Home
Guardian
Administrator Guide
Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
Administration
Settings
Security control panel
The Security control panel page shows an overview of the current status of the learning process and lets you configure the features that manage the: learning, security profile, zones, alerts tuning, and alert closing options.
Edit
The Edit page lets you configure the security features through simple steps.
Alert tuning
The Alert tuning page lets you customize the alert behavior. Specifically, you can impose conditions on one, or many, fields to match criteria. This feature can be selectively enabled for specific user groups.
Alert configuration settings

Guardian
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
  - Administration
    - Administration page
      The administration page lets a user with administrator privileges configure settings and do other tasks.
    - Settings
      - Security control panel
        The Security control panel page shows an overview of the current status of the learning process and lets you configure the features that manage the: learning, security profile, zones, alerts tuning, and alert closing options.
        Overview
        The Overview page shows an overview of the learning status, security profile chosen, zone configurations, and alert tuning rules configured.
        Edit
        The Edit page lets you configure the security features through simple steps.
        Learning
        The Learning page lets you manage how the typical behavior and components of your environment are learned. The software needs to learn the normal processes, patterns and communication of your environment in order for it to be able to detect anomalies.
        Security profile
        The Security profile page lets you change the visibility of alerts based on their type.
        Zone configurations
        You can select this to go to the Zone configurations page. You can customize all settings related to the learning engine and the security profile on a per-zone basis.
        Alert tuning
        The Alert tuning page lets you customize the alert behavior. Specifically, you can impose conditions on one, or many, fields to match criteria. This feature can be selectively enabled for specific user groups.
        Alert configuration settings
        Alert closing options
        The Alert closing options page lets you customize the closure details of alerts and incidents. When alerts and incidents are closed, the user must choose the reason why the closure happens. There are two default reasons: actual incident and baseline change.
        Manage network learning
        The Manage network learning page lets you review and manage the Network Learning status in detail.
      - Features control panel
        The Features control panel page shows an overview of the current status of system features configuration and lets you fine tune specific values.
      - Users management
        The Users management page shows all the pages that you need to let you manage authentication and authorization policies for users and groups.
      - CLI
        The CLI page lets you change configuration parameters and perform troubleshooting activities.
      - Dashboards
        The Dashboards page lets you create and configure widget-based dashboards that provide information about your network. The dashboards created here will show on the Guardian home page, and give an overview of the monitored environment.
      - Threat Intelligence
        The Threat Intelligence page lets you manage packet rules, YARA rules, Sigma rules, structured threat information expression (STIX) indicators and vulnerabilities to provide detailed threat information.
      - Data model
        The Data model page lets you create a custom field to the Nodes (All-In-One CMC only) and Assets tables. A custom field lets you add information that might be relevant to your organization, and cannot be extracted from network traffic.
      - Data integration
      - Firewall integration
        The Firewall integrations page shows all the firewall integrations and lets you add new ones.
      - Credentials manager
        The Credentials manager is a tool that lets you centralize the management of monitored endpoints to make it easier to create, delete, or update the credentials that are needed to access those endpoints.
      - Zone configurations
        The Zone configurations page shows all the zone configurations in your environment and lets you add new zone configurations and edit them.
      - Synchronization settings
        The Synchronization settings page lets you customize the parameters related to Vantage or Central Management Console (CMC).
      - Alert playbooks
    - System
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Alert configuration settings

Source IP	Enter the internet protocol (IP) address of the source that you want to filter.
Destination IP	Enter the IP address of the destination that you want to filter.
Source MAC	Enter the media access control (MAC) address of the source that you want to filter.
Destination MAC	Enter the MAC address of the destination that you want to filter.
Match IPs and MACs in both directions	Select this if you want to select all the communications between two nodes (IP or MAC) independently of their role in the communication (source or destination).
Source Zone	Enter the zone of the source that you want to filter.
Destination Zone	Specify the zone of the destination that you want to filter.
Type ID	The type ID of the alert, this field is precompiled if you create a new modifier from an alert in the Alerts page.
Trigger ID	Unique identifier corresponding to the specific condition that has triggered the alert.
Protocol	Enter the protocol that you want to filter.
Note	Enter free-form text that describes details of the alert rule.
Execute action	Select an action to perform on the matched alerts: Mute: Switch ON/OFF: to mute or not the alert Mute until: Specify a date until which the alert will be muted Change Security Profile visibility: Set to ON to force the visibility of the selected alert type for any selected profile, or to OFF to hide it for any selected profile. Useful for extending or reducing the default provided security profiles as needed Change risk: Set a custom risk value for the alert Change trace filter: Define a custom trace filter to apply to this alert Assign playbook: Define a playbook to be attached to the matching alerts. The playbook to be attached has to be selected from the list of available playbook templates
Priority	Set a custom priority; when multiple rules trigger on an alert, the rule with the highest priority applies. Normal is the default value if no selection is made.