Working with RiskVision Incidents
Incidents | TRITON RiskVision | v2.1 | 02-Jun-2016
When an HTTP or SMTP transaction analyzed by TRITON RiskVision is found to contain malicious, suspicious, data loss, or data theft activity, an incident is recorded. The incident record includes information about the transaction, and about why analysis flagged it as an incident.
Use the Incidents page in the RiskVision Local Manager to review and investigate incidents in the Transaction Viewer.
By default, the Transaction Viewer shows:
All incident records in the database
All threat levels
Monitored traffic and incidents from manually submitted pcap files
Columns most useful to investigating HTTP-based incidents
For information about all of the ways you can customize the Transaction Viewer, see Customizing the Transaction Viewer.
Incident details
More information may be available about individual incidents than can be displayed in the Transaction Viewer table. To see all available details about an incident, switch the View details toggle to ON, then select a row in the table.
This opens an additional panel at the bottom of the table. See Understanding RiskVision incident details for more information about the details that may be shown.
Advanced file analysis
If a file is sent for external file analysis, the results of the analysis may include a link to a report. When this occurs, the value in the Threat Level field (Malicious, Suspicious, or No Threat Detected) is underlined, and becomes a link to the report. Click the Threat Level value to open the report in a new browser window.
For Threat Protection Appliance reports, you are prompted to log in to the Controller, then taken to the report page.
File Sandboxing report sample
Threat Protection Appliance report sample
Copyright 2016 Forcepoint LLC. All rights reserved.