Working with RiskVision Incidents
52010 | Incidents | TRITON RiskVision | v2.0 | 24-Sep-2015
When an HTTP or SMTP transaction analyzed by Websense TRITON RiskVision is found to contain malicious, suspicious, data loss, or data theft activity, an incident is recorded. The incident record contains detailed information about the transaction that occurred and the analysis that was performed.
Use the Incidents page in the RiskVision Local Manager to review and investigate incidents in the Transaction Viewer.
By default, the Transaction Viewer shows:
*
*
*
*
You can customize the Transaction Viewer to highlight the details you find most valuable for investigating and remediating security events.
* Specify the Time period to display. The default value reflects the time span between the oldest incident in the database (by incident time) and the current day.
  When you click the field to change the time period, a calendar tool is displayed. Mark the Specify start and end time check box below the calendar tool to further narrow the period displayed.
* Specify whether or not to Show hidden incidents. Incidents created based on cloud app data that have no other threat or data loss characteristics are hidden by default.
* Enter a string (like a threat name, user name, or IP address) in the Filter field to show only incidents that contain that string.
* Group the data in the table by one or more fields (for example, source IP and threat name, as shown below). To do this, click on a column header (like User Name) and drag it straight up into the sorting row above the table. Repeat for each additional field that you'd like to use to group the data.
  The result looks like this, with the "group by" fields appearing at the top of the table, and the data in the table grouped accordingly:
  To stop using a particular field to group data, click the "x" next to the field name in the "group by" row.
* Use the View drop-down list to select a predefined set of columns to show in the table. The default view emphasizes threat and data loss information for HTTP transactions.
* Use the Show/Hide Columns drop-down list to customize which columns appear in the table.
See RiskVision Transaction Viewer table columns for more information about the columns that can be displayed in the table.
More information may be available about individual incidents than can be displayed in the Transaction Viewer table. To see all available details about an incident, switch the View details toggle to ON, then select a row in the table.
This opens an additional panel at the bottom of the table. See Understanding RiskVision incident details for more information about the incident details.

Copyright 2015 Raytheon | Websense. All rights reserved.