Example: Investigating maximum offenses reached

View details about a maximum number of offenses notification. On the System Overview page, you find that the maximum number of offenses is reached. The notification might be the result of a rule that was added or modified.

Notifications often accompany abnormal activity that you might want to investigate.

Procedure

  1. Click the navigation menu icon, and then select System Overview from the list.

    By reviewing the system overview, you might find that the number of offenses reached the maximum limit and that there is a spike in activity.

    Figure 1. System Overview
  2. Click the Maximum active offense reached notification on the graph to view the details.

    By reviewing the notification, you might find that the number of offenses reached the maximum limit and that new offenses can't be created.

    Figure 2. Notification panel
  3. Click the navigation menu icon, and then select Activity from the list.
  4. From the Activity graph, click the same time range where the notification is displayed on the System Overview page.

    In the detailed list of activities for the time range that you selected, the entry CRE rule was added appears in the list of activities below the graph.

  5. Click the CRE rule was added activity item to view more information about the activity.

    By reviewing the details in the notification panel, you find that a CRE rule was added, which can cause a spike in activity and the Maximum active offenses created notification to display. By viewing the activity, you can determine whether the change that the user made to the system is correct. You might find that the user made an error by adding all log sources to the false positive building block, which caused no offenses to be created.

    Figure 3. Activity Event detail
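The correlation performed by hand in steps 4 and 5 (match the notification's time range against recent rule changes in the activity list) can also be scripted. The following is an added example, not IBM code and not a QRadar API call: the record layout, the `candidate_causes` function and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Record:
    """One row from either the notification list or the activity list (hypothetical layout)."""
    time: datetime
    kind: str        # "notification" or "activity"
    message: str
    user: str = ""   # who performed the activity, empty for notifications

# Constructed sample records, not real QRadar output.
RECORDS = [
    Record(datetime(2023, 5, 1, 9, 55), "activity", "CRE rule was added", "admin"),
    Record(datetime(2023, 5, 1, 10, 0), "activity", "User logged in", "analyst"),
    Record(datetime(2023, 5, 1, 10, 5), "notification", "Maximum active offenses reached"),
    Record(datetime(2023, 5, 1, 14, 0), "activity", "CRE rule was modified", "admin"),
]

# Activity messages that change how offenses are created (assumed wording).
RULE_CHANGE_KEYWORDS = ("cre rule was added", "cre rule was modified", "building block")

def is_rule_change(message: str) -> bool:
    """True when the activity text describes a rule or building block change."""
    text = message.lower()
    return any(keyword in text for keyword in RULE_CHANGE_KEYWORDS)

def candidate_causes(records, notification_text, window=timedelta(minutes=30)):
    """For each notification whose message contains notification_text, return the
    rule-change activities that occurred in the `window` leading up to it.
    Activities after the notification are excluded: they cannot have caused it."""
    results = []
    for note in records:
        if note.kind != "notification" or notification_text.lower() not in note.message.lower():
            continue
        causes = [
            act for act in records
            if act.kind == "activity"
            and is_rule_change(act.message)
            and note.time - window <= act.time <= note.time
        ]
        results.append((note, sorted(causes, key=lambda act: act.time)))
    return results

if __name__ == "__main__":
    for note, causes in candidate_causes(RECORDS, "Maximum active offenses"):
        print(note.time, note.message)
        for act in causes:
            print("  possible cause:", act.time, act.message, "by", act.user)
```

Widen `window` when the System Overview graph shows the spike starting well before the notification fired; the function deliberately ignores changes made after the notification.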