Configuring detailed incidents generated by agents

Detailed incidents are all the logs that the agent produced in an attack perimeter, including those that do not usually appear in the administration console. For example, even logs that remained local on the agent or that were sent to a syslog server are shown in the detailed incidents. For further information, refer to the section Analyzing incidents to understand attacks.

You can configure the size of such incidents, the maximum age of their logs and how they are sent to the agent handler.

  1. In an agent group’s Monitoring tab, go to the Detailed incidents section.
  2. Define the Size limit of a detailed context, which is 500 KB by default. This is the estimated size of data going through the network. If network connections are restricted between agents and the agent handler, reduce this size. Conversely, if you added highly verbose sets of audit rules, increase this size to ensure that you retrieve enough useful logs.
  3. Define the Oldest logs. The default value is 10 minutes because most attacks happen quickly, but you can adjust it according to your preferences.
  4. Choose how the Reporting of detailed incident context takes place from the agent to the agent handler. Reporting can be:
    • Immediate: incident logs are sent to the agent handler at the same time as the alert, and can be seen immediately in the administration console.
    • Postponed: incident logs are sent to the agent handler at a Frequency that can be defined, the default value being every hour. If you analyze attacks only once daily, lengthen this interval to every two or three hours to avoid network congestion.
    • On demand: incident logs will not be sent to the agent handler automatically. You can download all this data manually when you intend to analyze an attack. For further information, refer to the section Analyzing incidents to understand attacks.
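To see why step 2 advises raising the size limit when audit rules are verbose, here is an added Python model of how the Size limit and Oldest logs settings interact; it is illustrative code, not Stormshield's, and it assumes the agent fills the context from the most recent log backwards until the cap is reached, which the page does not state. The sample audit logs are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

SIZE_LIMIT_BYTES = 500 * 1024   # console default: 500 KB
OLDEST_LOG_MS = 10 * 60 * 1000  # console default: 10 minutes


@dataclass(frozen=True)
class LogEntry:
    ts_ms: int   # event time, milliseconds since epoch
    size: int    # serialized size in bytes
    text: str


def build_detailed_context(logs: List[LogEntry], alert_ts_ms: int,
                           size_limit: int = SIZE_LIMIT_BYTES,
                           oldest_ms: int = OLDEST_LOG_MS) -> Tuple[List[LogEntry], bool]:
    """Model of the detailed incident context (assumed behaviour): keep only logs
    inside the 'Oldest logs' window before the alert, then fill the 'Size limit'
    newest-first, so the part that is cut when the cap is hit is the oldest one.
    Returns (selected logs in chronological order, truncated flag)."""
    window_start = alert_ts_ms - oldest_ms
    in_window = [entry for entry in logs if window_start <= entry.ts_ms <= alert_ts_ms]
    in_window.sort(key=lambda entry: entry.ts_ms, reverse=True)
    selected: List[LogEntry] = []
    total = 0
    for entry in in_window:
        if total + entry.size > size_limit:
            return selected[::-1], True
        selected.append(entry)
        total += entry.size
    return selected[::-1], False


def covered_ms(selected: List[LogEntry]) -> int:
    """How much of the time window the retained logs actually span."""
    return selected[-1].ts_ms - selected[0].ts_ms if selected else 0


def make_verbose_audit_logs(alert_ts_ms: int) -> List[LogEntry]:
    """Constructed sample: a chatty audit rule emitting one 256-byte log
    every 100 ms for about 11.7 minutes before the alert."""
    return [LogEntry(alert_ts_ms - i * 100, 256, f"audit event {i}") for i in range(1, 7001)]


if __name__ == "__main__":
    alert = 1_700_000_000_000
    logs = make_verbose_audit_logs(alert)
    kept, cut = build_detailed_context(logs, alert)
    print(f"default limits: {len(kept)} logs, truncated={cut}, "
          f"covers {covered_ms(kept) / 1000:.1f} s of the 600 s window")
    kept, cut = build_detailed_context(logs, alert, size_limit=2 * 1024 * 1024)
    print(f"2 MB limit: {len(kept)} logs, truncated={cut}, covers {covered_ms(kept) / 1000:.1f} s")
```

With the 500 KB default the verbose rule fills the context after about 200 s, so the earlier part of the 10-minute window is lost; a larger limit keeps the whole window at the cost of more data per incident on the network.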