details, click a date on the chart and click View Detail.

User Activity Details

If you click View Detail for a specific date on the User Activity Log Count chart, you can view details about user events, file and folder events, or login events for a specified time period. These details include the anomaly type, and the main triggering event of the activity.

Screenshot of the User Events page, User Activity widget, on the Summary page in Monitor > ThreatSync+

For more information about user activity and events, go to ThreatSync+ Users.

Download Charts

To download a chart, click the Export to CSV icon next to the chart.

Related Topics

About ThreatSync+ NDR

Monitor ThreatSync+

Configure ThreatSync+