Table of Contents

• ALERT menu
  • Alerts display
  • Alerts section
    • Alerts tab
    • Aggregated alerts tab
  • Threats section
  • Time filter
  • Alert listing automatic refresh
  • Delete alerts
• Agents
  • Agents tab
    • Interaction with the Name column
    • Agents deletion
  • Heartbeats tab
    • Interaction with the Agent column
    • Interaction with the node address column
    • Interaction with the Node address column
    • Interaction with the Model column
    • Heartbeats deletion
  • Aggregated heartbeats
• ADMIN menu
  • Scheduling section
  • Preferences section
    • The My account tab
    • The Filters tab
      • Filters list
      • Filter creation or edition
      • Filter definition form on a data type
• ? menu
  • Apps section
  • About section

ALERT menu¶

The ALERT menu provides a first level of alerts visualization. This is the main page of Prelude SIEM.

Alerts display¶

Alerts are displayed with four different colors:

• Orange is for low severity,
• Brown is for medium severity,
• Red is for high severity,
• Blue is for information.

Prewikka automatically aggregates alerts according to their origin, destination, and time of occurrence. The aggregated alerts are displayed in a single row preceded by the number of alerts included.

To see the alert details:

• Click the name of the alert
• In the case of aggregated alerts, expand the list of alerts by clicking the aggregated alert name, then click the alert of which you want the details

To get more information about an alert, click on the different links below its name: vendor-specific, cve, bugtraqid, etc.

To get more information about sources and targets:

• Click the url to choose between filter on this url or see the whois
• Click the port to see the Port Lookup

To define the number of alerts per page you can set the Limit parameter in the Control Panel on the bottom left of the screen.

To navigate through pages use the Alerts Navigation panel on the very bottom of the screen.

Alerts section¶

In the Alerts section, there are two tabs by default.

Alerts tab¶

The Alerts tab is displayed by default when you click on the Alerts section. It displays the alerts listing including all alerts types (simple alerts and correlation alerts).

Below a description of the two main types of alerts:

• Simple alerts: a unitary alert sent by a Prelude SIEM sensor (Prelude LML, Snort, Ossec, etc), it concerns a single security event;
• Correlation alerts: a correlation alert is generated by the correlation engine after analyzing one or more alerts. These alerts allow operators to see attack scenarios or to have an additional information about a simple alert (blacklist, target, etc).

Aggregated alerts tab¶

Displays the list of alerts in an aggregated way.

Threats section¶

The Threats section displays correlation alerts in the same way as the Alerts tab.

For both tabs (Alerts and Threats), alerts details are displayed in a table containing the following information:

• #: The first column is used to display aggregated alerts number;
• Date: Alert creation date. If more than one alert are displayed in a row (aggregation), a period is displayed;
• Classification: The name of the alert, or other information allowing the operator to determine its nature. It is a
  first indication about the alert (example: Remote Login, Brute force attack);
• Source: IP address or FQDN of the alert source;
• Target: IP address or FQDN of the alert target;
• Analyser: Indicators related to analyzers originating the alerts.

Prelude-Correlator must be installed and set in order to receive correlation alerts. Learn more about Installing Prelude Correlator

In Prewikka all correlation alerts are automatically displayed in the Threats tab.

With the PrewikkaPro version you can create your own customized tabs. Learn more about this functionnality in the Views tab chapter on the Settings page

Time filter¶

• The Time filter :
  On the upper right of the screen, you will find the Control Panel which will allow you to set the Period parameters.
  The Period setting allows you to define the time period you want to display from one minute to an unlimited period of time.

Alert listing automatic refresh¶

The Control Panel on the upper right of the screen allows you to set the auto refresh functionality.
Just select the refresh period field :

• 30 secondes
• 1 minutes
• 5 minutes
• 10 minutes
• Inactive

Delete alerts¶

On the bottom right of the alert listing, when you are in Expert mode you will find the Delete button. Select the alerts you want to delete by checking the corresponding boxes on the right of the event listing. Or check the box on the right of the Delete button to select all the alerts. Then click Delete.

Agents¶

The Agents section ables you to manage and monitor your analyzers.

In the Agents section, there are three tabs by default.

Agents tab¶

This tab is displayed by default when clicking on the Agents section. It lists all agents registered to Prelude SIEM and
monitors their connection status.
Agents are grouped by location based on their own configurations. Each location is composed of one or more nodes
and one or more agents are listed for each node.

• For each location, the number of nodes, agents and agents per status are displayed;
• For each node, the IP address and OS information are displayed.

Agents are listed in a table composed of seven columns, each column of this table is explained below:

Field	Functionalities	Example
Delete	Checkbox used to select an agent in order to delete its alerts or heartbeats.	.
Name	The agent name	Prelude-LML
Model	The agent model	Prelude LML
Version	The agent version	3.1.0
Class	The agent class	Log Analyzer
Latest heartbeat	The elapsed time since the last heartbeat was received	2 minutes ago
Status	The agent status	Online

The following color code is used for agents statuses:

Agent status	Color	Explanation
Online	Green	The agent sent a heartbeat to the manager according to the specified time interval. The agent is working.
Missing	Red	The agent didn’t send a heartbeat to the manager in the specified time interval. The sensor is no longer in working condition.
Offline	Grey	The agent sent a heartbeat and indicated it was the last. The agent is no longer in working condition.
Unknown	Light salmon	The agent is probably not connected to Prelude SIEM. The time interval of heartbeats hasn’t been defined.

By clicking on the location name, you get the nodes listing with the node name, its IP address, the OS running on it, the version of the OS and the number and status of its analyzers.

By clicking on the number of analyzers in the nodes listing, you get the analyzers listing.

Interaction with the Name column¶

By clicking on an agent name, a pop-up menu is displayed and allows operators to choose one of three actions:

• Alert listing: clicking on this link displays alerts generated by this agent;
• Heartbeat listing: clicking on this link displays this agent’s heartbeats;
• Heartbeat analysis: clicking on this link displays more details about the agent and its historic.

The agent heartbeat analysis contains the following information:

Column	Explanation	Example
Name	The agent name	Ajaccio-LML
Model	The agent model	Prelude LML 4.0.0
OS	The operating system	kernel Linux 2.6.32-573.12.1.el6.x86_64
Node name	Where the host or the sensor is installed	Paris
Node location	The host location	France
Node address	The host address	172.25.35.21
Latest heartbeat	The elapsed time since the last heartbeat was received	8 minutes ago
Current status	The current status of the agent	online
Events	Heartbeats historic analysis	No anomaly in the last 30 heartbeats (one heartbeat every 9 minutes average)

Agents deletion¶

From the Agents tab, it is possible to select one or more agents by clicking on the checkboxes on the left of each row and delete associated alerts and/or heartbeats information. To do that, you have to select the concerned agents, then select the type of information to delete by checking the corresponding checkbox in the bottom right of the page, then click on the Delete button.

---

Note: When an agent is disconnected, if the heartbeats are deleted, the agent will no more be displayed in the agents list.

---

Heartbeats tab¶

A heartbeat is a signal sent periodically by an agent to indicate its status (connected, terminating the connection, etc).
The agent monitoring occurs through heartbeats.

The Heartbeats tab displays heartbeats of all known agents (agents which were registered and which connected at least
one time).

Heartbeats information are displayed in a table composed of five columns. Each column is explained below:

Column	Explanation	Example
Agent	The agent name	prelude-lml
Node address	The agent node IP address	192.168.1.30
Node name	The agent node name	Lyon
Model	The agent model	Prelude LML
Date	Date and time of the last heartbeat sent by the agent	09/18/2015 11:39

Interaction with the Agent column¶

By clicking on the agent name, a pop-up menu is displayed.

The entry See heartbeat details displays details about the selected heartbeat. This includes details about the agent and its status.
The Filter on agent option allows to display only heartbeats concerning this agent.

Interaction with the node address column¶

Click on the node address of an agent in the heartbeats list, a pop-up menu providing the possibility to filter on this address is displayed. Clicking on the Filter on address option allows you to display heartbeats of this node’s agents.

Interaction with the Node address column¶

Clicking on a node name from the heartbeats list allow to display heartbeats of agents hosted in this node.

Interaction with the Model column¶

Clicking on a model allows to show heartbeats of agents of this model (example: heartbeats of all Prelude LML agents).

Heartbeats deletion¶

It is possible to delete heartbeats from the heartbeats listing. To do that, check all heartbeats to be deleted then click on the Apply button in the bottom right of the page.

Aggregated heartbeats¶

Like the previous tab, but aggregated.

ADMIN menu¶

Scheduling section¶

This page lists all tasks that can be scheduled for a periodic execution. These tasks include in particular:

• The periodic generation of reports;
• The management of the replay queue;
• The fetching of vulnerability data;
• The fetching of monitoring data;
• The deletion of old heartbeats of Prelude agents;
• The deletion of old alerts;
• The deletion of the search history.

The table has the following columns:

• Name: Name of the periodic task;
• Schedule: Schedule type (daily, monthly, etc.);
• User: The user responsible for the task, or “SYSTEM” if it is a system task;* Last execution: the time since the task’s last execution, or the error message if need be;
• Next execution: The time until the task’s next execution.

Each of these tasks can be enabled or disabled thanks to the buttons located below the table.
Furthermore, the execution interval of each task can be configured by clicking on the task’s name. This configuration relies on the cron table syntax (Wikipedia - Cron), namely the definition of the five following values:

• The minutes;
• The hours;
• The day of the month;
• The number (or the english abbreviation) of the month;

The number (or the english abbreviation) of the week’s day.
For each value, possible notations are:

• *: every unit (0, 1, 2, 3, 4. . . );
• 5,8: units 5 and 8;
• 2-5: units from 2 to 5 (2, 3, 4, 5);
• */3: every 3 units (0, 3, 6, 9. . . );
• 10-20/3: every 3 units, between the tenth and the twentieth (10, 13, 16, 19).

If the “day of the month” and the “day of the week” are both given, the task will be executed when one of the fields
matches.

---

Note: Some of the tasks need to be configured in the Prelude GUI configuration file, besides their activation in the
web interface. See the configuration documentation for more information.

---

Preferences section¶

This section allows to configure user preferences, like language, timezone, views and filters configuration.

The My account tab¶

The My account tab allows you to set your preferences and see your permissions.

The My account tab allows operators to edit parameters of their own account. All the following elements are configurable
(except the first one) and user-specific:

• Login: ID of the operator. It is the login used for connection.
• Name: full name of the operator.
• Email: email of the operator.
• Language: language of the GUI.
• Theme: theme of the GUI.
• Timezone: timezone of the operator. All displayed data will be in this timezone.

The Filters tab¶

The Filters tab allows operators to create their own advanced filters based on alerts, heartbeats or logs.
The interface is organized as a table. The creation or the edition of a filter occurs through a form in a widget.

Filters list¶

Filters of the operator are presented as a table. The columns are the following:

• Name: Name of the filter. A click on the name opens the filter’s edition form;
• Alerts: Indicates whether the filter concerns alerts or not;
• Heartbeats: Indicates whether the filter concerns heartbeats or not;
• Description: Description of the filter.

Available actions:

• Create: Opens the filter’s creation form;
• Duplicate: With a filter selected, the filter form opens with the same content as the filter but without a name for duplicating it;
• Delete: Delete the selected filters.

Filter creation or edition¶

The filter creation or edition form is organized like this:

• Name: Name of the filter;
• Description: Description of the filter;
• Alerts: Sub-form for defining a filter on alerts;
• Heartbeats: Sub-form for defining a filter on heartbeats.

Filter definition form on a data type¶

The form represents a logical expression. At every imbrication level, you can choose between an AND and an OR operator. This corresponds to the blue button with the dropdown list displayed at each level.

Inside each imbrication level, it is possible to:

• List the logical expressions to match. A logical expression is organized into three blocks: the path on which to validate a value, an operator (from equality to regular expression) and the searched value. The trash icon can be used to delete the unitary logical expression.
• Button +: Add a new unitary logical expression at the current imbrication level.
• Button &: Add a new logical imbrication level.
• Click on the Save button to save the changes made.

? menu¶

Apps section¶

The Apps tab allows operators to manage Prelude GUI plugins. The following actions can be done from this page:

• Enable a plugin;
• Disable a plugin;
• Update a plugin.

When all Prelude GUI plugins are installed and up-to-date, this page shows the list of those plugins and offers the possibility to enable or disable them.

When one or more plugins are not installed or not up-to-date, a notification is displayed in this page. Concerned plugins are grouped and it is possible to update or install them from the GUI.

About section¶

The About section provides different information about the Prelude SIEM software. That includes the software version, a description of the services provided by the CS company, the company contact details and copyright details.