Configuring Risk Object

Detection > Risk Object

On the risk object page, you can:

Configure Detected Objects

To configure a detected object, on the risk object page, click Risk Object Configuration and configure the related options on the Risk Object Configuration dialog. Descriptions of the options on the dialog are listed in the table below:

Option Description

Search Conditions

  • Name: Search by the object name.
  • Type: Search by the object type.
  • Virtual Router: Search by the virtual router name.
  • IP: Search by the IP address.
  • Search: Click to search by the specified conditions. The search result is shown in the table below.
  • Reset: Click to clear all the search conditions.

New: Click this button to open the Risk Object Configuration dialog, and configure the detected object on the dialog. The descriptions of the options are:

Basic

Options on the Basic tab:

  • Name: Specify the name of the detected object.
  • Virtual Router: Specify the virtual router the detected object belongs to.
  • Type: Specify the type of the detected object. Three types of detected object are supported by the system: subnet, host/server, and service.
  • IP: Specify the IP address of the subnet, host/server, or service.
  • Netmask: When the subnet type is selected, specify the netmask for the subnet.
  • Protocol: When the service type is selected, specify the protocol type for the service.
  • Port: When the service type is selected, specify the port number for the service.
  • Description: Specify the description for the detected object if necessary.

The service and network nodes added in the monitor module are detected here automatically.

Advanced

Options on the Advanced tab are:

  • Period: Specify the detection period. The system gets the historical data of the detected object in each period, and then calculates the baseline from that historical data. Usually, this period is determined by the traffic change cycle (at the same time point in two cycles, the traffic status is similar). "0" means no period; in this situation, the baseline is calculated from the developing trend of the traffic. "0" suits networks with irregular traffic.
  • Application: Specify applications for the detected object.
  • Schedule: Specify a schedule for the detected object. The anomalies occurring in the schedule will be ignored by the system.
  • Set Threshold: Specify the threshold for the detected object. When the actual value of the parameter is higher than the high threshold or lower than the low threshold, the system sends an abnormality alarm. To specify the threshold, take the following steps:
    1. Click Set Threshold; the Set Threshold dialog appears.
    2. If applications have been specified for the detected object, select an application from the Application drop-down list.
    3. Select a parameter from the Parameter dialog.
    4. Enter the high and low thresholds in the High Threshold and Low Threshold text boxes respectively.
    5. Click Add to add the threshold information.
    6. Repeat the above steps to add multiple thresholds.
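The following is an added example, not the product's own code, that models the Advanced-tab behaviour described above for one detected object: a period-based baseline, high/low threshold alarms, and a schedule whose anomalies are ignored. The baseline rule (mean of the samples at the same point of earlier cycles, or the mean of the last few samples when the period is 0), the deviation tolerance, and the (low, high) threshold shape are assumptions made for the example.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class DetectedObject:
    """One risk object with the Advanced-tab settings modelled here (assumed shapes)."""
    name: str
    period: int                                     # samples per traffic cycle; 0 = no period
    thresholds: dict = field(default_factory=dict)  # parameter -> (low, high)
    schedule: list = field(default_factory=list)    # (start, end) sample indexes to ignore

    def baseline(self, history, idx, window=3):
        """Assumed rule: mean of the samples at the same point of earlier cycles;
        with period 0 (or before a full cycle exists) the mean of the last `window` samples."""
        if self.period > 0:
            same_point = [history[i] for i in range(idx - self.period, -1, -self.period)]
            if same_point:
                return mean(same_point)
        recent = history[max(0, idx - window):idx]
        return mean(recent) if recent else history[idx]

    def ignored(self, idx):
        """True when the sample falls inside the ignore schedule."""
        return any(start <= idx <= end for start, end in self.schedule)

    def threshold_alarms(self, parameter, history):
        """Samples above the high or below the low threshold, outside the schedule."""
        low, high = self.thresholds[parameter]
        alarms = []
        for idx, value in enumerate(history):
            if self.ignored(idx):
                continue
            if value > high:
                alarms.append((idx, value, "above high threshold"))
            elif value < low:
                alarms.append((idx, value, "below low threshold"))
        return alarms

    def baseline_anomalies(self, history, tolerance=0.5):
        """Samples deviating from the baseline by more than `tolerance` (assumed ratio),
        checked only once a full cycle of history exists."""
        start = self.period if self.period > 0 else 1
        return [idx for idx in range(start, len(history))
                if not self.ignored(idx)
                and abs(history[idx] - self.baseline(history, idx)) > tolerance * self.baseline(history, idx)]


# Constructed sample: three cycles of four traffic samples for one parameter
HISTORY = [10, 20, 30, 40, 12, 22, 28, 95, 2, 21, 31, 41]
OBJ = DetectedObject("web-server", period=4, thresholds={"bytes": (5, 80)}, schedule=[(8, 9)])

if __name__ == "__main__":
    print(OBJ.threshold_alarms("bytes", HISTORY))   # [(7, 95, 'above high threshold')]
    print(OBJ.baseline_anomalies(HISTORY))          # [7]
```

Sample 8 is below the low threshold and far from its baseline, but it falls inside the schedule and so raises nothing; remove the schedule and it is reported by both checks.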
Edit: Select the detected object you want to edit from the detected object table, and then click this button to edit it. The service and network nodes added in the monitor module cannot be edited here.
Delete: Select the detected objects you want to delete from the detected object table, and then click this button to delete them.
Detected Object Table

  • Name: Shows the name of the detected object.
  • Type: Shows the type of the detected object.
  • Virtual Router: Shows the virtual router the detected object belongs to.
  • IP: Shows the IP address of the detected object.
  • Protocol - Port: Shows the protocol type and the port number.
  • Defined Type: Shows the defined type of the detected object; it can be created in the risk object module (marked as "User-defined") or in the monitor module (marked as "Service/Network Node").
  • Application: Shows the application information of the detected object.
  • Schedule: Shows the schedule bound to the detected object.
  • Description: Shows the description of the detected object.
  • Operation: Click Set Threshold to set the high and low thresholds for the detected object.

Viewing Risk Object Summary

The detected object table on the risk object page shows the anomalies and the health status of the detected objects and provides the links to the detailed page and the methods to resolve the abnormalities. For more information, see the table below.

Option Description

  • Risk Object: Shows the name of the detected object.
  • Type: Shows the type of the detected object.
  • Anomaly Alert Frequency: Shows the abnormal statistics of the detected object.
  • Score: Shows the health score of the detected object. The system evaluates the threat status (host/server) and abnormality status of the detected object, and then calculates the health score based on the evaluation result. The score represents the health status of the detected object over the latest 24 hours.
  • Health Status: The system uses stars in different colors to show the health status of the detected object:
    • Unhealthy: the score is lower than 50
    • Subhealthy: the score range is from 50 to 80
    • Healthy: the score range is from 80 to 100

Click View Alerts to see the detailed abnormal statistics of the detected object.

Click Configure Settings to open the Configure Settings dialog. You can do the following tasks on this dialog:

  • Schedule: Specify a schedule for the detected object. The abnormal alerts occurring within the schedule will be ignored by the system. If the traffic anomaly happens in a fixed time and it can be judged as a normal network event, you can use this way to ignore the anomaly.
  • Clear History Statistics: Clear all the alerts of the detected object.
  • Rebuild Baseline: Rebuild the baseline of the detected object. After editing the detected object, for example, changing the type from subnet to host/server, it is recommended to perform this option in order to get a proper detection result.
  • Reset Risk Object: Clear all the historical detection data of the detected object thoroughly, and re-gather the statistics of the detected object. After editing the detected object, for example, changing the type from subnet to host/server, it is recommended to perform this option in order to get a proper detection result.