Selecting an offense to investigate

The Offenses tab shows the suspected security attacks and policy breaches that are occurring on your network. Offenses are listed with the highest magnitude first. Investigate the offenses at the top of the list first.

About this task

Use the navigation options on the left to view the offenses from different perspectives. For example, select By Source IP or By Destination IP to view information about repeat offenders, IP addresses that generate many attacks, or systems that are continually under attack. You can further refine the offenses in the list by selecting a time period for the offenses that you want to view or by changing the search parameters.

You can also search for offenses that are based on various criteria. For more information about searching offenses, see Offense searches.

Procedure

  1. Click the Offenses tab.
  2. On the navigation menu, select the category of offenses that you want to view.
  3. Optional: Depending on the category that you selected, you may be able to select the following filtering options:
    1. From the View Offenses list, select an option to filter the list of offenses for a specific time frame.
    2. In the Current Search Parameters pane, click Clear Filter links to refine the list of offenses.
  4. To view all global offenses that are occurring on the network, click All Offenses.
  5. To view all offenses that are assigned to you, click My Offenses.
  6. To view offenses grouped on the high-level category, click By Category.
    1. To view low-level category groups for a particular high-level category, click the arrow icon next to the high-level category name.
    2. To view a list of offenses for a low-level category, double-click the low-level category.

      Count fields, such as Event/Flow Count and Source Count, do not take into account the network permissions of the user.

  7. To view offenses grouped by source IP address, click By Source IP.
    The list of offenses displays only source IP addresses with active offenses.
    1. Double-click the Source IP group that you want to view.
    2. To view a list of local destination IP addresses for the source IP address, click Destinations on the Source page toolbar.
    3. To view a list of offenses that are associated with this source IP address, click Offenses on the Source page toolbar.
  8. To view offenses grouped by destination IP address, click By Destination IP.
    1. Double-click the Source IP address group that you want to view.
    2. To view a list of offenses that are associated with the destination IP address, click Offenses on the Destination page toolbar.
    3. To view a list of source IP addresses associated with the destination IP address, click Sources on the Destination page toolbar.
  9. To view offenses grouped by network, click By Network.
    1. Double-click the Network that you want to view.
    2. To view a list of source IP addresses associated with this network, click Sources on the Network page toolbar.
    3. To view a list of destination IP addresses associated with this network, click Destinations on the Network page toolbar.
    4. To view a list of offenses that are associated with this network, click Offenses on the Network page toolbar.
  10. Double-click the offense to see additional information.
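The views that the procedure above walks through (highest magnitude first, My Offenses, By Category with its count fields, By Source IP showing only sources with active offenses, By Destination IP, By Network) can be reproduced over a set of offense records, which is useful when triaging outside the console. The following is an added example written for this page; it is not IBM QRadar product code and does not use the QRadar REST API. The offense records, the field names (`magnitude`, `status`, `assigned_to`, `source_ips`, and so on), and the network hierarchy are all constructed for the example and are not the product's schema.

```python
"""Offense triage views, mirroring the Offenses tab navigation.

Added example, not IBM QRadar product code. All records below are constructed
sample data; the field names are assumptions for this example only.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Fixed "now" so the time-window filter gives reproducible results.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample offenses (hypothetical data, not from any real system).
OFFENSES = [
    {"id": 1, "magnitude": 7, "status": "OPEN", "assigned_to": "analyst1",
     "high_category": "Recon", "low_category": "Port Scan",
     "source_ips": ["10.0.0.5"], "destination_ips": ["192.168.1.10", "192.168.1.11"],
     "event_count": 1200, "last_updated": NOW - timedelta(hours=2)},
    {"id": 2, "magnitude": 9, "status": "OPEN", "assigned_to": None,
     "high_category": "Exploit", "low_category": "Remote Code Exec",
     "source_ips": ["10.0.0.5", "10.0.0.7"], "destination_ips": ["192.168.1.10"],
     "event_count": 40, "last_updated": NOW - timedelta(hours=1)},
    {"id": 3, "magnitude": 3, "status": "CLOSED", "assigned_to": "analyst1",
     "high_category": "Recon", "low_category": "Port Scan",
     "source_ips": ["10.0.0.9"], "destination_ips": ["192.168.2.20"],
     "event_count": 15, "last_updated": NOW - timedelta(days=3)},
    {"id": 4, "magnitude": 5, "status": "OPEN", "assigned_to": "analyst2",
     "high_category": "Policy", "low_category": "Clear Text Password",
     "source_ips": ["10.0.0.7"], "destination_ips": ["192.168.2.20"],
     "event_count": 3, "last_updated": NOW - timedelta(days=10)},
]

# Constructed network hierarchy, standing in for the By Network grouping.
NETWORKS = {
    "servers": ipaddress.ip_network("192.168.1.0/24"),
    "workstations": ipaddress.ip_network("192.168.2.0/24"),
}


def by_magnitude(offenses, since=None, assigned_to=None):
    """All Offenses / My Offenses: highest magnitude first, optional time window
    (the View Offenses list) and optional assignee filter (My Offenses)."""
    rows = [o for o in offenses
            if (since is None or o["last_updated"] >= since)
            and (assigned_to is None or o["assigned_to"] == assigned_to)]
    return sorted(rows, key=lambda o: (-o["magnitude"], o["id"]))


def by_category(offenses):
    """By Category: high-level category -> low-level category -> counts.
    As in the console, these counts ignore any user's network permissions."""
    tree = defaultdict(lambda: defaultdict(lambda: {"offenses": 0, "events": 0}))
    for o in offenses:
        node = tree[o["high_category"]][o["low_category"]]
        node["offenses"] += 1
        node["events"] += o["event_count"]
    return {high: dict(low) for high, low in tree.items()}


def by_source_ip(offenses):
    """By Source IP: only source addresses with active (non-closed) offenses,
    each with its offenses and the local destinations it touched."""
    groups = defaultdict(lambda: {"offense_ids": [], "destinations": set()})
    for o in offenses:
        if o["status"] == "CLOSED":
            continue
        for src in o["source_ips"]:
            groups[src]["offense_ids"].append(o["id"])
            groups[src]["destinations"].update(o["destination_ips"])
    return dict(groups)


def by_destination_ip(offenses):
    """By Destination IP: each destination with its offenses and source addresses."""
    groups = defaultdict(lambda: {"offense_ids": [], "sources": set()})
    for o in offenses:
        for dst in o["destination_ips"]:
            groups[dst]["offense_ids"].append(o["id"])
            groups[dst]["sources"].update(o["source_ips"])
    return dict(groups)


def by_network(offenses, networks=NETWORKS):
    """By Network: offenses whose destination falls inside a defined network,
    with the sources and destinations seen for that network."""
    groups = defaultdict(lambda: {"offense_ids": set(), "sources": set(), "destinations": set()})
    for o in offenses:
        for dst in o["destination_ips"]:
            addr = ipaddress.ip_address(dst)
            for name, net in networks.items():
                if addr in net:
                    groups[name]["offense_ids"].add(o["id"])
                    groups[name]["sources"].update(o["source_ips"])
                    groups[name]["destinations"].add(dst)
    return dict(groups)


if __name__ == "__main__":
    # Triage order: work the top of the magnitude-sorted list first.
    for o in by_magnitude(OFFENSES, since=NOW - timedelta(days=7)):
        print(f"offense {o['id']} magnitude={o['magnitude']} "
              f"{o['high_category']}/{o['low_category']} sources={o['source_ips']}")
    print("repeat offenders:", {src: g["offense_ids"] for src, g in by_source_ip(OFFENSES).items()})
```

Running the script prints the open offenses of the last seven days in magnitude order and the source addresses that appear in more than one active offense, which is the "repeat offender" perspective the By Source IP view gives in the console.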

What to do next

Use the information in the offense summary and details to investigate the offense and take necessary actions.