Home
Guardian
User Guide
Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
Alerts
Alerts
The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
Closing alerts
When you close an alert, or incident, a dialog lets you select a reason, and specify the learning process.

Guardian
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
  - Sensors
  - Alerts
    - Alerts
      The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
      - Standard mode
        You can view alerts in standard mode to give you an overview of the latest anomalies.
      - Expert mode
        You can view alerts in expert mode to give you a detailed view of the alerts in the system. This lets you filter, sort, and analyze the information in detail.
      - View alerts in standard mode
        You can view alerts in standard mode to give you an overview of the latest anomalies.
      - View alerts in expert mode
        You can view alerts in expert mode to give you a detailed view of the alerts in the system. This lets you filter, sort, and analyze the information in detail.
      - Closing alerts
        When you close an alert, or incident, a dialog lets you select a reason, and specify the learning process.
      - Actions menu
        The Actions menu gives you access to all the actions that you can do for the related alert.
      - Edit a playbook associated with an alert
        A playbook associated with an alert can be modified. A change you make on the playbook only affects the playbook related to that specific alert.
  - Assets
  - Queries
  - Smart Polling
  - Arc
  - Network
  - Process
  - Reports
  - Assertions
  - Time machine
  - Vulnerabilities
  - Administration
  - Personal settings
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Closing alerts

When you close an alert, or incident, a dialog lets you select a reason, and specify the learning process.

Alerts closing dialog — Figure 1. Alerts closing dialog

The Reason for closing dropdown has these options:

This is a change: If the cause of the alert is an intended change to the network, such as:
- A new computer being attached
- New communication between two nodes that were not previously communicating
Guardian can learn the change that has been detected as part of the environment baseline. When you close an alert in this way, the intrusion detection system (IDS) is instructed to learn the related objects. For example, when a VI:NEW-NODE alert is closed as a change, Guardian registers that the corresponding node is part of the environment and will not raise subsequent VI:NEW-NODE alerts about the same node.
This is a change: If the cause of the alert is an intended change to the network, such as a new computer being attached, or a new communication between two nodes that were not talking before, the change detected by Guardian can be learned as part of the environment baseline. When closing an alert in this way, the IDS is instructed to learn the corresponding objects. For example, when a VI:NEW-NODE alert is closed as a change, Guardian registers that the corresponding node is part of the environment and will not raise subsequent VI:NEW-NODE alerts about the same node.
This is an incident: If the cause of the alert is a configuration error, an attack, a malfunctioning device, or other security incident, the change is not learned as part of the environment baseline. When closing an alert in this way, the IDS is instructed to delete the corresponding objects. For example, a new node entering the network for the first time causes a VI:NEW-NODE alert. If an alert closes as an incident, reference to the new node is deleted. The VI:NEW-NODE alert is raised again in subsequent communication involving the same node.
Custom reason: This lets you write a custom reason for closing an alert. You can enter a text string as the closing reason, with a request to apply one of the two described behaviors.

Closing alert for custom reason with comment — Figure 2. Closing alert for custom reason with comment

You can add a comment so that it shows in the alert audit log.

Audit alert operations — Figure 3. Audit alert operations