Event Insights

Noise in FIM is a major concern for security teams. A large number of events directly impacts the event analysis process, making it difficult for security teams to find the signal they are looking for amidst all the noise.

Quite often, only a handful of rules in a FIM profile cause most of the noise. Having precise visibility into such rules makes the fine-tuning process far more efficient.

The Event Insights tab in Qualys FIM gives you a thorough insight into the change events on your FIM console. This page contains the following widgets, which give you an at-a-glance view of the top event generators:

- Top 5 profiles

- Top 5 processes

- Top 5 rules

- Top 5 users

These widgets display data generated within the time frame you have selected from the time range selector.

Image of the Event Insights page

Each widget allows you to click and drill down to view the rules and user actions that have contributed the most events.

The top left-hand corner of the page displays the number of rules that have contributed to the highest count of events.

You also have access to a list of the FIM profiles that have generated the highest number of events, enabling you to analyze your rules and pinpoint which rule in which profile has generated the most events. The event grid lists the top event-generating profiles, followed by the corresponding rule names, a noise level indicator, the precise event count and the distribution of that count across each event action. The noise level is shown as 'Minimal', 'Moderate' or 'Critical', where 'Critical' indicates that the corresponding rule is generating more than 90% of the events in the selected time frame.

Important: A widget counts all the rules that contribute to the total event count, including rules that have since been deleted by a user. However, if you click the widget to drill down into the rule details, a deleted rule is not listed under the Rule Name column, so the sum of the listed rules can be lower than the widget's total.

Image of the event insight details

Once you have a precise understanding of which FIM profile and rules are generating noise or false positives, select the profile and click Quick Actions > Edit Profile to fine-tune the specific rule by adding relevant inclusion/exclusion filters. Fine-tuning the rule reduces the noise and ensures that only the events of interest reach the FIM console.
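To make the grid's numbers concrete, the following Python script reproduces the same analysis offline over a set of exported change events: it ranks profiles, rules, processes and users by event count, computes each rule's share of the total and its per-action split, labels the noise level, and then shows what happens to the shares after an exclusion filter is applied to the noisy rule. This is an added example, not Qualys code or its API. The event records are constructed for the example; the 'Critical' cut-off (above 90%) is the page's definition, while the 'Moderate' cut-off, the field names and the glob-style exclusion filter are assumptions made here.

```python
"""Offline reproduction of the Event Insights rule grid over FIM change events.

Each event is a constructed record with the fields the page's widgets
group on (profile, rule, process, user) plus the file path and the
event action. Nothing here is Qualys' own code or API.
"""
from collections import Counter, defaultdict
from fnmatch import fnmatch


def _burst(n, profile, rule, path, action, process, user):
    """Build n identical constructed events (sample data, not real telemetry)."""
    return [dict(profile=profile, rule=rule, path=path, action=action,
                 process=process, user=user) for _ in range(n)]


# Constructed sample: 100 events in the selected window, 92 of them from a
# single rule that watches /var/log and is swamped by syslog rotation.
SAMPLE_EVENTS = (
    _burst(90, "Linux-Baseline", "Monitor /var/log", "/var/log/syslog",
           "Content", "rsyslogd", "root")
    + _burst(2, "Linux-Baseline", "Monitor /var/log", "/var/log/auth.log",
             "Content", "rsyslogd", "root")
    + _burst(3, "Linux-Baseline", "Monitor /etc", "/etc/passwd",
             "Content", "usermod", "root")
    + _burst(5, "Windows-Baseline", "System32 DLLs",
             r"C:\Windows\System32\vendor.dll", "Create", "msiexec.exe", "SYSTEM")
)

# 'Critical' above 90% of all events is the page's definition; the
# 'Moderate' cut-off is an assumption made for this example only.
CRITICAL_SHARE = 0.90
MODERATE_SHARE = 0.50  # assumption


def noise_level(share):
    """Map a rule's share of total events to the grid's noise indicator."""
    if share > CRITICAL_SHARE:
        return "Critical"
    if share > MODERATE_SHARE:
        return "Moderate"
    return "Minimal"


def top_n(events, field, n=5):
    """Top-N values of one field (profile, rule, process, user) by event count,
    as the four widgets show."""
    return Counter(e[field] for e in events).most_common(n)


def rule_grid(events):
    """Per (profile, rule): event count, share of the total, noise level and
    the distribution of events across event actions, highest count first."""
    total = len(events)
    counts = Counter((e["profile"], e["rule"]) for e in events)
    actions = defaultdict(Counter)
    for e in events:
        actions[(e["profile"], e["rule"])][e["action"]] += 1
    rows = []
    for (profile, rule), count in counts.most_common():
        share = count / total if total else 0.0
        rows.append({"profile": profile, "rule": rule, "count": count,
                     "share": round(share, 4), "noise": noise_level(share),
                     "actions": dict(actions[(profile, rule)])})
    return rows


def apply_exclusion(events, profile, rule, pattern):
    """Simulate adding an exclusion filter (glob on the file path) to one
    rule and return the events that would still reach the console."""
    return [e for e in events
            if not (e["profile"] == profile and e["rule"] == rule
                    and fnmatch(e["path"], pattern))]


if __name__ == "__main__":
    for row in rule_grid(SAMPLE_EVENTS):
        print(row)
    print("top users:", top_n(SAMPLE_EVENTS, "user"))
    tuned = apply_exclusion(SAMPLE_EVENTS, "Linux-Baseline",
                            "Monitor /var/log", "/var/log/syslog")
    print("after exclusion:", len(tuned), "events remain")
    for row in rule_grid(tuned):
        print(row)
```

On the constructed sample the first grid row is 'Monitor /var/log' at 92% and therefore 'Critical'; excluding /var/log/syslog from that one rule leaves 10 events and no rule above 'Minimal', which is the effect you are looking for when you edit the profile. The same check is worth re-running after every filter change, because an exclusion that is too broad hides the events you actually want to see (for example, /etc/passwd) just as effectively as it hides the noise.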

Related Topics

Qualys Query Library
Configuration of correlation rules to auto create incidents

Configuration of rule-based alerts for events and incidents