Home
Guardian
User Guide
Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
Alerts
Alerts
The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
Actions menu
The Actions menu gives you access to all the actions that you can do for the related alert.

Guardian
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
  - Sensors
  - Alerts
    - Alerts
      The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
      - Standard mode
        You can view alerts in standard mode to give you an overview of the latest anomalies.
      - Expert mode
        You can view alerts in expert mode to give you a detailed view of the alerts in the system. This lets you filter, sort, and analyze the information in detail.
      - View alerts in standard mode
        You can view alerts in standard mode to give you an overview of the latest anomalies.
      - View alerts in expert mode
        You can view alerts in expert mode to give you a detailed view of the alerts in the system. This lets you filter, sort, and analyze the information in detail.
      - Closing alerts
        When you close an alert, or incident, a dialog lets you select a reason, and specify the learning process.
      - Actions menu
        The Actions menu gives you access to all the actions that you can do for the related alert.
        Open the Actions menu in standard mode
        You can open the Actions menu to give you access to additional operations. When you are in standard mode, there are two different options available to open the menu.
        Open the Actions menu in expert mode
        You can open the Actions menu to give you access to additional operations.
        Configure an alert
        You can use the Configure alert option to create a new alert rule for future events that are similar to the current one.
        Acknowledge an alert
        Once an alert or incident shows, you can mark it as acknowledged. You can also change the status back to unacknowledged again.
        Close an alert
        Once an alert or incident shows, you can mark it as closed, and choose the type of learning operation to perform.
        Download a trace
        If a trace is available, you can choose to download it. The trace contains the packet that triggered the alert, along with an extract of the same session before and after that packet. Traces might be unavailable if the appliance is under stress.
        Download a malicious file
        Once a sensor has detected a malicious file, it is possible to download it for analysis.
        Edit a note for an alert
        Once an alert or incident shows, you can write a note for it, or edit an existing one.
        View a diff from an alert
        This automatic feature will use the previous and subsequent snapshots according to the time of the alert.
        Navigate from an alert
        Alerts and incidents have related nodes, links, vulnerabilities, or sessions. The actions menu lets you navigate to these links.
      - Edit a playbook associated with an alert
        A playbook associated with an alert can be modified. A change you make on the playbook only affects the playbook related to that specific alert.
  - Assets
  - Queries
  - Smart Polling
  - Arc
  - Network
  - Process
  - Reports
  - Assertions
  - Time machine
  - Vulnerabilities
  - Administration
  - Personal settings
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Actions menu

The Actions menu gives you access to all the actions that you can do for the related alert.

Actions menu — Figure 1. Actions menu

Note: The options available in the Actions menu can change. The options will depend on:

The type of alert
The state of the sensor
Whether the sensor is a Guardian or a Central Management Console (CMC)

Configure alert

You can use the Configure alert option to create a new alert rule for future events that are similar to the current one.

Ack/Unack

Once an alert or incident shows, you can mark it as acknowledged. You can also change the status back to unacknowledged again.

Close

Once an alert or incident has been addressed, you can mark it as closed, and choose the type of learning operation to perform.

Download trace

If a trace is available, you can choose to download it. The trace contains the packet that triggered the alert, along with an extract of the same session before and after that packet. Traces might be unavailable if the appliance is under stress. For detections that require multiple packets, such as Multiple login failures, the trace might not contain enough traffic to reproduce the alert. Incidents do not have an associated trace.

Download file causing the alert

Once a sensor has detected a malicious file, it is possible to download it for analysis. After you select this option, a dialog shows to warn the user that the file has been identified as malicious, or unwanted. To download the file, the user must acknowledge that they will do so at their own risk. In a CMC, this option is only available after the applicable file has been requested, (see below).

Edit note

Once an alert or incident shows, you can write a note for it, or edit an existing one.

Time machine diff

It is possible to open a time machine diff which corresponds to the time of the alert, or incident.

Navigate

Alerts and incidents have related nodes, links, vulnerabilities, or sessions. The Actions menu lets you navigate to these links.