Event Classification

From MetaFlows User Manual
Jump to: navigation, search

Within the Real-Time and the Historical report screens, users can classify events to take a variety of actions or change event views. The Classify menu is accessed by right clicking a row and selecting "Classify" or by clicking on the icon shown below.

Classicon.png

Classifications List

Classifications List
Figure 1: Classifications List

The Classifications List can be accessed by clicking on Rules -> Classifications from the top menu. The Classification List displays all of the classifications for the selected domain, organized by the Classification Action. The Options Strip at the top of the list contains the following options:

"Upload Classifications" Button
Click this button to open the classification uploader. Classifications must be in JSON format and contain all required information for the classification. This is useful if the user needs to quickly copy classifications in bulk from one domain to another.
"New Classifications" Button
Click this button to open the classification editor to create a new classification.
Domain List Dropdown
Use this menu to switch between the classifications in the domains.
Classification Action Buttons
Click these buttons to view Classifications with the same Classification Action.
Search Field
Type a value into the Search field to find classifications that match your query. The search will match against values in the classification name, category, addresses, and events fields.

The Classifications List is below the Options Strip. This list displays classifications for the selected domain and action. Each row shows all of the information from each matching classification. When the checkbox to the left of any row is checked, a panel will appear with buttons to delete or download the selected classifications. Multiple classifications can be selected at one time by clicking on the checkbox for a classification, holding the Shift key on the keyboard, and then clicking the checkbox for any other classification in the list.

Classifications Options Panel
Figure 2: The Classification Options panel appears when one or more classifications are checked.

When classifications are deleted, the classifications are moved to the "Trashed" action. These classifications are never used anywhere else, and are automatically deleted after thirty days. A classification can be restored by checking the checkbox next to the classification and clicking the "Restore Selected" button from the options panel that appears.

Creating a Classification

There are two ways to create a classification:

  1. Right-click on any record in Historical or Real-Time to open the context menu. Click the "Highlight" option, or
  2. From the Classifications page, click the "+" button.

When creating a new classification from Real-Time or Historical records, the "Add Classification" page will auto-populate fields based on the selected event.

Create Event Classification
Figure 3: Create Event Classification

Classification Name

This defines the name of the classification. This is required.

Classification Domain

This is the domain in which the classification will be created. The classification will be applicable to data from all sensors in the selected domain. This is required.

Classification Category

This indicates a category name. The category name will appear as a menu in the browser if the classification action is "Highlight". This is required.

Classification Action

When an event matches the classification, this is the action that will be performed. There are seven action types:

Highlight
This highlights the matching records in the Real-Time, Historical, and Reports with the selected color. These classifications can be selected from the menu strip at the top of the Real-Time and Historical pages to filter records for events that matched the classification.
Block
This triggers the Soft IPS for matching records, causing connections matching the classification to be blocked.
E-mail
This E-mails matching records as a PDF report to the specified address every ten minutes, or as frequently as possible, if the Real-Time interface is kept open. Separate multiple e-mail addresses by using a semi-colon. NOTE: The classification e-mails will be sent immediately if the Real-Time page is open, or within ten minutes if it is not. If the user wants to receive e-mail as soon as an event matches the classification, enable Real Time E-mail Alerts. See Real Time E-mail Alerts for more.
Ignore
This ignores events that match the classification and this causes the sensor to discard those events. These events will not be displayed in either the Real-Time or Historical interfaces.
Delete
This deletes matching records from the browser to free up memory. There are a number of default Delete classifications that reduce browser memory utilization. A user can add their Delete classifications to further optimize this function according to the needs of a specific environment. This action does not apply to records in the Historical page.
Rank
This increases the priority/rank of records matching the Rank classification.
Disabled
This allows a user to disable a classification without deleting it.

Comparison Types

When a classification is created, the user defines values to match in the metadata for events (the available fields are listed below). The possible comparison types are listed below; which comparison types are available depends on the field.

Any
This is the default comparison type. Any value is matched / field is ignored.
<, <=, >, >=, ==, !=
Numeric comparisons operations..
Regex
Compare the field data against the provided regular expression. All regexes are case-insensitive.
Not Empty
The field has any non-empty value.
Empty
The field has no value.

Detail Fields

Events

IDS Alerts
Match against the triggered IDS events in the record, if any.
Services
Match against services the event was using, if any.
Log Messages
Match against log messages in the record, if any.

Addresses and Ports

Server/Client IP Addresses
Match IPv4 or IPv6 addresses in server or client IP address fields. Example: 192.168.1.0/24
Server/Client Ports
Match against server or client port fields. All values must be numeric. You can provide multiple ports, separated by commas. You can also provide a range of ports. Example: 80,443,1024-2048

Originating Sensor

Limit the classification to records where the Sensor field matches the expression.

Metrics

Age (in seconds)
Match records that are greater or lesser than the specified age (in seconds).
Rank
Match records that have a specific rank/priority value.
Bytes
Match records that are larger or smaller than a specific size in bytes.
Packets
Match records that have more or less than the specified number of packets.

Viewing Classes

A demonstration of a classification based on server ports 80, 53 and greater than 1024 are displayed in Figure 4.

Figure 4: Event Classification Example
Figure 4: Event Classification Example


Event Classification
Selecting the Views icon to the left will display the classification list shown in Figure 5.


Figure 5: Event Classification Views
Figure 5: Event Classification Views

Selecting the individual class names will create a frame that contains the records strictly matching that class. Selecting "All" will bring you back the colorized summary. Selecting the "Edit" icon will allow you to edit your classification. If the classification is not new, by clicking on the "Save" icon the original classification is modified. Selecting the "Save As" icon will add a new classification. It is therefore possible to edit existing classifications, as well as derive new ones, from those already existing without starting from scratch every time.

Class Access and Legends

Figure 6: Event Classification Categories
Figure 6: Event Classification Categories
Once different classifications with an action of "Classify" are defined, they can be accessed via a drop down menu below the main menu. Each classification category is displayed. Hovering over each category displays the available classes within that category with a color corresponding to the color that the user selects. (A category called "protos" and three classifications within that category are shown in Figure 6). Selecting an individual class will change the current view to show only those records that match the classification. Selecting "All" will switch back the display to showing all classes.


Previous Chapter Next Chapter