Update Portal menu - Security Sub-Systems

Good afternoon,

Has there been an update on the Portal Menu - Security Sub-Systems?
I noticed that ‘Security Sub-Systems’ has been renamed to ‘Security’ and some subitems have been added:

It looks like some logs are merged into a submenu.

Hopefully this is the beginning of a better and more intuitive way to find threats.

Am I missing some more improvements on this update?

Regards.

@ailan
You can find all the list of updates in here:
https://forum.itarian.com/forum/products/preview-section/75752-release-candidate-of-itarian-platform-for-major-release-of-2022-q1

Hi @vadym,

Thanks.
Yes, in the post it was stated as:
“The security Sub-System section under the ITarian Platform has been entirely renamed with a more comprehensive menu structure.”

But I can’t find any info on whether there are improvements or changes to the contents per submenu or log.

Were there any improvements?

Regards

Hello @ailan,

The Security Sub-System section under the platform has been entirely renamed with a more comprehensive menu structure.

Here are the changes:

  • The old "Device List" tab of Antivirus has been renamed as "Endpoint Security Status" and located as a separate page under the "Security" menu.
  • The old "Security Dashboards" has been renamed as "Security Events". "Event View, File View, and Device View" tabs remained under this section, and "Android Threat History" has been added as a separate tab under the "Security Events" section.
  • The old "Current Malware List" tab of Antivirus has been renamed as "Blocked Threats" and located as a separate page under the "Security" menu.
  • The old "Quarantined Files" tab of Antivirus has been renamed as "Quarantined Threats" and located as a separate page under the "Security" menu.
  • The old "Containment" has been renamed as "Contained Threats".
  • The old "Autoruns Items" tab of Antivirus has been renamed as "Autorun Alerts" and located as a separate page under the "Security" menu.
  • The old "Application Control" has been renamed as "File Rating" and now this section contains 3 tabs:
    1- File Rating: It shows the list of the old "Application Control".
    2- Detected Scripts: It shows detected embedded codes.
    3- Obsolete Files: The old "Obsolete Files" tab of Antivirus has been added as a tab under "File Rating".
  • The old "Valkyrie" has been renamed as "File Verdicts".
Kind regards, Elif

Hi @Elif_Bengi,

Thanks for the explanation,
This is clear.

I was hoping that the logs were already improved for HIPS logging:

Regards

Hello @ailan,

This is a separate feature request and it is on our mid-term roadmap. We’ll share it within the next release candidate posts when it is ready to be released.

Kind regards,
Elif

Hi @Elif_Bengi ,

It’s a pity that the logs are still not reliable:
I got a complaint about a user that his application was contained.
I looked in the ‘Contained Threats’ to look for the threat but couldn’t find the device.
In this log I only find 2 threats for today:

When digging in the ‘Security Events’, I find 99!!! containments only for today:

Still, it’s very hard to find what you’re looking for.

Shouldn’t the containment entries also show up under the submenu ‘Contained Threats’?

When can this be fixed?

Regards.

Hello @ailan,

Firstly, I couldn’t see your first attachment. But let me explain the case as I understand:

On the “Event View” of Security Events with “Containment” component filter, you can see all containment event records. It means there can be more than one record in this list for the same file.
On the “Contained Threats”, this list shows containment logs with “Containment Policy” as “Contained by” filter by default. This list is file-based, so there is one record for the same file.

To align these two lists, could you please check on your end by setting the “Contained by” filter to “All” on “Contained Threats” and at the same time check the “File View” tab of “Security Events”?

Kind regards,
Elif
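The two lists Elif describes above, as an added illustration that is not part of the original thread or of the ITarian platform’s own code: constructed containment events are collapsed from an event-based view (one record per containment run, as in “Event View” with the “Containment” component filter) into a file-based view (one row per file hash), and the default “Contained by” filter is applied on top of that. The field names, timestamps, hash values, the extra “Antivirus” component record and the “Manual” contained-by value are all assumptions made for the example; only “Containment Policy” as the default filter value comes from the post.

```python
"""Event-based vs. file-based containment views (illustrative, not ITarian code).

Shows why the event list can report many containment records for one day while
the file-based "Contained Threats" page shows far fewer rows, and why the default
"Contained by" filter can hide the very device you are looking for.
"""

# Constructed sample records. A contained file that is re-launched every few
# minutes produces a fresh event each time, so one endpoint alone can generate
# dozens of rows per day in the event-based view.
EVENTS = [
    {"ts": "2022-05-03T08:01:00Z", "device": "PC-01", "component": "Containment",
     "sha1": "a1", "path": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "contained_by": "Containment Policy"},
    {"ts": "2022-05-03T08:06:00Z", "device": "PC-01", "component": "Containment",
     "sha1": "a1", "path": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "contained_by": "Containment Policy"},
    {"ts": "2022-05-03T08:11:00Z", "device": "PC-01", "component": "Containment",
     "sha1": "a1", "path": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "contained_by": "Containment Policy"},
    {"ts": "2022-05-03T09:30:00Z", "device": "PC-02", "component": "Containment",
     "sha1": "b2", "path": r"D:\Downloads\setup.exe",
     "contained_by": "Containment Policy"},
    # The newly installed application from the complaint: contained, but not by
    # policy ("Manual" is an assumed value), so the default filter hides it.
    {"ts": "2022-05-03T10:15:00Z", "device": "PC-07", "component": "Containment",
     "sha1": "c3", "path": r"C:\Program Files\NewVendor\newapp.exe",
     "contained_by": "Manual"},
    {"ts": "2022-05-03T10:20:00Z", "device": "PC-07", "component": "Containment",
     "sha1": "c3", "path": r"C:\Program Files\NewVendor\newapp.exe",
     "contained_by": "Manual"},
    # A non-containment record, excluded by the component filter.
    {"ts": "2022-05-03T11:00:00Z", "device": "PC-02", "component": "Antivirus",
     "sha1": "d4", "path": r"D:\Downloads\dropper.exe", "contained_by": None},
]


def event_view(events, component="Containment"):
    """Event-based list: every record of the given component, oldest first.

    Timestamps are ISO-8601 UTC strings of equal length, so they sort as text.
    """
    return sorted((e for e in events if e["component"] == component),
                  key=lambda e: e["ts"])


def file_view(events):
    """Collapse containment events into one row per file, keyed by hash."""
    rows = {}
    for e in event_view(events):
        row = rows.setdefault(e["sha1"], {
            "sha1": e["sha1"], "path": e["path"],
            "first_seen": e["ts"], "last_seen": e["ts"],
            "events": 0, "devices": set(), "contained_by": set()})
        row["events"] += 1
        row["first_seen"] = min(row["first_seen"], e["ts"])
        row["last_seen"] = max(row["last_seen"], e["ts"])
        row["devices"].add(e["device"])
        row["contained_by"].add(e["contained_by"])
    return sorted(rows.values(), key=lambda r: r["first_seen"])


def contained_threats(events, contained_by="Containment Policy"):
    """File-based page with its 'Contained by' filter; 'All' disables the filter."""
    rows = file_view(events)
    if contained_by == "All":
        return rows
    return [r for r in rows if contained_by in r["contained_by"]]


def rows_for_device(rows, device):
    """Rows from a file-based view that involve the given device."""
    return [r for r in rows if device in r["devices"]]


if __name__ == "__main__":
    print(f"Event View (Containment): {len(event_view(EVENTS))} records")
    print(f"Contained Threats, default filter: {len(contained_threats(EVENTS))} rows")
    print(f"Contained Threats, 'All': {len(contained_threats(EVENTS, 'All'))} rows")
    for label, rows in (("default", contained_threats(EVENTS)),
                        ("All", contained_threats(EVENTS, "All"))):
        hits = rows_for_device(rows, "PC-07")
        print(f"PC-07 visible with filter={label}: {[r['path'] for r in hits]}")
```

Running the script shows six containment records collapsing to three files, two of which survive the default filter; the complaining device only becomes visible once “Contained by” is set to “All”, which is exactly the check Elif asks for.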

Hi @Elif_Bengi ,

Thanks for the explanation.
I think the upload of the image went wrong and cache is messed up because I can see both images on my machine but not on another. Sorry.

As I was replying to your question, I retyped my whole response because it’s getting more confusing for me.
I understand what you say. Clear.

Point is that a client called me about a newly implemented program that was contained.
They installed it a few days back, when he called me on May 3rd.

If I look at the ‘Containment’ entries for that day in ‘Contained Threats’, I see only 5 entries (just like you requested: filtered by date and with ‘All’ selected at ‘Contained by’):
These are entries I can relate to at most 3 different devices:

That is the first thing I notice:
By Default, when selecting ‘Contained threats’, the report shows only the entries contained by Policy like you mentioned:

Why not all the contained entries? Now you only see a subset of all the entries if you don’t know there’s a filter.

But the second thing is that the affected entry wasn’t listed at the moment the user called. I couldn’t find the entry regarding the device.

Now, 6 days later, when I check the logs again, I do see the entry. It appeared nearly 5 hours later that day, after I had posted this post and checked the logs.
Sometimes it takes too much time between detection and logging before you can take action:

This is just an example of why I asked for email notifications with direct action buttons, so you can react faster and don’t have to search through all the logs with all the delays.

Hello @ailan,

We’ve taken your request into our plan about the functionality of the “Contained Threats” page to provide all containment logs. We also aim to improve our email template in our Q2 release.

For your logging issue, the portal adjusts the time with respect to the portal timezone. So, this issue may happen if the timezone is not correctly set on the endpoint. Team will create a support ticket to check this and inform you.

Kind regards,
Elif

Hi @Elif_Bengi ,

Thanks for replying.
No, it’s not the adjustments regarding the timezone or the difference in timestamps.

It was about the delay before the entry appeared in the log. I did check several times at that day and couldn’t find the entry.

Now I see it did take nearly 5 hours before appearing.

So no support ticket has to be created. I just wanted to point out how it’s working in real life and that there’s room for some minor improvements that can solve these issues.

Hope to see the improved email template very soon.

@ailan do you have all of your logging settings checked?

Hi @libretech,

I have everything on default and didn’t change any logging settings.

With default settings, it shouldn’t depend on your personal settings for a threat to pop up so you can react to it in a reasonable timeframe.

Especially for a security platform.

@ailan when it comes to cybersecurity the more logs of good data the better IMO, I turn everything on.

@libretech ,

I agree.

But out of the box, the default settings should be sufficient so that you can search, find and act on a threat within minutes.
You don’t want an outbreak because the entry shows up a few hours after an incident.

@ailan I agree, just making a suggestion.