Evidence: Signature sidebar

The Evidence sidebar is expanded by clicking an evidence link in the Evidence column of the Threats tab. Click the close icon to close the sidebar.

The evidence type of Signature is displayed at the top of the sidebar.

Click the Explore button (Network pages icon with a down arrow), then select one of the options from the pull-down menu. These options are deep links into the Network explorer page (Kibana interface), providing access to all the information related to the signature evidence.

Click the Ref event link (right arrow) to access the Network event details page and the full details of the associated event.

If available, a brief description of the evidence is provided.

Threat details

Threat

Name of the detected security risk.

Threat class

Name of the detected security risk class.

Activity

If available, displays the detected current activity of the threat.

Confidence

Indicates the probability that the detected threat is malicious.

For events that show analysis results (for example, a file download), a Score is displayed.

First seen → Last seen

A graph with the timestamp from when the evidence was first and last seen.

The Duration is displayed below the graph.

Traffic details

The Reference event traffic widget provides an overview of the traffic observed between the hosts involved in the referenced event. At least one host involved in the event is a monitored host. The communicating host may be a monitored host or an external system.

The arrow indicates the traffic direction between the hosts.

For each host, the IP address is displayed. If the host is local, the address is a link that you can click to view the Host profile page. A geo-located flag, home, or network icon may be displayed; more than one may be displayed. If available, a host name is displayed. If available from DHCP traffic monitoring, the MAC address of the host is displayed. Any host tags applied to the host are displayed. Click the Intelligence pages icon to view host details in Intelligence. If available, click the globe icon to view host details in the WHOIS pop-up.

Detector summary

A summary of the detector is displayed. For more details, click the More details link (right arrow) to view the Detector pop-up.

Detector name

The name of the detector.

Goal

Short description of the goal of the detector.

IDS Rule

If available, click the View rule link to display the Detector pop-up, which may contain the IDS rule.