
Web Tap Documentation
UP - 2. The Management Interface NEXT - 2.2 Alert Details
2.1 Alert Summary
The alert summary page contains a list of all the alerts that have been generated by Web Tap. It also allows you to display different alerts based on their status or group. You can access the alert details from this page by clicking on an alert. You can also make some changes directly to an alert from the alert summary page.
2.1.1 Alert Information
The following information about each alert is displayed in the alert summary page:
- Viewed/New – The entire row for the alert will have a white background if the alert is new or a grey background if it has previously been viewed. Normally, Web Tap will mark an alert as viewed when an administrator has accessed its details. The alert will remain in the viewed state until Web Tap detects new suspicious activity for the particular server and client and sets the alert’s status to new. Viewed and new are mutually exclusive and independent of an alert’s pending status and priority.
- Status (Pending, Ignored, Fixed) – If the alert is ignored or has been fixed, a status icon will appear directly to the right of the check box at the beginning of the row. A green check mark means fixed, a red X means ignored, and no status icon means that the alert is pending. These three indicators are mutually exclusive and independent of priority or viewed status.
- Priority (High, Medium, Normal) – If the alert has been flagged as high or medium priority, an icon will appear next to the status icon. A red flag is high priority, a yellow flag is medium priority, and no icon is normal priority. The priority levels are mutually exclusive and independent of viewed or pending status.
- Client – This column specifies the client that made the suspicious web requests. Sorting on this column is possible by clicking on the “Client” table header.
- Server – This column contains the domain that received the suspicious web requests. The alert may have traffic to a number of different servers from the same domain, as is often the case with large web hosts. However, if this column contains an IP address, then it is an alert for an individual server. Sorting on this column is possible by clicking on the “Server” table header.
- Groups – Types – This column lists the groups that the alert belongs to, as well as the alert types. The types indicate why Web Tap marked the HTTP traffic as suspicious. For more information about grouping, see the alert groups section. For more information about types, see the alert types section.
- Time – This column shows the most recent time at which Web Tap detected suspicious activity listed under this alert. Sorting on this column is possible by clicking on the “Time” table header.
2.1.2 Selecting Alerts to Display
On the left of the alert summary page are a number of check boxes and a list of groups for selectively displaying alerts. By default, all alerts that are pending and in the group “Main” will be displayed. If you also want to display alerts that have been marked as ignored or fixed, you may check the corresponding boxes and Web Tap will automatically update the display. If you only want to see new alerts that have not yet been examined, then uncheck the “Viewed” box. Below these, you can also filter the displayed alerts by priority. Finally, you can display alerts that belong to different groups by clicking on the corresponding group name. To add a new alert group, click on the “Add New…” link. For more information about groups, see the alert groups section.
2.1.3 Basic Actions
From the alert summary page, the following basic actions are available and will be applied to the selected alerts. The actions will occur when you press a button or select an item from the “Other Actions…” drop-down menu.
- Fixed, Ignore, Mark as Pending – Selecting one of these actions will set the status of the selected alerts accordingly. Note: If you mark an alert as ignored or fixed, Web Tap will change its status to pending if it detects new suspicious activity for the same client and domain. To ignore the alert permanently, use the trust server/domain functionality in the alert details view (see alert details section), or manually add a filter (see filters section).
- Flag (High), Set Priority Medium, Set Priority Normal – These actions modify the priority of the selected alerts.
- Mark as New, Mark as Viewed – These two actions will change the alerts’ viewed status.
- Move to [group], Add to [group] – These two actions will both add the selected alerts to the specified group. The difference is that the Move to [group] action will first remove the alert from all of its current groups, including the default main group if it is a member.
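The alert lifecycle described in 2.1.1 through 2.1.3 (viewed/new, status and priority as independent fields, re-opening on fresh activity for the same client and server, the default display filter, and Move vs. Add to a group) can be captured in a small model. This is an added illustration written for this page, not Web Tap's own code; the class and method names, the integer timestamps and the sample client/server values are all constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    client: str
    server: str                 # domain, or an IP address for a single server
    status: str = "pending"     # pending | ignored | fixed (mutually exclusive)
    priority: str = "normal"    # high | medium | normal (mutually exclusive)
    viewed: bool = False        # False = new row (white), True = viewed (grey)
    groups: set = field(default_factory=lambda: {"Main"})  # new alerts start in Main
    types: set = field(default_factory=set)  # why the traffic was flagged
    last_seen: int = 0          # most recent suspicious activity (constructed clock)

class AlertSummary:
    """Constructed model of the alert summary page's rules."""
    def __init__(self):
        self.alerts = {}        # one alert per (client, server) pair

    def record_activity(self, client, server, alert_type, when):
        """New suspicious traffic either creates an alert or re-opens the
        existing one: status goes back to pending and the row becomes new,
        even if an administrator had marked it ignored, fixed or viewed."""
        alert = self.alerts.get((client, server))
        if alert is None:
            alert = Alert(client, server)
            self.alerts[(client, server)] = alert
        else:
            alert.status = "pending"
            alert.viewed = False
        alert.types.add(alert_type)
        alert.last_seen = max(alert.last_seen, when)
        return alert

    def display(self, group="Main", pending=True, ignored=False, fixed=False,
                viewed=True, priorities=("high", "medium", "normal")):
        """Defaults mirror the page: pending alerts in Main, any priority,
        viewed rows included; unchecking 'Viewed' keeps only new rows."""
        wanted = {s for s, on in (("pending", pending), ("ignored", ignored),
                                  ("fixed", fixed)) if on}
        rows = [a for a in self.alerts.values()
                if group in a.groups and a.status in wanted
                and a.priority in priorities and (viewed or not a.viewed)]
        return sorted(rows, key=lambda a: a.last_seen, reverse=True)

    def add_to_group(self, alert, group):
        alert.groups.add(group)          # Add keeps every existing membership

    def move_to_group(self, alert, group):
        alert.groups = {group}           # Move drops all current groups, Main included
```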