This screen displays the alerts produced by the MOREAL Decision Maker Engine.
A Decision Maker alert notifies about suspicious activity of an internal IP that occurred during the last hour and is made up
of multiple MOREAL alerts and threat events.
Activity is analysed in regular time periods (time windows). The default time window is set to 1 hour in the current version.
For more information, refer to the Decision Maker technical article.
Sample Decision Maker alerts
A decision maker alert contains:
- A title and a description that provide an overview of the alert
- A timestamp which indicates when the underlying activity occurred
- The organization the monitored entity belongs to
- The device name the monitored entity is connected to
- A color-coded severity indicator based on a score computed from the collected evidence for this alert
Alert details page
The alert details page provides extra information for the generated alert and links to the relevant events and corresponding
Example of a Decision Maker alert
More specifically, the most important information is:
- A color-coded severity indicator based on a score computed from the confidence, the risk level and
the collected evidence specific to this alert
- The organization (and sub-organization) the monitored entity belongs to
- An alert description which names the involved IP and explains the
reason the alert was raised
- Time window: The length of the time period that the measurements
- Occurred at: The specific time window, with the exact starting and ending time, in which the
measurements were performed. The suspicious behaviour refers to this period.
- Detected at: The exact time when the Decision Maker detected a potential threat.
- First notification: The exact time when MOREAL created this alert for the first time.
- Last notification: The exact time when MOREAL last updated this alert (if there is more than one occurrence of the same event).
- Threat Risk Indicator: A proprietary MOREAL score indicating the risk level, the confidence and
the amount of evidence for raising the alert.
- Criticality: A more user-friendly label for the severity of this alert (low, medium, high, critical)
Finally, the MOREAL alert details page provides links for navigating to views of the raw traffic and
security events (button: "View relevant events"), a link to the IP profile of the involved
entity (button: "View IP Profile") and links to relevant alerts (button: "View relevant alerts").
How to interpret a Decision Maker alert
The alert description can be interpreted as follows:
- [IP: 192.168.66.17]: The first part, enclosed in square brackets, names the involved entity (IP: 192.168.66.17)
- The second part gives the reason the alert was raised and is the starting point for further investigation
through the corresponding IP Profile, Relevant Events and Relevant Alerts pages.
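As an added illustration (not MOREAL's own code or data model), the following Python sketch models the alert fields listed above and the description format just described; the class and function names, keying a repeated event on IP plus reason text, and refreshing the score on recurrence are assumptions.

```python
# Added illustration of the alert fields described on this page; it is not
# MOREAL's own code. Assumed: the description format, and that "the same
# event" means the same IP together with the same reason text.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

WINDOW = timedelta(hours=1)  # default time window stated on the page
# "[IP: 192.168.66.17] : reason ..." -> involved entity, then the reason
DESC_RE = re.compile(r"^\[IP:\s*(?P<ip>[^\]]+)\]\s*:?\s*(?P<reason>.+)$")

def parse_description(desc: str) -> tuple[str, str]:
    """Split an alert description into (involved IP, reason)."""
    m = DESC_RE.match(desc.strip())
    if not m:
        raise ValueError(f"unrecognised description: {desc!r}")
    ip = str(ip_address(m.group("ip").strip()))  # rejects malformed addresses
    return ip, m.group("reason").strip()

@dataclass
class DecisionMakerAlert:
    ip: str
    reason: str
    window_start: datetime  # "Occurred at": start of the measured window
    detected_at: datetime   # when the Decision Maker flagged the threat
    first_notification: datetime
    last_notification: datetime
    score: float            # Threat Risk Indicator (opaque here)
    occurrences: int = 1

    @property
    def window_end(self) -> datetime:
        return self.window_start + WINDOW

def notify(store: dict, desc: str, window_start: datetime,
           detected_at: datetime, score: float) -> DecisionMakerAlert:
    """Create an alert, or update the stored one when the same event recurs:
    last_notification and the score move, first_notification stays."""
    ip, reason = parse_description(desc)
    alert = store.get((ip, reason))
    if alert is None:
        alert = DecisionMakerAlert(ip, reason, window_start, detected_at,
                                   detected_at, detected_at, score)
        store[(ip, reason)] = alert
    else:
        alert.last_notification = detected_at
        alert.score = max(alert.score, score)
        alert.occurrences += 1
    return alert
```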
Relevant Alerts Page
Relevant Events Page