ACSIA Help Center

ACSIA SOS - User Manual - V7.x


Dashboard section

The Dashboard section (1) shows an overview of the incidents on your infrastructure.


The data can be filtered by tenant (2) and by date (3):


Incidents section

The Incidents section shows the details of the incidents on your infrastructure, telling you if an incident has a low, medium, high, or critical impact:


By default, the incidents are shown per severity (low, medium, high, critical), but you can create different filters by clicking on +Add filter:


After an incident has been verified, you can decide whether to put it on hold, close it, or leave it open by changing its status:


To visualize all the details of an incident, you can click on the pencil icon:


Once you've clicked on the incident details, you can view information across three tabs: Overview, Geolocation, and Raw Event.

In the Overview tab, you'll find details such as the first and last time the incident was observed (as incidents are aggregated), the number of occurrences, the device involved, the source IP, and the target host and port, depending on the incident type.


In the Geolocation tab you'll find where the attacker's IP is located.

The Raw event tab shows all the details associated with the incident. 


Devices section

In this section, you can see all the devices where the agent is installed.


You can filter the Devices list by Hostname, IP, Operating System and Status.


In the Devices section, when you click on the pencil icon for a device, you can access the Asset Inventory, Custom Logs and Incidents sections.


Device - Asset Inventory

Here, you can view details about the device such as:

  • Architecture
  • Resources
  • Network interfaces
  • IP addresses
  • Hotfixes/patches
  • Installed apps and libraries
  • Established connections
  • Open protocols listening
  • Running processes

If the Asset Inventory section is not visible, or if you encounter errors on this board, it may indicate that some agent components are not installed correctly. In this case, please refer to our guide or open a ticket on the Zendesk portal.


Device - Custom Logs

Here you can see all the custom logs monitored by the agent by default. If you want, you can add further custom logs, such as Zimbra logs (for instructions, follow this guide: How to Add Zimbra Logs), IIS logs (for instructions, refer to this guide: IIS Logs) or NGINX logs (for instructions, refer to this guide: NGINX Logs).


Add new Device

To install the agent on a new device, click on + Device, then follow the instructions on the UI to install the agent on your machine.

Please note that in step 1, you need to select the tenant, and in step 2, choose the operating system of your machine (currently, Windows and Linux are supported). Devices can be either servers or clients (PCs).


Check Agent is installed on the device

Follow this guide


Uninstall a Device

To uninstall a device, you can use the ACSIA SOS UI by clicking the "Uninstall" option in the three-dot menu next to the device.


If the uninstallation is unsuccessful, you can force the removal of the agent by navigating to Preferences > Lost Agents.

If the device does not appear in the list, and you need to forcibly uninstall the agent directly from the machine, you can follow this guide: [Guide Link].



Global Settings

Here you can customize the name, the logo, and the company information of the app (only Staff Users can make these changes). 


Global Audit Logs

Here you can see a detailed log of all accesses and management operations. Staff Users can filter log entries based on specific tenants and users.

By clicking on the log, you can see further details about the entry. 



Detection Rules

This section allows users to enable or disable Sigma rules from the UI, providing a more flexible and customized approach to rule management within the system. By clicking on the pencil icon, users can also view the rule's detail.


Network Policies

In this section you can manage the whitelist and blacklist of IPs and networks.

  • Rules can be defined in ACSIA: the system can automatically whitelist/blacklist IPs or networks based on rule triggers.

  • Network security administrators can manually whitelist/blacklist IPs or networks from the incident view.

  • Network security administrators can manually whitelist/blacklist specific IPs, networks, or IP ranges with details.

  • Notification actions are configured to ignore the IPs or networks in the whitelist or blacklist.

How to add a new policy

    • Click on +Policy
    • Write the IP Address and select the action (Block/Allow)
    • Select if you want to apply it on all the devices or only on selected ones
    • Save



Notification rules section

This section allows you to create custom notifications based on incident severity. Currently, we support notifications via email, Teams, and Slack.


To create a new notification rule, click on Notifications rules > +Rule and choose the type of notification you want:


Based on what you've chosen, you'll need to insert the emails of the recipients (separated by a comma), or a webhook in case of Teams or Slack notifications.


Slack Notification

Name: The name you want to use to identify the notification rule.

Type: Slack

Severity: Choose the type of incidents that will trigger a notification in Slack.

Webhook URL: Follow the official Slack documentation to create the webhook URL for the channel: Slack Incoming Webhooks.

Description: A brief description.


Teams Notification

Name: The name you want to use to identify the notification rule.

Type: Teams

Severity: Choose the type of incidents that will trigger a notification in Teams.

Webhook URL: Follow the official Teams documentation to create the webhook URL for the channel: Add Incoming Webhook in Teams.

Description: A brief description.



Users section

In this section, you can add users and have two possibilities:

  1. You can add a new user by filling in the required fields
  2. You can import existing users. By clicking on import user, the list of existing users will show up.

When the user is successfully created, the role assigned by default is Self User.

You have to specify a role for the new user (see also the Roles section) by clicking on the pencil icon. Then, click the edit button in the Roles section, add the role (e.g., Admin), and click the back icon.



Roles section

You can create completely custom roles in the roles section by clicking on +Role.

Give a name to the new role and decide the privileges it will have:




Audit Logs

Here you can see a detailed log of all accesses and management operations.

By clicking on the log, you can find further details about the entry.



Preferences section

In this section, you can manage your preferences.

  • Automatic Malicious IP Blocking Configuration
    Customize Automatic Malicious IP Blocking by specifying which attacking IPs trigger blocks and choose whether to apply them universally or selectively to devices under attack, providing granular control over your cybersecurity measures.
  • Automatic Malicious File Blocking Configuration
    Enable Automatic Malicious File Blocking to restrict access to potentially dangerous files.
  • Device Isolation Whitelist Configuration
    The Device Isolation mode is configured to restrict the connectivity of devices under attack, rendering them inaccessible to and from all hosts, except those specified in the whitelist. Please confirm the list of hosts that can reach compromised devices before enabling Device Isolation mode.
  • Allowed IPs
    Customize the list of hosts allowed to communicate with isolated devices. Define specific hosts that maintain connectivity privileges, providing flexibility and control over communication during security incidents.




Logout, Theme preferences and User settings

In this section you can log out of the platform, select Light or Dark mode for the dashboard, and find information about your account.


Logout:


Light/Dark mode:


User Preferences:


You will find all the tenants associated with your account, and you can enable your user to access the OpenSearch Dashboard (or Compliance Dashboard) in the 'Dashboard' section. You can follow this guide (link) to enable your user to view the Wazuh Dashboard.