Events

The Events tab displays a detailed list of Events in the network involving the asset, as detected by OT Security Plugins. You can customize the display settings by adjusting which columns are displayed and where each column is positioned. The Events can be grouped according to different categories (for example Event Type, Severity, Policy Name). You can also sort and filter the Event list and search it for text. For an explanation of the customization features, see Management Console User Interface Elements.

The bottom portion of the page shows detailed information about the selected Event, divided into tabs. Only tabs relevant to the Event type of the selected Event are shown. For more information about Events, see Events.

There is an Actions button at the top of the pane that enables you to take the following actions on the selected Event or Events:

  • Resolve – Mark this Event as Resolved.

  • Download Capture File – Download the PCAP file for this Event.

  • Exclude from Policy – Create a Policy Exclusion for this Event.

Detailed information about these actions is given in the Events chapter.

The information shown for each Event listing is described below:

  • Log ID – The ID generated by the system to refer to the Event.

  • Time – The date and time that the Event occurred.

  • Event Type – Describes the type of activity that triggered the Event. Events are generated by Policies that are set up in the system. For an explanation of the various types of Policies, see Policy Types.

  • Severity – Shows the severity level of the Event. The possible values are:

      • None – No reason for concern.

      • Info – No immediate reason for concern. Should be checked out when convenient.

      • Warning – Moderate concern that potentially harmful activity has occurred. Should be dealt with when convenient.

      • Critical – Severe concern that potentially harmful activity has occurred. Should be dealt with immediately.

  • Policy Name – The name of the Policy that generated the Event. The name is a link to the Policy listing.

  • Source Asset – The name of the asset that initiated the Event. This field is a link to the Asset listing.

  • Source Address – The IP or MAC address of the asset that initiated the Event.

  • Destination Asset – The name of the asset that was affected by the Event. This field is a link to the Asset listing.

  • Destination Address – The IP or MAC address of the asset that was affected by the Event.

  • Protocol – When relevant, shows the protocol used for the conversation that generated this Event.

  • Event Category – Shows the general category of the Event.

    NOTE: On the All Events screen, Events of all types are shown. Each of the specific Event screens shows only Events of the specified category.

    The following is a brief explanation of the Event categories (for a more detailed explanation, see Policy Categories and Sub-Categories):

      • Configuration Events – includes two sub-categories:

          • Controller Validation Events – These Policies detect changes that take place in the controllers in the network.

          • Controller Activity Events – Activity Policies relate to the activities that occur in the network (that is, the “commands” implemented between assets in the network).

      • SCADA Events – Policies that identify changes made to the data plane of controllers.

      • Network Threats Events – Policies that identify network traffic that is indicative of intrusion threats.

      • Network Events – Policies that relate to the assets in the network and the communication streams between assets.

  • Status – Shows whether or not the Event has been marked as resolved.

  • Resolved By – For resolved Events, shows which user marked the Event as resolved.

  • Resolved On – For resolved Events, shows when the Event was marked as resolved.

  • Comment – Shows any comments that were added when the Event was resolved.