I have followed the given steps, and now I am getting Correlation Engine and Advanced Threat Defense, but not devices like VPN and Wireless Network.
Is there a way to get an individual pie chart or graph for each device (one pie chart for VPN, one pie chart for Wireless Network)?
1) Are all the events that we are seeing in ESM threats?
No, they are all events. Normalization makes them either a threat or not.
2) Is the Source IP that we see in ESM the Source IP of the threat?
Source IP is just one of the event fields.
1) So if I select Normalization as Malware, will the events that I get be threats? Or do I need to select any other Normalization?
2) If I want to know which Source IP the threats are coming from, how can I find it?
If you select normalization = malware, you will get all the events that are normalized as malware. You can then drill down to the events and see detailed information, such as source IP, etc.
I have created one dashboard for Malware Activity, and in the summary I am seeing terms like "Simple is Malicious", "Zero Access.Gen Command and control traffic".
What do these terms mean, or where can I find definitions for these terms?