Table of Contents
- ALERT menu
- ADMIN menu
- ? menu
The ALERT menu provides a first level of alerts visualization. This is the main page of Prelude SIEM.
Alerts display¶Alerts are displayed with four different colors:
- Orange is for low severity,
- Brown is for medium severity,
- Red is for high severity,
- Blue is for information.
Prewikka automatically aggregates alerts according to their origin, destination, and time of occurrence. The aggregated alerts are displayed in a single row preceded by the number of alerts included.To see the alert details:
- Click the name of the alert
- In the case of aggregated alerts, expand the list of alerts by clicking the aggregated alert name, then click the alert of which you want the details
To get more information about an alert, click on the different links below its name: vendor-specific, cve, bugtraqid, etc.To get more information about sources and targets:
- Click the url to choose between filter on this url or see the whois
- Click the port to see the Port Lookup
To define the number of alerts per page you can set the Limit parameter in the Control Panel on the bottom left of the screen.
To navigate through pages use the Alerts Navigation panel on the very bottom of the screen.
In the Alerts section, there are two tabs by default.
The Alerts tab is displayed by default when you click on the Alerts section. It displays the alerts listing including all alerts types (simple alerts and correlation alerts).Below a description of the two main types of alerts:
- Simple alerts: a unitary alert sent by a Prelude SIEM sensor (Prelude LML, Snort, Ossec, etc), it concerns a single security event;
- Correlation alerts: a correlation alert is generated by the correlation engine after analyzing one or more alerts. These alerts allow operators to see attack scenarios or to have an additional information about a simple alert (blacklist, target, etc).
Aggregated alerts tab¶
Displays the list of alerts in an aggregated way.
The Threats section displays correlation alerts in the same way as the Alerts tab.For both tabs (Alerts and Threats), alerts details are displayed in a table containing the following information:
- #: The first column is used to display aggregated alerts number;
- Date: Alert creation date. If more than one alert are displayed in a row (aggregation), a period is displayed;
- Classification: The name of the alert, or other information allowing the operator to determine its nature. It is a
first indication about the alert (example: Remote Login, Brute force attack);
- Source: IP address or FQDN of the alert source;
- Target: IP address or FQDN of the alert target;
- Analyser: Indicators related to analyzers originating the alerts.
Prelude-Correlator must be installed and set in order to receive correlation alerts. Learn more about Installing Prelude Correlator
In Prewikka all correlation alerts are automatically displayed in the Threats tab.
With the PrewikkaPro version you can create your own customized tabs. Learn more about this functionnality in the Views tab chapter on the Settings page
- The Time filter :
On the upper right of the screen, you will find the Control Panel which will allow you to set the Period parameters.
The Period setting allows you to define the time period you want to display from one minute to an unlimited period of time.
Alert listing automatic refresh¶The Control Panel on the upper right of the screen allows you to set the auto refresh functionality.
Just select the refresh period field :
- 30 secondes
- 1 minutes
- 5 minutes
- 10 minutes
On the bottom right of the alert listing, when you are in Expert mode you will find the Delete button. Select the alerts you want to delete by checking the corresponding boxes on the right of the event listing. Or check the box on the right of the Delete button to select all the alerts. Then click Delete.
The Agents section ables you to manage and monitor your analyzers.
In the Agents section, there are three tabs by default.
Agents tab¶This tab is displayed by default when clicking on the Agents section. It lists all agents registered to Prelude SIEM and
monitors their connection status.
Agents are grouped by location based on their own configurations. Each location is composed of one or more nodes
and one or more agents are listed for each node.
- For each location, the number of nodes, agents and agents per status are displayed;
- For each node, the IP address and OS information are displayed.
Agents are listed in a table composed of seven columns, each column of this table is explained below:
|Checkbox used to select an agent in order to delete its alerts or heartbeats.
|The agent name
|The agent model
|The agent version
|The agent class
|The elapsed time since the last heartbeat was received
|2 minutes ago
|The agent status
The following color code is used for agents statuses:
|The agent sent a heartbeat to the manager according to the specified time interval. The agent is working.
|The agent didn’t send a heartbeat to the manager in the specified time interval. The sensor is no longer in working condition.
|The agent sent a heartbeat and indicated it was the last. The agent is no longer in working condition.
|The agent is probably not connected to Prelude SIEM. The time interval of heartbeats hasn’t been defined.
By clicking on the location name, you get the nodes listing with the node name, its IP address, the OS running on it, the version of the OS and the number and status of its analyzers.
By clicking on the number of analyzers in the nodes listing, you get the analyzers listing.
Interaction with the Name column¶By clicking on an agent name, a pop-up menu is displayed and allows operators to choose one of three actions:
- Alert listing: clicking on this link displays alerts generated by this agent;
- Heartbeat listing: clicking on this link displays this agent’s heartbeats;
- Heartbeat analysis: clicking on this link displays more details about the agent and its historic.
The agent heartbeat analysis contains the following information:
|The agent name
|The agent model
|Prelude LML 4.0.0
|The operating system
|kernel Linux 2.6.32-573.12.1.el6.x86_64
|Where the host or the sensor is installed
|The host location
|The host address
|The elapsed time since the last heartbeat was received
|8 minutes ago
|The current status of the agent
|Heartbeats historic analysis
|No anomaly in the last 30 heartbeats (one heartbeat every 9 minutes average)
From the Agents tab, it is possible to select one or more agents by clicking on the checkboxes on the left of each row and delete associated alerts and/or heartbeats information. To do that, you have to select the concerned agents, then select the type of information to delete by checking the corresponding checkbox in the bottom right of the page, then click on the Delete button.
Note: When an agent is disconnected, if the heartbeats are deleted, the agent will no more be displayed in the agents list.
A heartbeat is a signal sent periodically by an agent to indicate its status (connected, terminating the connection, etc).
The agent monitoring occurs through heartbeats.
The Heartbeats tab displays heartbeats of all known agents (agents which were registered and which connected at least
Heartbeats information are displayed in a table composed of five columns. Each column is explained below:
|The agent name
|The agent node IP address
|The agent node name
|The agent model
|Date and time of the last heartbeat sent by the agent
Interaction with the Agent column¶
By clicking on the agent name, a pop-up menu is displayed.
The entry See heartbeat details displays details about the selected heartbeat. This includes details about the agent and its status.
The Filter on agent option allows to display only heartbeats concerning this agent.
Interaction with the node address column¶
Click on the node address of an agent in the heartbeats list, a pop-up menu providing the possibility to filter on this address is displayed. Clicking on the Filter on address option allows you to display heartbeats of this node’s agents.
Interaction with the Node address column¶
Clicking on a node name from the heartbeats list allow to display heartbeats of agents hosted in this node.
Interaction with the Model column¶
Clicking on a model allows to show heartbeats of agents of this model (example: heartbeats of all Prelude LML agents).
It is possible to delete heartbeats from the heartbeats listing. To do that, check all heartbeats to be deleted then click on the Apply button in the bottom right of the page.
Like the previous tab, but aggregated.
Scheduling section¶This page lists all tasks that can be scheduled for a periodic execution. These tasks include in particular:
- The periodic generation of reports;
- The management of the replay queue;
- The fetching of vulnerability data;
- The fetching of monitoring data;
- The deletion of old heartbeats of Prelude agents;
- The deletion of old alerts;
- The deletion of the search history.
- Name: Name of the periodic task;
- Schedule: Schedule type (daily, monthly, etc.);
- User: The user responsible for the task, or “SYSTEM” if it is a system task;* Last execution: the time since the task’s last execution, or the error message if need be;
- Next execution: The time until the task’s next execution.
Furthermore, the execution interval of each task can be configured by clicking on the task’s name. This configuration relies on the cron table syntax (Wikipedia - Cron), namely the definition of the five following values:
- The minutes;
- The hours;
- The day of the month;
- The number (or the english abbreviation) of the month;
For each value, possible notations are:
- *: every unit (0, 1, 2, 3, 4. . . );
- 5,8: units 5 and 8;
- 2-5: units from 2 to 5 (2, 3, 4, 5);
- */3: every 3 units (0, 3, 6, 9. . . );
- 10-20/3: every 3 units, between the tenth and the twentieth (10, 13, 16, 19).
If the “day of the month” and the “day of the week” are both given, the task will be executed when one of the fields
Note: Some of the tasks need to be configured in the Prelude GUI configuration file, besides their activation in the
web interface. See the configuration documentation for more information.
This section allows to configure user preferences, like language, timezone, views and filters configuration.
The My account tab¶
The My account tab allows you to set your preferences and see your permissions.The My account tab allows operators to edit parameters of their own account. All the following elements are configurable
(except the first one) and user-specific:
- Login: ID of the operator. It is the login used for connection.
- Name: full name of the operator.
- Email: email of the operator.
- Language: language of the GUI.
- Theme: theme of the GUI.
- Timezone: timezone of the operator. All displayed data will be in this timezone.
The Filters tab¶
The Filters tab allows operators to create their own advanced filters based on alerts, heartbeats or logs.
The interface is organized as a table. The creation or the edition of a filter occurs through a form in a widget.
Filters list¶Filters of the operator are presented as a table. The columns are the following:
- Name: Name of the filter. A click on the name opens the filter’s edition form;
- Alerts: Indicates whether the filter concerns alerts or not;
- Heartbeats: Indicates whether the filter concerns heartbeats or not;
- Description: Description of the filter.
- Create: Opens the filter’s creation form;
- Duplicate: With a filter selected, the filter form opens with the same content as the filter but without a name for duplicating it;
- Delete: Delete the selected filters.
Filter creation or edition¶The filter creation or edition form is organized like this:
- Name: Name of the filter;
- Description: Description of the filter;
- Alerts: Sub-form for defining a filter on alerts;
- Heartbeats: Sub-form for defining a filter on heartbeats.
Filter definition form on a data type¶
The form represents a logical expression. At every imbrication level, you can choose between an AND and an OR operator. This corresponds to the blue button with the dropdown list displayed at each level.Inside each imbrication level, it is possible to:
- List the logical expressions to match. A logical expression is organized into three blocks: the path on which to validate a value, an operator (from equality to regular expression) and the searched value. The trash icon can be used to delete the unitary logical expression.
- Button +: Add a new unitary logical expression at the current imbrication level.
- Button &: Add a new logical imbrication level.
- Click on the Save button to save the changes made.
Apps section¶The Apps tab allows operators to manage Prelude GUI plugins. The following actions can be done from this page:
- Enable a plugin;
- Disable a plugin;
- Update a plugin.
When all Prelude GUI plugins are installed and up-to-date, this page shows the list of those plugins and offers the possibility to enable or disable them.
When one or more plugins are not installed or not up-to-date, a notification is displayed in this page. Concerned plugins are grouped and it is possible to update or install them from the GUI.
The About section provides different information about the Prelude SIEM software. That includes the software version, a description of the services provided by the CS company, the company contact details and copyright details.