Discovery and Identity Data in Discovery Events
The system generates tables of events that represent the changes detected in your monitored network. You can use these tables to review the user activity on your network and determine how to respond. The network discovery and identity policies specify the kinds of data you want to collect, the network segments you want to monitor, and the specific hardware interfaces you want to use to monitor them.
You can use discovery and identity event tables to identify threats associated with hosts, applications, and users on your network. The system provides a set of predefined workflows that you can use to analyze the events that your system generates. You can also create custom workflows that display only the information that matches your specific needs.
To collect and store network discovery and identity data for analysis, you must configure network discovery and identity policies. After you configure an identity policy, you must invoke it in your access control policy and deploy it to the devices you want to use to monitor traffic.
Your network discovery policy provides host, application, and non-authoritative user data. Your identity policy provides authoritative user data.
The following discovery event tables are located under the Analysis > Hosts, Analysis > Users, and Analysis > Vulnerabilities menus.
Discovery Event Table | Populated With Discovery Data? | Populated With Identity Data? |
---|---|---|
Hosts | Yes | No |
Indications of Compromise | Yes | No |
Applications | Yes | No |
Application Details | Yes | No |
Servers | Yes | No |
Host Attributes | Yes | No |
Discovery Events | Yes | Yes |
User Activity | Yes | Yes |
Users | Yes | Yes |
Vulnerabilities | Yes | No |
Third-Party Vulnerabilities | Yes | No |