Security Alarms (New Portal)

The Alarms page tracks all threat events and anomalies that occur within your account. This enables you to quickly and easily review and resolve threats as they occur. Each listed event includes an analysis view with additional event details.

Basics

The Alarms screen displays a list of alarms that enables you to monitor anomalous activity in your account.

There are multiple alarm types:

  • Address Scan: Address scanning, conducted by attackers or compromised hosts/devices, targets a port on the hosts of a specific subnet to discover vulnerabilities. The Address Scan alarm triggers if all of the following conditions are true:
    • A device attempts a large enough number of hosts (e.g. more than 8) within a /24 subnet (often a local subnet) in a three-hour timespan.
    • The majority of the target addresses are not associated with the same fully-qualified domain name (FQDN).
    • More than 60% of the attempts are unsuccessful (including unanswered and rejected attempts).
  • Unclassified: Aerport uses three detection algorithms to detect anomalous netflows. If two of the algorithms agree that the flow is anomalous, the event is reported as an Unclassified alarm.
  • New IP: Triggers if a device accesses a new IP.

    Note: An IP is considered new if it has not been seen in the last 60 days.

  • New Port: Triggers if a device (with a known server IP) accesses a new port.

    Note: A known server IP is a server IP with which at least 50% of the account devices have communicated in the last week.

  • Port Scan: Port scanning is conducted by attackers to determine which network ports are open and could be receiving/sending data. The Port Scan alarm triggers if both of the following conditions are true:
    • A device attempts six ports or more for a specific host within three hours.
    • More than 80% of the attempts are unsuccessful. Unsuccessful attempts include unanswered and rejected ones (e.g., TCP-RST or ICMP-Unreach).
  • SIM Misuse: Triggers if Aerport detects an IMEI change for a device and significant traffic differences before/after the IMEI change.
  • Traffic Spike: Triggers if there is a sudden spike in device usage. For the Traffic Spike alarm to trigger, the device's aggregated data usage must exceed:
    • The base threshold (10K bytes).
    • 3.5 standard deviations above the mean of the previously observed traffic.
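The Port Scan and Traffic Spike rules above can be expressed as simple checks over flow and usage records. The example below is added here and is not Aerport's own detection code; the flow records, device names and byte counts are constructed, and the three-hour window, the six-port and 80% thresholds, the 10K-byte base and the 3.5-sigma rule are taken from the alarm descriptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample flow records: (device, dst_ip, dst_port, timestamp, outcome).
# outcome is "ok", "unanswered" or "rejected" (e.g. TCP-RST / ICMP-Unreach).
T0 = datetime(2024, 1, 1, 12, 0)
FLOWS = [("dev-1", "10.0.0.5", p, T0 + timedelta(minutes=i), "rejected")
         for i, p in enumerate([21, 22, 23, 25, 80, 443, 8080])]
FLOWS += [("dev-1", "10.0.0.5", 22, T0 + timedelta(minutes=10), "ok"),
          ("dev-2", "10.0.0.5", 443, T0, "ok"),
          ("dev-2", "10.0.0.5", 80, T0, "ok")]

WINDOW = timedelta(hours=3)


def port_scan_alarms(flows, min_ports=6, fail_ratio=0.8):
    """Return (device, host) pairs matching the Port Scan rule: six or more
    distinct ports on one host within three hours, more than 80% of the
    attempts unsuccessful (unanswered or rejected)."""
    by_pair = defaultdict(list)
    for dev, host, port, ts, outcome in flows:
        by_pair[(dev, host)].append((ts, port, outcome))
    alarms = []
    for pair, recs in by_pair.items():
        recs.sort()
        # Slide a three-hour window starting at each observed flow.
        for start, _, _ in recs:
            window = [r for r in recs if start <= r[0] <= start + WINDOW]
            ports = {r[1] for r in window}
            failed = sum(1 for r in window if r[2] != "ok")
            if len(ports) >= min_ports and failed / len(window) > fail_ratio:
                alarms.append(pair)
                break  # one alarm per device/host pair is enough
    return alarms


def traffic_spike(history, current, base=10_000, k=3.5):
    """Traffic Spike rule: aggregated usage must exceed the 10K-byte base
    threshold AND the mean of earlier observations plus 3.5 standard
    deviations. history is a non-empty list of earlier byte counts."""
    return current > base and current > mean(history) + k * pstdev(history)


if __name__ == "__main__":
    print(port_scan_alarms(FLOWS))                  # [('dev-1', '10.0.0.5')]
    usage = [1000, 1200, 900, 1100, 1000]           # constructed prior usage
    print(traffic_spike(usage, 12000), traffic_spike(usage, 9000))  # True False
```

The 9000-byte case shows why both conditions matter: it is far above the statistical threshold but below the 10K-byte base, so no alarm is raised.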

To access the Alarms screen, click Security > Alarms from the navigation menu.

Searching/Filtering Alarms

The following sections describe how to conduct searches and filter results in the Alarms table.

Using the Search Bar

To make locating specific threats and anomalous events easier, the Alarms table includes a search bar that enables you to find alarms using identifiers. To locate an alarm using the search bar:

  1. Click the search bar to open the search category drop-down menu.

  2. Select one of the following search categories:
    • Severity: Risk level of the event.
    • Device IP: IP address of the device.
    • Endpoint IP: IP address of the endpoint.
    • ICCID: Identification number of the SIM involved in the threat.
    • IMSI: Identification number of the device user.
  3. Input the information required to filter your search. For example, to search for alarms with a low severity, choose Severity from the search drop-down menu and then enter Low.

The Alarms list automatically updates according to the parameters you select.

Filtering by Alarm Type

The alarm type filter narrows which events are displayed by the alarm types. For a description of the different alarm types, see Basics.

To filter threat events by Alarm Type:

  1. Click All Types at the top left of the screen to open the drop-down menu.
  2. Check or uncheck the alarm types you want to see in the Alarms table.

The listed alarms update according to your selection.

Filtering by Status

The status bar above the Alarms table filters which alarms are displayed by the following status categories:

  • All: Encompasses all status categories.
  • New: Threat event has not been viewed.
  • Acknowledged: Threat event has been viewed but not remediated.
  • Dismissed: Threat event is no longer considered a threat.
  • Resolved: Threat event is addressed and settled.

To filter the displayed alarms by status, select an option from the status bar.

Filtering by Date

The Alarms table automatically displays threat events from the last seven days. To expand or narrow the timeframe of displayed threat events:

  1. Click Last 7 days at the top right of the screen.
  2. Select the timeframe you want to view from the drop-down menu or select View Range to set a custom date range.

    The list of alarms updates according to your selection.

Working with the Alarms Table

The following sections describe how to work with and understand essential aspects of the Alarms table:

Column Definitions

The Alarms table can display the following column headers:

  • Status: Status of the threat event.
  • Type: Type of alarm.
  • Severity: Level of risk the threat poses (High, Medium, or Low).
  • Time Stamp (UTC): Date and timestamp of when the threat event was detected.
  • Device IP: IP number of the device.
  • Endpoint IP: IP number of the endpoint.
  • Device Name: Name of the device.
  • ICCID: Identification number of the affected SIM.
  • IMSI: Identification number of the device user.

Note: You can click the ICCID of an alarm to view the SIM Information window. For more information about the SIM Information window, see SIM Information.

Selecting/Sorting Columns

You can adjust the columns displayed on the Alarms table. To add or remove columns:

  1. Click the gear icon on the upper-right corner of the table.
  2. Check or uncheck the boxes you want to appear in the table.

  3. (Optional) Click the up or down arrow next to each column to sort the alarms.

The table immediately updates according to your selections.

Selecting Alarm/Device Actions

Each listed alarm has action buttons that enable you to quickly respond to an alarm or device.

The following subsections describe how to select device and alarm actions:

Using Device-level Actions

To take action on an affected device:

  1. Locate the alarm.
  2. Click the wrench icon.
  3. Select one of the following actions:
    • Block Device: Blocks all traffic to the device.
    • Suspend Device: Temporarily disables the device SIM.
    • Cancel Device: Permanently disables the device SIM to prevent further potential harmful activity.

    A confirmation window appears for the selected action.

  4. Once you read the confirmation message, click Continue.

Responding to an Alarm

To respond to an alarm:

  1. Locate the alarm.
  2. Click one of the following action icons:
    • Resolve: Updates the alarm status to Resolved.
    • Checkmark: Updates the alarm status to Acknowledged.
    • X-Icon: Updates the alarm status to Dismissed.

    Note: If you select the X icon, the Dismiss Alarm pop-up window appears.

  3. (Optional) Populate the fields in the Dismiss Alarm pop-up window and then click Dismiss Now.

An action confirmation appears at the top right of the screen.

Responding to Multiple Alarms

To respond to multiple alarms at a time:

  1. Select the desired alarms.

    Note: To select all alarms, select the All checkbox.

  2. Select one of the following icons at the top right corner of the table:
    • Resolve: Updates the alarm status to Resolved.
    • Checkmark: Updates the alarm status to Acknowledged.
    • X-Icon: Updates the alarm status to Dismissed.

    An action confirmation window appears at the top right of the screen.

    Note: If you select the X icon, the Dismiss Alarm pop-up window appears.

  3. (Optional) Populate the fields in the Dismiss Alarm pop-up window and then click Dismiss Now.

Setting Pagination

The Alarms table displays ten alarms on each page by default. To change the number of displayed alarms per page:

  1. Click the Show number at the bottom right corner of the screen.
    Note: The default number of results per page is 10.

  2. Select your desired number of results per page.

The table updates immediately.

Exporting the Table

You can easily export the Alarms table as a .csv or .xlsx file. To export the Alarms table:

  1. Click the Export icon.
  2. Select CSV or XLSX.

    Note: .xlsx downloads are not recommended for files with over 200,000 rows.

When you open .xlsx files in Microsoft Excel, long numbers like device IDs may default to a general format similar to scientific notation. To view the full ID numbers:

  1. Select the range of cells you want to view.
  2. Right-click the selected range.
  3. Click Format > Number format.

You can also open a .csv file by importing it through the Microsoft Excel Data menu. To import your report file to Microsoft Excel:

  1. Open Microsoft Excel and create a blank workbook.
  2. Select Data > From Text or From Text/CSV.
  3. Locate the .csv file in your Downloads or other designated folder.
  4. Right-click the file and select Import.
  5. Follow the subsequent prompts to specify a comma-delimited file.
  6. If you see an option for Data Type Detection, select Do not detect data types.

Viewing the Alarm Description

Each alarm has a Description that displays additional information about the alarm. To view the alarm Description, click the arrow on the left side of the alarm.

View Alarm History

The Alarm History tracks any status changes to an alarm. To view the Alarm history, click History on the Description section. This opens the Alarm History on the right side of the screen. The Alarm History tracks the following details:

  • Which status the threat event was assigned.
  • Name of the person who changed the status.
  • Email address of the person who changed the status.
  • Timestamps of when each status change occurred.
