5.6.2. Web UI `Health checks` screen

After clicking the `HOME` or `GATEWATCHER` buttons, the display area will be as follows: the `Status` zone displays the simplified status of the detection systems managed by the GCenter. This area gives the status of the following components:
| Marker | Engine | For |
|---|---|---|
| 1 | IDS (GCap probe) | Transmits captured events and files to the GCenter |
| 2 | Malcore | Detects malware |
| 3 | Codebreaker | Detects shellcodes |
| 4 | CTI | Uses LastInfoSec indicators of compromise to generate alerts for Advanced Persistent Threat (APT) threats |
| 5 | Machine Learning | Detects domain names generated by a Domain Generation Algorithm (DGA), used by Command & Control (C&C) type threats |
| 6 | Codebreaker | Detects PowerShell |
To get detailed information, click on the area to open a new screen.

The `Health Checks` screen consists of the following areas:

- Field (1) `GLOBAL STATUS`: indicates the status of the detection engines (GCap and GCenter); see The `GLOBAL STATUS` field
- Field (8) `MALWARE STATUS`: indicates the status of the GCenter Malcore engine; see The `MALWARE STATUS` field
- Zone (10) `IDS`: indicates the status of the GCap Sigflow engine; see The `IDS` zone
- Zone (12) `ENGINES DATA`: indicates the general status of the data (data queues and database); see The `ENGINES DATA` zone
5.6.2.1. The `GLOBAL STATUS` field

Field (1) `GLOBAL STATUS` includes:

| Marker | Engine | State | For more information |
|---|---|---|---|
| 2 | IDS (GCap probe) | blue check mark: GCaps are connected and up to date; red panel: GCaps are offline or not up to date | refer to The `IDS` zone (10) |
| 3 | Malware (detection by the Malcore engine) | blue check mark: Malcore engine is active and running; red panel: one or more engines are out of date | refer to The `MALWARE STATUS` field (8) |
| 4 | Shellcode | blue check mark: Codebreaker goasm engine is active and running; red panel: Codebreaker goasm engine is not active or not working | refer to Engine restart |
| 5 | Powershell | blue check mark: Codebreaker gps engine is active and running; red panel: Codebreaker gps engine is not active or not working | refer to Engine restart |
| 6 | C&C (Command & Control) | blue check mark: gdgadetect Machine Learning engine is active and running; red panel: gdgadetect Machine Learning engine is not active or not working | refer to Engine restart |
| 7 | APT (Advanced Persistent Threat) | blue check mark: gcti CTI engine is active and running; red panel: gcti CTI engine is not active or not working | refer to Engine restart |
5.6.2.2. The `IDS` zone

The `IDS` zone (10) displays the following information:

- The name
- Date of last update
- The status
- The state

The zone also shows:

- the message `All Gcaps are offline or not up to date`
- the `STATE` column for each of the GCaps present: in this example, the GCap present is in the state `ONLINE`
- the `STATE` column with the message `OUTDATED`
- the `LAST UPDATE` column

Note: The engine is in `running` status if the Sigflow engine is installed and the API is up.

Note: To update, refer to Manual installation of an update of signatures and/or anti-viral engines (update) to download and install the latest sigflow.gwp file.
5.6.2.3. The `MALWARE STATUS` field

The area (8) `MALWARE STATUS` includes:

- one antivirus engine (for some licenses): this is the case in this example
- or 16 antivirus engines (for other licenses)

The information given is:

- Engine hash name
- Date of the last engine package update
- The status, which indicates the age of the engine package via the colour signage
- Package installation status (PRODUCTION = OK)

The field also shows:

- the message `One or more engine(s) are not up to date`
- the `LAST UPDATE` column, giving the date, and the icon present in the `STATUS` column: in this example, the package is more than 7 days old

Note: To restart the engine, use the `Restart a GApp` command from the configuration menu and select `gmalcore`.

5.6.2.4. The `ENGINES DATA` zone

Zone (12) `ENGINES DATA` includes:

- the data queues waiting in front of the engines detecting malware, PowerShell and shellcodes;
- the size of the Elasticsearch database (in volume and percentage).
5.6.2.5. Engine restart

- Shellcode (Codebreaker goasm engine): use the `Restart a GApp` command from the configuration menu and select `goasm`.
- PowerShell (Codebreaker gps engine): use the `Restart a GApp` command from the configuration menu and select `gps`.
- C&C (gdgadetect Machine Learning engine): use the `Restart a GApp` command from the configuration menu and select `gdgadetect`.
- APT (gcti CTI engine): use the `Restart a GApp` command from the configuration menu and select `gcti`.
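As an added example (not part of the GCenter documentation), the following Python script applies the status rules of the `GLOBAL STATUS`, `IDS` and `MALWARE STATUS` sections to constructed health-check records and lists, for each red component, the GApp to select in `Restart a GApp` or the update that is needed. The 7-day package-age threshold is an assumption taken from the "more than 7 days" example above; the record types are hypothetical, not a GCenter API.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: a package older than this is flagged outdated; the threshold is
# taken from the "more than 7 days" example in the MALWARE STATUS section.
PACKAGE_MAX_AGE = timedelta(days=7)

# Engine -> GApp to select in "Restart a GApp" (Engine restart section and the
# note in the MALWARE STATUS section).
RESTART_GAPP = {"Shellcode": "goasm", "Powershell": "gps",
                "C&C": "gdgadetect", "APT": "gcti", "Malware": "gmalcore"}

@dataclass
class EngineRecord:               # hypothetical record, constructed for the example
    name: str                     # engine as named in GLOBAL STATUS
    running: bool                 # engine active and running
    last_update: "date | None"    # last package update, None if not tracked

@dataclass
class GcapRecord:                 # hypothetical record, constructed for the example
    name: str
    online: bool
    last_update: date

def outdated(last_update: date, today: date) -> bool:
    return today - last_update > PACKAGE_MAX_AGE

def ids_status(gcaps, today):
    """Red panel if there is no GCap, or any GCap is offline or outdated."""
    ok = all(g.online and not outdated(g.last_update, today) for g in gcaps)
    return "blue" if gcaps and ok else "red"

def health_check(engines, gcaps, today):
    """Return (global status, per-component status, remediation actions).
    Not running -> red + restart action; outdated package -> red + update."""
    statuses = {"IDS": ids_status(gcaps, today)}
    actions = []
    if statuses["IDS"] == "red":
        actions.append(("IDS", "check GCap connectivity / install latest sigflow.gwp"))
    for e in engines:
        if not e.running:
            statuses[e.name] = "red"
            actions.append((e.name, "Restart a GApp: " + RESTART_GAPP[e.name]))
        elif e.last_update is not None and outdated(e.last_update, today):
            statuses[e.name] = "red"
            actions.append((e.name, "update engine package"))
        else:
            statuses[e.name] = "blue"
    overall = "red" if "red" in statuses.values() else "blue"
    return overall, statuses, actions
```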