Threat Detection
The Threat Detection module is divided into two key components: Alerts and Rules, providing comprehensive visibility and control over potential threats in your industrial environment.
Alerts

The Alerts view provides an overview of detected threats, helping you quickly identify patterns and prioritize responses:
- Visual Overview: A timeline diagram groups alerts by day, while a donut chart highlights the rules that generated the most occurrences. These visual tools allow you to assess the scale and nature of potential threats at a glance.
- Detailed Alert List: Each alert is listed with a summary, and clicking on an alert reveals additional data, including:
  - Public IP intelligence, such as the originating country and associated organization.
  - Detailed packet capture information for in-depth analysis.
  - Diagnostic information, in cases where alerts pertain to device health or operational issues.
- Investigation and Response: Alerts are linked to the associated resource and rule, allowing for swift investigation and action. Clicking the resource or rule opens their respective views for further details and context.
Snooze Alerts
The “Snooze Alerts” button provides a simple way to temporarily mute alerts for 30 minutes, helping to reduce noise during planned infrastructure changes.
- Use this button when performing activities like configuration updates or maintenance, where you anticipate alerts but want to avoid unnecessary interruptions from false positives.
- While alerts are muted during the snooze period, they will still be logged for future reference, ensuring you maintain visibility into your system’s security events.
By reducing alert noise during planned changes, this feature allows you to focus on your tasks without compromising the ability to review any potential issues later. You can manually reactivate alerts at any time if needed.
Rules

The Rules section lists all the detection rules that underpin the alerting system and provides customization options.
- Rule Management: Each rule can be enabled or disabled as needed, providing flexibility in tailoring the detection system to your specific requirements.
- Parameterization for Precision: Some rules include customizable parameters, such as allowlists, to maintain accuracy and reduce noise in alerting. These parameters enable the system to account for legitimate behavior while still identifying anomalous activities.
- MITRE ATT&CK Mapping: Rules are mapped to the MITRE ATT&CK framework, helping you understand the tactics and techniques each rule addresses.
- Detailed Descriptions: Each rule includes a concise description of the detection mechanism and its relevance to security, enabling informed decision-making and system customization.