GCenter Documentation V103
Last update 20/12/2024, Version V2

Table of contents

  • 1. Description
    • 1.1. Introduction
    • 1.2. Overview of the TAP
    • 1.3. Presentation of the GCap
    • 1.4. Presentation of the GCenter
      • 1.4.1. Different server models
      • 1.4.2. List of the GCenter inputs / outputs
        • 1.4.2.1. Use of USB and VGA connectors
        • 1.4.2.2. Access to the server's management and configuration interface
        • 1.4.2.3. `MGMT0` and `VPN0` network interfaces
        • 1.4.2.4. Network interfaces `ICAP0` and `SUP0`
        • 1.4.2.5. Electrical connection
        • 1.4.2.6. USB connector and LUKS key
    • 1.5. Presentation of Reflex
    • 1.6. Interconnection between devices
      • 1.6.1. Viewing communication flows
      • 1.6.2. Example of architectures
        • 1.6.2.1. Detection architecture diagram
        • 1.6.2.2. MPL 1 (PDIS 1 architecture diagram)
        • 1.6.2.3. MPL 2 (PDIS 2 architecture diagram)
  • 2. Operation
    • 2.1. Detection Engines
      • 2.1.1. Malcore engine
        • 2.1.1.1. Introduction
          • 2.1.1.1.1. For what types of threats is this engine designed?
          • 2.1.1.1.2. How does this particular engine detect threats?
          • 2.1.1.1.3. How does Malcore engine work in the GCenter?
            • 2.1.1.1.3.1. Malcore engine input data
        • 2.1.1.2. Events generated
          • 2.1.1.2.1. Example of a Malcore alert in the WebUI
          • 2.1.1.2.2. Malcore log data structure
            • 2.1.1.2.2.1. The header part of Malcore logs
            • 2.1.1.2.2.2. The source part of Malcore logs
            • 2.1.1.2.2.3. List of counters of the alert
        • 2.1.1.3. Management of the engine
          • 2.1.1.3.1. Viewing the engine status
          • 2.1.1.3.2. Engine update
          • 2.1.1.3.3. Malcore configuration and management of the ignored list feature
        • 2.1.1.4. Alert Analysis
      • 2.1.2. Shellcode detect engine
        • 2.1.2.1. Introduction
          • 2.1.2.1.1. For what types of threats is this engine designed?
          • 2.1.2.1.2. How does this particular engine detect threats?
          • 2.1.2.1.3. How does Shellcode Detect engine work in the GCenter?
            • 2.1.2.1.3.1. Shellcode Detect engine input data
        • 2.1.2.2. Events generated
          • 2.1.2.2.1. Example of a Shellcode alert in the WebUI
          • 2.1.2.2.2. Shellcode log data structure
            • 2.1.2.2.2.1. The header part of the Shellcode logs
            • 2.1.2.2.2.2. The source part of the Shellcode logs
            • 2.1.2.2.2.3. List of counters of the alert
        • 2.1.2.3. Management of the engine
          • 2.1.2.3.1. Viewing the engine status
          • 2.1.2.3.2. Engine update
          • 2.1.2.3.3. Engine configuration
        • 2.1.2.4. Alert Analysis
      • 2.1.3. Malicious Powershell detect engine
        • 2.1.3.1. Introduction
          • 2.1.3.1.1. For what types of threats is this engine designed?
          • 2.1.3.1.2. How does this particular engine detect threats?
          • 2.1.3.1.3. How does Malicious Powershell Detect engine work in the GCenter?
            • 2.1.3.1.3.1. Malicious Powershell Detect engine input data
        • 2.1.3.2. Events generated
          • 2.1.3.2.1. Example of a Malicious Powershell detect alert in the WebUI
          • 2.1.3.2.2. Malicious Powershell log data structure
            • 2.1.3.2.2.1. The header part of Malicious Powershell logs
            • 2.1.3.2.2.2. The source part of Malicious Powershell logs
            • 2.1.3.2.2.3. List of counters of the alert
        • 2.1.3.3. Management of the engine
          • 2.1.3.3.1. Viewing the engine status
          • 2.1.3.3.2. Engine update
          • 2.1.3.3.3. Engine configuration
        • 2.1.3.4. Alert Analysis
      • 2.1.4. Sigflow engine
        • 2.1.4.1. Introduction
          • 2.1.4.1.1. For what types of threats is this engine designed?
          • 2.1.4.1.2. How does this particular engine detect threats?
          • 2.1.4.1.3. How does Sigflow engine work in the GCenter?
            • 2.1.4.1.3.1. For more information
        • 2.1.4.2. Detailed operation of the rules
          • 2.1.4.2.1. Organizing the rules
          • 2.1.4.2.2. Sigflow engine signature sources
          • 2.1.4.2.3. Rulesets
            • 2.1.4.2.3.1. Optimization of rulesets
            • 2.1.4.2.3.2. Changing signatures
              • 2.1.4.2.3.2.1. Definition of signatures
            • 2.1.4.2.3.3. Removing or limiting the number of alerts
              • 2.1.4.2.3.3.1. Manual creation of the deletion or limitation of the number of alerts
              • 2.1.4.2.3.3.2. Automatic creation of limits on the number of alerts
            • 2.1.4.2.3.4. Generating rulesets
          • 2.1.4.2.4. GCAP Profiles
            • 2.1.4.2.4.1. Detection Rulesets
              • 2.1.4.2.4.1.1. Single-tenant
              • 2.1.4.2.4.1.2. Multi-tenant by interface
              • 2.1.4.2.4.1.3. Multi-tenant by VLAN
            • 2.1.4.2.4.2. Base variables
              • 2.1.4.2.4.2.1. Stream analysis and file extraction
              • 2.1.4.2.4.2.2. HTTP Proxy
              • 2.1.4.2.4.2.3. Payload
              • 2.1.4.2.4.2.4. Community ID
              • 2.1.4.2.4.2.5. Alerting and logging
            • 2.1.4.2.4.3. Net variables
            • 2.1.4.2.4.4. Flow timeouts
            • 2.1.4.2.4.5. Files rules management
            • 2.1.4.2.4.6. Packet filtering
        • 2.1.4.3. Events generated
          • 2.1.4.3.1. Example of a Sigflow alert in the WebUI
          • 2.1.4.3.2. Sigflow log data structure
            • 2.1.4.3.2.1. The header part of the sigflow logs
            • 2.1.4.3.2.2. The source part of the sigflow logs
            • 2.1.4.3.2.3. List of counters of the alert
          • 2.1.4.3.3. Events of type "alert"
            • 2.1.4.3.3.1. Example of "alert" Sigflow events in the WebUI
            • 2.1.4.3.3.2. Log data of type "alert"
          • 2.1.4.3.4. Events of type "fileinfo"
            • 2.1.4.3.4.1. Example of "fileinfo" Sigflow events
          • 2.1.4.3.5. Events of type "meta-data"
            • 2.1.4.3.5.1. Events of type "metadata"
            • 2.1.4.3.5.2. List of fields present in all alerts with event_type != ["alert", "fileinfo", "stats"]
            • 2.1.4.3.5.3. List of protocols compatible with logging (event_type field)
        • 2.1.4.4. Management of the engine
          • 2.1.4.4.1. View the status of Sigflow
          • 2.1.4.4.2. Engine update
          • 2.1.4.4.3. Rules update
          • 2.1.4.4.4. Sigflow configuration
        • 2.1.4.5. Alert Analysis
      • 2.1.5. DGA detect engine
        • 2.1.5.1. Introduction
          • 2.1.5.1.1. For what types of threats is this engine designed?
          • 2.1.5.1.2. How does this particular engine detect threats?
          • 2.1.5.1.3. How does this DGA detect engine work in the GCenter?
        • 2.1.5.2. Events generated
          • 2.1.5.2.1. Example of a DGA detect alert in the WebUI
          • 2.1.5.2.2. DGA detect log data structure
            • 2.1.5.2.2.1. The header part of the DGA detect logs
            • 2.1.5.2.2.2. The source part of the DGA detect logs
            • 2.1.5.2.2.3. List of counters of the Malcore alert
        • 2.1.5.3. Management of the engine
          • 2.1.5.3.1. Viewing the engine status
          • 2.1.5.3.2. Engine update
          • 2.1.5.3.3. Configure the DGA detect engine and manage the list of ignored files
        • 2.1.5.4. Alert Analysis
      • 2.1.6. Malcore retroanalyzer engine
        • 2.1.6.1. Introduction
          • 2.1.6.1.1. For what types of threats is this engine designed?
          • 2.1.6.1.2. How does this particular engine detect threats?
          • 2.1.6.1.3. How does Malcore retroanalyzer work in the GCenter?
        • 2.1.6.2. Events generated
        • 2.1.6.3. List of counters of the alert
        • 2.1.6.4. Counters associated with Malcore retroanalyzer engine
        • 2.1.6.5. Management of the engine
          • 2.1.6.5.1. Viewing the engine status
          • 2.1.6.5.2. Engine update
          • 2.1.6.5.3. Configuration of Malcore retroanalyzer engine
        • 2.1.6.6. Alert Analysis
      • 2.1.7. Active CTI engine
        • 2.1.7.1. CTI module overview
        • 2.1.7.2. Introduction
          • 2.1.7.2.1. For what types of threats is this engine designed?
          • 2.1.7.2.2. How does this particular engine detect threats?
          • 2.1.7.2.3. How does Active CTI work in the GCenter?
        • 2.1.7.3. Events generated
          • 2.1.7.3.1. Example of an Active CTI alert in the WebUI
          • 2.1.7.3.2. Active CTI logs data structure
            • 2.1.7.3.2.1. The header part of Active CTI logs
            • 2.1.7.3.2.2. The source part of Active CTI
        • 2.1.7.4. Management of the engine
          • 2.1.7.4.1. Viewing the engine status
          • 2.1.7.4.2. CTI update
            • 2.1.7.4.2.1. The database of indicators of compromise
            • 2.1.7.4.2.2. The Active CTI engine update
          • 2.1.7.4.3. Active CTI configuration
        • 2.1.7.5. Alert Analysis
      • 2.1.8. Retro hunt engine
        • 2.1.8.1. CTI module overview
        • 2.1.8.2. Introduction
          • 2.1.8.2.1. For what types of threats is this engine designed?
          • 2.1.8.2.2. How does this particular engine detect threats?
          • 2.1.8.2.3. How does Retro Hunt work in the GCenter?
        • 2.1.8.3. Events generated
          • 2.1.8.3.1. Example of a Retro hunt alert in the WebUI
          • 2.1.8.3.2. Retro hunt logs data structure
            • 2.1.8.3.2.1. The header part of Retro hunt logs
            • 2.1.8.3.2.2. The source part of Retro hunt logs
            • 2.1.8.3.2.3. List of counters of the Retro hunt alert
        • 2.1.8.4. Management of the engine
          • 2.1.8.4.1. Viewing the engine status
          • 2.1.8.4.2. CTI update
            • 2.1.8.4.2.1. The database of indicators of compromise
            • 2.1.8.4.2.2. Engine update
          • 2.1.8.4.3. Engine configuration
        • 2.1.8.5. Alert Analysis
      • 2.1.9. Ransomware detect engine
        • 2.1.9.1. Introduction
          • 2.1.9.1.1. For what types of threats is this engine designed?
          • 2.1.9.1.2. How does this particular engine detect threats?
          • 2.1.9.1.3. How does Ransomware detect work in the GCenter?
            • 2.1.9.1.3.1. Training and re-training
            • 2.1.9.1.3.2. Detections / Predictions
        • 2.1.9.2. Events generated
          • 2.1.9.2.1. Example of Ransomware detect alert in the WebUI
          • 2.1.9.2.2. Ransomware detect log data structure
            • 2.1.9.2.2.1. The header part of the Ransomware logs
            • 2.1.9.2.2.2. The source part of the logs
        • 2.1.9.3. Management of the engine
          • 2.1.9.3.1. Viewing the engine status
          • 2.1.9.3.2. Engine update
          • 2.1.9.3.3. Ransomware detect configuration and management of the ignored files list
        • 2.1.9.4. Alert Analysis
      • 2.1.10. Beacon detect engine
        • 2.1.10.1. Introduction
          • 2.1.10.1.1. For what types of threats is this engine designed?
          • 2.1.10.1.2. How does this particular engine detect threats?
          • 2.1.10.1.3. How does the Beacon Detect engine work in the GCenter?
            • 2.1.10.1.3.1. Beacon Detect engine input data
          • 2.1.10.1.4. Management of the Beacon Detect engine
          • 2.1.10.1.5. Events generated by the engine
          • 2.1.10.1.6. Essential information to understand the context of the alert
            • 2.1.10.1.6.1. What are the key fields of an alert and their meaning in the WebUI?
        • 2.1.10.2. Events generated
          • 2.1.10.2.1. Example of a Beacon detect alert in Kibana
          • 2.1.10.2.2. Beacon detect log data structure
            • 2.1.10.2.2.1. The header part of the Beacon detect logs
            • 2.1.10.2.2.2. The source part of the Beacon detect logs
            • 2.1.10.2.2.3. List of counters of the Malcore alert
        • 2.1.10.3. Management of the engine
          • 2.1.10.3.1. Viewing the engine status
          • 2.1.10.3.2. Engine update
          • 2.1.10.3.3. Beacon Detect configuration engine and management of the ignored destination list
        • 2.1.10.4. Alert Analysis
      • 2.1.11. Yara engine
        • 2.1.11.1. Introduction
          • 2.1.11.1.1. For what types of threats is this engine designed?
          • 2.1.11.1.2. How does this particular engine detect threats?
          • 2.1.11.1.3. How does Yara work in the GCenter?
            • 2.1.11.1.3.1. Yara engine input data
        • 2.1.11.2. Events generated
          • 2.1.11.2.1. Events generated by the engine
        • 2.1.11.3. Management of the engine
          • 2.1.11.3.1. Viewing the engine status
          • 2.1.11.3.2. Engine update
          • 2.1.11.3.3. Yara engine configuration
        • 2.1.11.4. Alert Analysis
      • 2.1.12. Detection by GScan
    • 2.2. Management of the GCenter software
      • 2.2.1. Dedicated modules for managing updates: threat-DB update and software update
      • 2.2.2. Upgrade presentation
        • 2.2.2.1. Minor update case
        • 2.2.2.2. In the case of a major update
        • 2.2.2.3. Upgrade path
      • 2.2.3. Update presentation
        • 2.2.3.1. Manual Update
        • 2.2.3.2. Automatic update
          • 2.2.3.2.1. Online update
          • 2.2.3.2.2. Local update
      • 2.2.4. Hotfix presentation
      • 2.2.5. Release note
      • 2.2.6. Overview of the backup and restoration
    • 2.3. Data use
      • 2.3.1. Detection data
        • 2.3.1.1. Data export via the Syslog protocol
        • 2.3.1.2. ECS format for the data export
          • 2.3.1.2.1. Example of an alert exported
      • 2.3.2. Data related to detection results
      • 2.3.3. Management and system status data
        • 2.3.3.1. Viewing the system status
        • 2.3.3.2. Export system state data to remote servers
          • 2.3.3.2.1. Export data to a Netdata server
          • 2.3.3.2.2. Data retrieval by a Nagios server
        • 2.3.3.3. System management and configuration
      • 2.3.4. Data retention
      • 2.3.5. Deleting data
    • 2.4. GApps management
    • 2.5. Interconnection with external systems
      • 2.5.1. Introduction
      • 2.5.2. MISP Server
      • 2.5.3. Syslog servers
        • 2.5.3.1. Introduction
        • 2.5.3.2. SIEM
        • 2.5.3.3. SIEM Splunk
        • 2.5.3.4. Logstash
      • 2.5.4. Netdata server
      • 2.5.5. Access for a monitoring server
  • 3. Characteristics
    • 3.1. Mechanical characteristics of GCenter
    • 3.2. Electrical characteristics of GCenter
    • 3.3. Functional characteristics of GCenter
  • 4. Accounts
    • 4.1. List of accounts
    • 4.2. Account setup from the configuration menu
      • 4.2.1. Account from the configuration menu
      • 4.2.2. Related principles
        • 4.2.2.1. Authentication mode
        • 4.2.2.2. Password management
        • 4.2.2.3. Password management policy
        • 4.2.2.4. Anti-bruteforce system
      • 4.2.3. Functions allowed in the setup account
    • 4.3. Web interface accounts and their management
      • 4.3.1. Web Interface Accounts
        • 4.3.1.1. List of groups
        • 4.3.1.2. Generic accounts
      • 4.3.2. Functions allowed with the group or role `operator`
      • 4.3.3. Functions authorized with the group or role `administrator`
      • 4.3.4. Functions allowed in the admin account
      • 4.3.5. Summary tables of the menus per level
        • 4.3.5.1. Main menu
        • 4.3.5.2. Menu bar
          • 4.3.5.2.1. The `Detection strategy` menu
          • 4.3.5.2.2. `Health` menu
            • 4.3.5.2.2.1. `Administration` menu
          • 4.3.5.2.3. `Help` menu
      • 4.3.6. Related principles
        • 4.3.6.1. Authentication mode
        • 4.3.6.2. Password management
        • 4.3.6.3. Password management policy
      • 4.3.7. Creating local users
      • 4.3.8. LDAP integration / Active Directory
      • 4.3.9. Audit trail
        • 4.3.9.1. Authentication history function
        • 4.3.9.2. Historical function of all creations or deletions
        • 4.3.9.3. History function for all changes in user rights
  • 5. Overview of the GCenter graphic interfaces
    • 5.1. Overview of the configuration menu
    • 5.2. Overview of the WEB UI
      • 5.2.1. Navigation bar
      • 5.2.2. Title bar
      • 5.2.3. Central screen
    • 5.3. Overview of the Kibana GUI
      • 5.3.1. Overview of the Kibana GUI: presentation
      • 5.3.2. Configuration of the Kibana GUI
      • 5.3.3. Main tabs
      • 5.3.4. Native dashboards of the `Alerts` tab
      • 5.3.5. Native dashboards of the `Network Metadata` tab
      • 5.3.6. Native dashboards of the `Administration` tab
      • 5.3.7. Data exploitation
    • 5.4. Overview of the traditional WEB UI (legacy WEB UI)
      • 5.4.1. Presentation of the legacy WEB UI
      • 5.4.2. Description of the legacy WEB UI
        • 5.4.2.1. Navigation bar of the legacy WEB UI
    • 5.5. Overview of the Netdata User Interface (Gstats)
    • 5.6. Overview of graphical interfaces via the web browser
      • 5.6.1. Web UI `Home` screen
        • 5.6.1.1. `Home` screen dashboard selector
        • 5.6.1.2. `Main` screen display area
          • 5.6.1.2.1. Threat level
        • 5.6.1.3. `Home` screen message area
          • 5.6.1.3.1. MITRE Icons
      • 5.6.2. Web UI `Top risk` screen
        • 5.6.2.1. `RISK TIMELINE` zone
        • 5.6.2.2. `ASSETS` zone
        • 5.6.2.3. `ASSETS RISK` zone
        • 5.6.2.4. `STATS` zone
        • 5.6.2.5. `USERS RISK` zone
      • 5.6.3. Web UI `Top Relations` screen
      • 5.6.4. Web UI `Overview` screen
        • 5.6.4.1. `Overview` screen: dashboard selector
        • 5.6.4.2. `Overview` screen alerts list display area
        • 5.6.4.3. `DETECTIONS BY MITRE TACTIC` zone of the `Overview` screen
        • 5.6.4.4. `DETECTIONS BY ENGINE TYPE` zone of the `Overview` screen
        • 5.6.4.5. `ALERTS TYPE RISK RANKING` zone of the `Overview` screen
      • 5.6.5. Web UI `Relations` screen
      • 5.6.6. Web UI `Alerts`
        • 5.6.6.1. Introduction
        • 5.6.6.2. Links associated
        • 5.6.6.3. Screen description
          • 5.6.6.3.1. `Alerts` screen dashboard selector
          • 5.6.6.3.2. `Alerts` window with `Group by name` disabled
          • 5.6.6.3.3. `Alerts` window with `Group by name` enabled
          • 5.6.6.3.4. The sub menu `Actions`
            • 5.6.6.3.4.1. List of controls common to all engines
            • 5.6.6.3.4.2. Commands for a Beacon
            • 5.6.6.3.4.3. Commands for a DGA
            • 5.6.6.3.4.4. Commands for a malware detected by Malcore
            • 5.6.6.3.4.5. Commands for a malware detected by Malcore retroanalyzer
            • 5.6.6.3.4.6. Commands for a powershell
            • 5.6.6.3.4.7. Commands for a ransomware
            • 5.6.6.3.4.8. Commands for a shellcode
            • 5.6.6.3.4.9. Commands for a sigflow alert
          • 5.6.6.3.5. Alert details window
      • 5.6.7. Web UI `Hunting` screen
      • 5.6.8. Web UI `Users` screen
        • 5.6.8.1. Introduction
        • 5.6.8.2. Screen description
          • 5.6.8.2.1. `Users` screen dashboard selector
        • 5.6.8.3. User list display area
      • 5.6.9. Web UI `Assets` screen
        • 5.6.9.1. `Assets` screen dashboard selector
        • 5.6.9.2. Active equipment list display area
      • 5.6.10. Web UI `GScan` screen
      • 5.6.11. Menu of the current account name
        • 5.6.11.1. Overview of the current account management menu
        • 5.6.11.2. `Profile / Edit profile` screen
          • 5.6.11.2.1. Introduction
          • 5.6.11.2.2. Links associated
          • 5.6.11.2.3. Screen description
        • 5.6.11.3. `Profile / Edit Password` screen
          • 5.6.11.3.1. Introduction
          • 5.6.11.3.2. Links associated
          • 5.6.11.3.3. Screen description
    • 5.7. Overview of the menu bar screens of the WEB UI
      • 5.7.1. Overview of the menu bar
      • 5.7.2. `Detection Strategy` menu
        • 5.7.2.1. Overview of the `Detection strategy` menu
        • 5.7.2.2. `GCaps profiles` screen
          • 5.7.2.2.1. Introduction
          • 5.7.2.2.2. Links associated
          • 5.7.2.2.3. Screen description
          • 5.7.2.2.4. `Detection Rulesets` section of the `GCaps profiles` screen
            • 5.7.2.2.4.1. Single tenant part
              • 5.7.2.2.4.1.1. `Tenant details` window
            • 5.7.2.2.4.2. Multitenant by interface part
              • 5.7.2.2.4.2.1. `Add tenant` window
            • 5.7.2.2.4.3. Multitenant by VLAN part
              • 5.7.2.2.4.3.1. `Add tenant` window
          • 5.7.2.2.5. `Base variables` Section of the `GCaps profiles` screen
            • 5.7.2.2.5.1. `Stream analysis and file extraction` zone
              • 5.7.2.2.5.1.1. Description of `Stream analysis and file extraction` area
              • 5.7.2.2.5.1.2. Default configuration of the `Base variables`
            • 5.7.2.2.5.2. `HTTP Proxy` Zone
              • 5.7.2.2.5.2.1. Description of the `HTTP Proxy` zone
              • 5.7.2.2.5.2.2. Default configuration of the `HTTP Proxy` zone settings
            • 5.7.2.2.5.3. `Payload` zone
              • 5.7.2.2.5.3.1. Description of `Payload` zone
              • 5.7.2.2.5.3.2. Default configuration of `Payload` zone settings
            • 5.7.2.2.5.4. `Community ID` zone
              • 5.7.2.2.5.4.1. Description of the `Community ID` zone
              • 5.7.2.2.5.4.2. Default configuration of the `Community ID` zone settings
            • 5.7.2.2.5.5. `Alerting and logging` zone
              • 5.7.2.2.5.5.1. Description of the `Alerting and logging` zone
              • 5.7.2.2.5.5.2. Default settings for existing profiles available
          • 5.7.2.2.6. `Net variables` section of the `Config Gcaps profiles` menu
            • 5.7.2.2.6.1. Information on the `Net variables` section
            • 5.7.2.2.6.2. Description of the `Net variables` zone
              • 5.7.2.2.6.2.1. `Address` category in `Variables` mode
                • `Add address variable` window
              • 5.7.2.2.6.2.2. `Port` category in `Variables` mode
                • `Add port variable` window
          • 5.7.2.2.7. `Flow timeouts` section of the `GCaps profiles` menu
            • 5.7.2.2.7.1. Description of the `Flow timeouts` section
            • 5.7.2.2.7.2. Default configuration of the `Flow timeouts` section
          • 5.7.2.2.8. `File rules` section of the `GCaps profiles` screen
            • 5.7.2.2.8.1. Information on the `File rules` section
            • 5.7.2.2.8.2. Description of the `File rules management` section
              • 5.7.2.2.8.2.1. `Add file rule` window
              • 5.7.2.2.8.2.2. `Download config` file named 1_files-rules-config.csv
              • 5.7.2.2.8.2.3. Configuration file template
            • 5.7.2.2.8.3. Rules applied depending on the GCap profile used
          • 5.7.2.2.9. `Packet filters` section of the `Gcaps profiles` menu
            • 5.7.2.2.9.1. Information on the `Packet filters` section
            • 5.7.2.2.9.2. Description of the `Packet filters` section
              • 5.7.2.2.9.2.1. `Add a new filter` window
        • 5.7.2.3. `Metadata rate limiter` screen
          • 5.7.2.3.1. Introduction
          • 5.7.2.3.2. Links associated
          • 5.7.2.3.3. Screen description
        • 5.7.2.4. `Malcore` screen
          • 5.7.2.4.1. Introduction
          • 5.7.2.4.2. Links associated
          • 5.7.2.4.3. Screen description
            • 5.7.2.4.3.1. `Settings` area of the `Malcore` screen
            • 5.7.2.4.3.2. `Ignore list` area of the `Malcore` screen
        • 5.7.2.5. `Malcore retroanalyzer` screen
          • 5.7.2.5.1. Introduction
          • 5.7.2.5.2. Links associated
          • 5.7.2.5.3. Screen description
        • 5.7.2.6. `Yara engine` screen
          • 5.7.2.6.1. Introduction
          • 5.7.2.6.2. Links associated
          • 5.7.2.6.3. Screen description
        • 5.7.2.7. `Malicious powershell detect` screen
          • 5.7.2.7.1. Introduction
          • 5.7.2.7.2. Links associated
          • 5.7.2.7.3. Screen description
        • 5.7.2.8. `Shellcode detect` screen
          • 5.7.2.8.1. Introduction
          • 5.7.2.8.2. Links associated
          • 5.7.2.8.3. Screen description
        • 5.7.2.9. `Sources` screen
          • 5.7.2.9.1. Introduction
          • 5.7.2.9.2. Links associated
          • 5.7.2.9.3. Screen description
        • 5.7.2.10. `Rulesets` screen
          • 5.7.2.10.1. Introduction
          • 5.7.2.10.2. Links associated
          • 5.7.2.10.3. Screen description
        • 5.7.2.11. `Auto-threshold` screen
          • 5.7.2.11.1. Introduction
          • 5.7.2.11.2. Links associated
          • 5.7.2.11.3. Screen description
          • 5.7.2.11.4. Setting Low
          • 5.7.2.11.5. Setting Medium
          • 5.7.2.11.6. Setting High
          • 5.7.2.11.7. Cursor part of pre-existing and editable profiles
        • 5.7.2.12. `Active CTI` screen
          • 5.7.2.12.1. Introduction
          • 5.7.2.12.2. Links associated
          • 5.7.2.12.3. Screen description
        • 5.7.2.13. `Retro Hunt` screen
          • 5.7.2.13.1. Introduction
          • 5.7.2.13.2. Links associated
          • 5.7.2.13.3. Screen description
        • 5.7.2.14. `Ransomware detect` screen
          • 5.7.2.14.1. Introduction
          • 5.7.2.14.2. Links associated
          • 5.7.2.14.3. Screen description
          • 5.7.2.14.4. Part `Settings` of the screen `Ransomware detect`
          • 5.7.2.14.5. Part `Investigation` of the screen `Ransomware detect`
          • 5.7.2.14.6. Part `Ignore list` of the screen `Ransomware detect`
        • 5.7.2.15. `Association rules` screen
          • 5.7.2.15.1. Introduction
          • 5.7.2.15.2. Links associated
          • 5.7.2.15.3. Screen description
          • 5.7.2.15.4. `Asset detection network range` section of the `Assets/Users Association rules` screen
          • 5.7.2.15.5. `Static IP- Asset mapping` section of the `Assets/Users Association rules` screen
          • 5.7.2.15.6. `Ignored IP for users association` section of the `Assets/Users Association rules` screen
          • 5.7.2.15.7. `Ignored MAC for assets association` section of the `Assets/Users Association rules` screen
          • 5.7.2.15.8. `Forbidden users` section on the `Assets/Users Association rules` screen
          • 5.7.2.15.9. `Forbidden assets` section on the `Assets/Users Association rules` screen
        • 5.7.2.16. `DGA` screen
          • 5.7.2.16.1. Introduction
          • 5.7.2.16.2. Links associated
          • 5.7.2.16.3. Screen Description
          • 5.7.2.16.4. `Settings` area of the `DGA` screen
          • 5.7.2.16.5. `Ignore list` area of the `DGA` screen
        • 5.7.2.17. `Beacon detect` screen
          • 5.7.2.17.1. Introduction
          • 5.7.2.17.2. Links associated
          • 5.7.2.17.3. Screen Description
          • 5.7.2.17.4. `Settings` area of the `Beacon detect` screen
            • 5.7.2.17.4.1. Filtered domains area
            • 5.7.2.17.4.2. Presets choices and the associated parameters
          • 5.7.2.17.5. `Ignore list` area of the `Beacon detect` screen
      • 5.7.3. `Health` menu
        • 5.7.3.1. Overview of the `Health` menu
        • 5.7.3.2. `Health checks` screen
          • 5.7.3.2.1. Introduction
          • 5.7.3.2.2. Links associated
          • 5.7.3.2.3. Screen description
          • 5.7.3.2.4. The `Components` window
            • 5.7.3.2.4.1. The `Malcore engine details` zone
            • 5.7.3.2.4.2. The `Malcore engine details` zone
            • 5.7.3.2.4.3. The `GCAP tunnels` zone
          • 5.7.3.2.5. The `Updates` window
            • 5.7.3.2.5.1. The `Updates events and traces` zone
            • 5.7.3.2.5.2. The `GCAP updates` zone
            • 5.7.3.2.5.3. The `IOC` zone
            • 5.7.3.2.5.4. The `Sigflow sources` zone
            • 5.7.3.2.5.5. The `Malcore engine` zone
            • 5.7.3.2.5.6. The `Other engines` zone
        • 5.7.3.3. `System Overview` screen of the Netdata User Interface (Gstats)
          • 5.7.3.3.1. Introduction
          • 5.7.3.3.2. Links associated
          • 5.7.3.3.3. Screen description
        • 5.7.3.4. The `System notifications`
          • 5.7.3.4.1. Introduction
          • 5.7.3.4.2. Links associated
          • 5.7.3.4.3. Part `System notifications` of the `Health` menu
          • 5.7.3.4.4. `System notifications` screen
          • 5.7.3.4.5. `Notification details` window
      • 5.7.4. `Administration` menu
        • 5.7.4.1. Overview of the `Administration` menu
        • 5.7.4.2. `Threat DB update` screen
          • 5.7.4.2.1. Introduction
          • 5.7.4.2.2. Links associated
          • 5.7.4.2.3. Screen description
            • 5.7.4.2.3.1. Screen `Manual Upload` of the `Threat DB update` screen
            • 5.7.4.2.3.2. Screen `Settings` of the `Threat DB update` screen
        • 5.7.4.3. `Software update` screen
          • 5.7.4.3.1. Introduction
          • 5.7.4.3.2. Links associated
          • 5.7.4.3.3. Screen description
        • 5.7.4.4. `History` screen
          • 5.7.4.4.1. Introduction
          • 5.7.4.4.2. Links associated
          • 5.7.4.4.3. Screen description
        • 5.7.4.5. `Users management` screen
          • 5.7.4.5.1. Introduction
          • 5.7.4.5.2. Links associated
          • 5.7.4.5.3. Screen description
          • 5.7.4.5.4. `Add an user` screen
          • 5.7.4.5.5. `Edit` screen
        • 5.7.4.6. `LDAP binding` screen
          • 5.7.4.6.1. Introduction
          • 5.7.4.6.2. Links associated
          • 5.7.4.6.3. Screen description
            • 5.7.4.6.3.1. `LDAP authentication settings` area
            • 5.7.4.6.3.2. `LDAP server binding settings` area
            • 5.7.4.6.3.3. `LDAP users and groups mapping` zone
            • 5.7.4.6.3.4. `LDAP advanced settings` area
        • 5.7.4.7. `API keys` screen
          • 5.7.4.7.1. Introduction
          • 5.7.4.7.2. Links associated
          • 5.7.4.7.3. Screen description
          • 5.7.4.7.4. `Add an API access key` screen
        • 5.7.4.8. `Password policy` screen
          • 5.7.4.8.1. Introduction
          • 5.7.4.8.2. Links associated
          • 5.7.4.8.3. Screen description
        • 5.7.4.9. `MISP settings` screen
          • 5.7.4.9.1. Introduction
          • 5.7.4.9.2. Links associated
          • 5.7.4.9.3. Screen description
        • 5.7.4.10. `GCaps Pairing` screen
          • 5.7.4.10.1. Introduction
          • 5.7.4.10.2. Links associated
          • 5.7.4.10.3. Screen description
            • 5.7.4.10.3.1. `Pairing a new GCap` screen
              • 5.7.4.10.3.1.1. `Pairing a new Gcap` screen in `Expert mode`
        • 5.7.4.11. `License` screen
          • 5.7.4.11.1. Introduction
          • 5.7.4.11.2. Links associated
          • 5.7.4.11.3. Screen description
            • 5.7.4.11.3.1. Engine per license name
            • 5.7.4.11.3.2. LastInfosec option
            • 5.7.4.11.3.3. AionBytes option
        • 5.7.4.12. `Global settings` screen
          • 5.7.4.12.1. Introduction
          • 5.7.4.12.2. Links associated
          • 5.7.4.12.3. Screen description
        • 5.7.4.13. `System logs` screen
          • 5.7.4.13.1. Introduction
          • 5.7.4.13.2. Links associated
        • 5.7.4.14. `Diagnostics` screen
          • 5.7.4.14.1. Introduction
          • 5.7.4.14.2. Links associated
          • 5.7.4.14.3. Screen description
        • 5.7.4.15. `Configuration` screen
          • 5.7.4.15.1. Introduction
          • 5.7.4.15.2. Links associated
          • 5.7.4.15.3. Screen description
          • 5.7.4.15.4. `General settings` section
          • 5.7.4.15.5. `Remote settings` setting in `Local` version
          • 5.7.4.15.6. `Remote settings` section in `FTP` version
          • 5.7.4.15.7. `Remote settings` section in `SCP` version
        • 5.7.4.16. `Backup operations` screen
          • 5.7.4.16.1. Introduction
          • 5.7.4.16.2. Links associated
          • 5.7.4.16.3. Screen description
          • 5.7.4.16.4. `Backup list` section
          • 5.7.4.16.5. `Make a backup` section
          • 5.7.4.16.6. `Restore operations` section
          • 5.7.4.16.7. `Scheduled backup` section
        • 5.7.4.17. `Retention policy` screen
          • 5.7.4.17.1. Introduction
          • 5.7.4.17.2. Links associated
          • 5.7.4.17.3. Screen description
        • 5.7.4.18. `Data Management` screen
          • 5.7.4.18.1. Introduction
          • 5.7.4.18.2. Links associated
          • 5.7.4.18.3. Screen description
        • 5.7.4.19. `Data export` screen
          • 5.7.4.19.1. Introduction
          • 5.7.4.19.2. Links associated
          • 5.7.4.19.3. Screen description
        • 5.7.4.20. `Netdata Export Configuration` screen
          • 5.7.4.20.1. Introduction
          • 5.7.4.20.2. Links associated
          • 5.7.4.20.3. Screen description
            • 5.7.4.20.3.1. `GENERAL` area description
            • 5.7.4.20.3.2. `ENCRYPTION` area description
        • 5.7.4.21. `Netdata polling` screen
          • 5.7.4.21.1. Introduction
          • 5.7.4.21.2. Links associated
          • 5.7.4.21.3. Screen description
      • 5.7.5. `Help` menu
        • 5.7.5.1. Overview of the `Help` menu
        • 5.7.5.2. `Gatewatcher API` screen
          • 5.7.5.2.1. Introduction
          • 5.7.5.2.2. Links associated
          • 5.7.5.2.3. Screen description
            • 5.7.5.2.3.1. Detail for an endpoint
              • 5.7.5.2.3.1.1. Zone `Responses` if the `Try it out` button is not activated
                • Sample Output Template
                  • Example with default values
              • 5.7.5.2.3.1.2. Zone `Responses` if the `Try it out` button is activated
        • 5.7.5.3. `Online documentation` screen
          • 5.7.5.3.1. Introduction
          • 5.7.5.3.2. Links associated
          • 5.7.5.3.3. Screen description
        • 5.7.5.4. `Gatewatcher Customer Portal` site
          • 5.7.5.4.1. Introduction
          • 5.7.5.4.2. Screen description
        • 5.7.5.5. `Gatewatcher support` site
          • 5.7.5.5.1. Introduction
          • 5.7.5.5.2. Screen description
        • 5.7.5.6. `update.gatewatcher.com` site
          • 5.7.5.6.1. Introduction
          • 5.7.5.6.2. Screen description
    • 5.8. Graphical API
      • 5.8.1. Overview of the API interface
        • 5.8.1.1. Detail for an endpoint
          • 5.8.1.1.1. Zone `Responses` if the `Try it out` button is not activated
            • 5.8.1.1.1.1. Sample Output Template
          • 5.8.1.1.2. Example with default values
          • 5.8.1.1.3. Zone `Responses` if the `Try it out` button is activated
      • 5.8.2. Endpoints list
  • 6. Use case of the configuration menu: setup account
    • 6.1. Direct connection to the GCenter configuration menu with keyboard and monitor
      • 6.1.1. Introduction
      • 6.1.2. Preliminary operations
      • 6.1.3. Procedure to connect the monitor and keyboard
      • 6.1.4. Procedure to find out or change the iDRAC network settings via the BIOS
    • 6.2. Direct connection to the GCenter configuration menu in HTTP via iDRAC (DELL server)
      • 6.2.1. Introduction
      • 6.2.2. Preliminary operations
      • 6.2.3. Procedure
    • 6.3. Direct connection to the GCenter configuration menu via SSH through the iDRAC interface in serial port forwarding mode
      • 6.3.1. Introduction
      • 6.3.2. Preliminary operations
      • 6.3.3. Procedure on the remote PC running Linux
      • 6.3.4. Procedure on the remote PC running Windows
    • 6.4. Direct connection to the GCenter configuration menu via SSH
      • 6.4.1. Introduction
      • 6.4.2. Preliminary operations
      • 6.4.3. Procedure on the remote PC running Linux
      • 6.4.4. Procedure on the remote PC running Windows
    • 6.5. `About` command
      • 6.5.1. Introduction
      • 6.5.2. Prerequisites
      • 6.5.3. Preliminary operations
      • 6.5.4. Procedure
    • 6.6. `Tech Support` command
      • 6.6.1. Introduction
      • 6.6.2. Prerequisites
      • 6.6.3. Preliminary operations
      • 6.6.4. Procedure
    • 6.7. `Keyboard` command
      • 6.7.1. Introduction
      • 6.7.2. Prerequisites
      • 6.7.3. Preliminary operations
      • 6.7.4. Procedure
    • 6.8. `Authentication` command
      • 6.8.1. Introduction
      • 6.8.2. Prerequisites
      • 6.8.3. Preliminary operations
      • 6.8.4. Procedure to change the setup account password
        • 6.8.4.1. Procedure to modify the ssh keys
    • 6.9. `DateTime` command
      • 6.9.1. Introduction
        • 6.9.1.1. Prerequisites
        • 6.9.1.2. Preliminary operations
        • 6.9.1.3. Procedure
    • 6.10. `Network` command
      • 6.10.1. Introduction
      • 6.10.2. Prerequisites
      • 6.10.3. Preliminary operations
      • 6.10.4. Procedure to access the network interface configuration menu
      • 6.10.5. Procedure to configure the hostname
      • 6.10.6. Procedure to configure an interface
      • 6.10.7. Procedure to configure the DNS
      • 6.10.8. Procedure to configure the NTP
    • 6.11. `Arp Manager` command
      • 6.11.1. Introduction
      • 6.11.2. Prerequisites
      • 6.11.3. Preliminary operations
      • 6.11.4. Procedure to access the `Arp Manager` submenu
      • 6.11.5. Procedure A: Adding an ARP entry
      • 6.11.6. Procedure B: Deleting an ARP entry
      • 6.11.7. Procedure C: Clearing the ARP cache
    • 6.12. `Diagnose` command
      • 6.12.1. Introduction
      • 6.12.2. Prerequisites
      • 6.12.3. Preliminary operations
      • 6.12.4. Procedure
    • 6.13. `Gcenter Services Management` command
      • 6.13.1. Introduction
      • 6.13.2. Prerequisites
      • 6.13.3. Preliminary operations
      • 6.13.4. Procedure to access the `Gcenter Services Management` sub-menu
      • 6.13.5. Procedure A: Restarting an application
      • 6.13.6. Procedure B: Resetting a service
      • 6.13.7. Procedure C: Restarting a service
    • 6.14. `Elasticsearch storage mode` command
      • 6.14.1. Introduction
      • 6.14.2. Prerequisites
      • 6.14.3. Preliminary operations
      • 6.14.4. Procedure
    • 6.15. `LPM Mode` command
      • 6.15.1. Introduction
      • 6.15.2. Prerequisites
      • 6.15.3. Preliminary operations
      • 6.15.4. Procedure
    • 6.16. `Restart` command
      • 6.16.1. Introduction
      • 6.16.2. Prerequisites
      • 6.16.3. Preliminary operations
      • 6.16.4. Procedure
    • 6.17. `Shutdown` command
      • 6.17.1. Introduction
      • 6.17.2. Prerequisites
      • 6.17.3. Preliminary operations
      • 6.17.4. Procedure
    • 6.18. `Reset` command
      • 6.18.1. Introduction
      • 6.18.2. Prerequisites
      • 6.18.3. Preliminary operations
      • 6.18.4. Procedure
    • 6.19. `Exit` command
      • 6.19.1. Introduction
      • 6.19.2. Prerequisites
      • 6.19.3. Preliminary operations
      • 6.19.4. Procedure
  • 7. Use cases at the operator or analyst level
    • 7.1. Connection to the GCenter web interface via a web browser
      • 7.1.1. Introduction
      • 7.1.2. Prerequisites
      • 7.1.3. Preliminary operations
      • 7.1.4. Procedure
    • 7.2. Managing current user
      • 7.2.1. Changing the current account password
        • 7.2.1.1. Introduction
        • 7.2.1.2. Links associated
        • 7.2.1.3. Prerequisites
        • 7.2.1.4. Preliminary operations
        • 7.2.1.5. Procedure
      • 7.2.2. Changing some of the current user's information
        • 7.2.2.1. Introduction
        • 7.2.2.2. Links associated
        • 7.2.2.3. Prerequisites
        • 7.2.2.4. Preliminary operations
        • 7.2.2.5. Procedure
    • 7.3. Configuring the Sigflow engine
      • 7.3.1. Managing the Sigflow engine rule sources
        • 7.3.1.1. Introduction
        • 7.3.1.2. Links associated
        • 7.3.1.3. Prerequisites
        • 7.3.1.4. Preliminary operations
        • 7.3.1.5. Procedure to open the `Sources` window
        • 7.3.1.6. Procedure to view the existing sources
        • 7.3.1.7. Procedure to add a public source
        • 7.3.1.8. Procedure to add a custom source
        • 7.3.1.9. Procedure to delete a source
        • 7.3.1.10. Procedure to edit a source
        • 7.3.1.11. Procedure to update a source
      • 7.3.2. Managing a SIGFLOW engine ruleset
        • 7.3.2.1. Introduction
        • 7.3.2.2. Links associated
        • 7.3.2.3. Prerequisites
        • 7.3.2.4. Preliminary operations
        • 7.3.2.5. Procedure to open the `Rulesets` window
        • 7.3.2.6. Procedure to create a ruleset
        • 7.3.2.7. Procedure to display information about an existing ruleset
        • 7.3.2.8. Procedure to copy a ruleset
        • 7.3.2.9. Procedure to delete a ruleset
        • 7.3.2.10. Procedure to edit a ruleset
        • 7.3.2.11. Procedure to export a ruleset
        • 7.3.2.12. Procedure to update a ruleset
      • 7.3.3. Updating rules sources
        • 7.3.3.1. Introduction
        • 7.3.3.2. Links associated
        • 7.3.3.3. Prerequisites
        • 7.3.3.4. Preliminary operations
        • 7.3.3.5. Procedure to open the `Rulesets` window
        • 7.3.3.6. Procedure to update all sources defined in a ruleset
        • 7.3.3.7. Procedure to update all sources defined in the GCenter
      • 7.3.4. Modifying SIGFLOW engine rules
        • 7.3.4.1. Introduction
          • 7.3.4.1.1. Transform rule
            • 7.3.4.1.1.1. Concept
            • 7.3.4.1.1.2. Parameters
          • 7.3.4.1.2. Threshold rule
          • 7.3.4.1.3. Suppress rule
        • 7.3.4.2. Links associated
        • 7.3.4.3. Prerequisites
        • 7.3.4.4. Preliminary operations
        • 7.3.4.5. Procedure to open the `Rulesets` window
        • 7.3.4.6. Procedure to set up a transformation rule
        • 7.3.4.7. Procedure to disable a rule
        • 7.3.4.8. Procedure to enable a rule
        • 7.3.4.9. Procedure to set up a threshold rule
        • 7.3.4.10. Procedure to set up a suppress rule
      • 7.3.5. Creation of automatic alarm limits
        • 7.3.5.1. Introduction
          • 7.3.5.1.1. Removing or limiting the number of alerts
        • 7.3.5.2. Links associated
        • 7.3.5.3. Prerequisites
        • 7.3.5.4. Preliminary operations
        • 7.3.5.5. Procedure to access the `Auto-threshold` window
        • 7.3.5.6. Procedure to automatically create thresholds using the preset profile
        • 7.3.5.7. Procedure to automatically create thresholds using the custom profile
    • 7.4. Configuring GCaps using the `GCaps Profiles`
      • 7.4.1. Configuring the detection rulesets via a GCap profile
        • 7.4.1.1. Introduction
        • 7.4.1.2. Links associated
        • 7.4.1.3. Prerequisites
        • 7.4.1.4. Preliminary operations
        • 7.4.1.5. Procedure to open the `GCaps profiles` window
        • 7.4.1.6. Procedure to set up the `single-tenant`
        • 7.4.1.7. Procedure to set up the `Multi-tenant by interface`
        • 7.4.1.8. Procedure to set up the `Multi-tenant by VLAN`
      • 7.4.2. Configuring the Base variables parameters via the GCap profile
        • 7.4.2.1. Introduction
        • 7.4.2.2. Links associated
        • 7.4.2.3. Prerequisites
        • 7.4.2.4. Preliminary operations
        • 7.4.2.5. Procedure to open the `Base variables` window
        • 7.4.2.6. Procedure to change the reconstruction size of files
        • 7.4.2.7. Procedure to change the HTTP Proxy parameters
        • 7.4.2.8. Procedure to configure the fields present in the events
        • 7.4.2.9. Procedure to configure the `Community ID` parameters
        • 7.4.2.10. Procedure to configure the alerting and logging protocols
      • 7.4.3. Configuring the network variables parameters via the GCap profile
        • 7.4.3.1. Introduction
        • 7.4.3.2. Links associated
        • 7.4.3.3. Prerequisites
        • 7.4.3.4. Preliminary operations
        • 7.4.3.5. Procedure to open the `GCaps profiles` window
        • 7.4.3.6. Procedure to set up the network variables
      • 7.4.4. Configuring the flow timeouts via the GCap profile
        • 7.4.4.1. Introduction
        • 7.4.4.2. Links associated
        • 7.4.4.3. Prerequisites
        • 7.4.4.4. Preliminary operations
        • 7.4.4.5. Procedure to open the `GCaps profiles` window
        • 7.4.4.6. Procedure to set up the flow timeouts
      • 7.4.5. Configuring the file reconstruction rules via the GCap profile
        • 7.4.5.1. Introduction
        • 7.4.5.2. Links associated
        • 7.4.5.3. Prerequisites
        • 7.4.5.4. Preliminary operations
        • 7.4.5.5. Procedure to open the `File rules` window
        • 7.4.5.6. Procedure to set up the file reconstruction by using the GCenter WebUI
        • 7.4.5.7. Procedure to set up the file reconstruction by using the CSV editor
        • 7.4.5.8. Procedure to save the current configuration
        • 7.4.5.9. Procedure to load a saved configuration
        • 7.4.5.10. Procedure to add a rebuilding rule
      • 7.4.6. Configuring filters on targeted parts of the analyzed traffic via the GCap profile
        • 7.4.6.1. Introduction
        • 7.4.6.2. Links associated
        • 7.4.6.3. Prerequisites
        • 7.4.6.4. Preliminary operations
        • 7.4.6.5. Procedure to open the `Packet filters` window
        • 7.4.6.6. Procedure to set up the filter
        • 7.4.6.7. Procedure to configure the VLAN
    • 7.5. Analysing the engine alerts
      • 7.5.1. Analysing the Malcore alerts
        • 7.5.1.1. Introduction
          • 7.5.1.1.1. Management of the Malcore engine
          • 7.5.1.1.2. Events generated by the engine
          • 7.5.1.1.3. Essential information to understand the context of the alert
            • 7.5.1.1.3.1. What are the key fields of an alert and their meaning?
        • 7.5.1.2. Alert handling procedure
          • 7.5.1.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.1.2.2. How to categorize the threat based on the information collected?
          • 7.5.1.2.3. What answers are needed if the threat is confirmed?
          • 7.5.1.2.4. What if an alert from this engine is identified as a false positive?
      • 7.5.2. Analysing the Shellcode detect alerts
        • 7.5.2.1. Introduction
          • 7.5.2.1.1. Management of the Shellcode Detect engine
          • 7.5.2.1.2. Events generated by the engine
          • 7.5.2.1.3. Essential information to understand the context of the alert
            • 7.5.2.1.3.1. What are the key fields of an alert and their meaning?
        • 7.5.2.2. Alert handling procedure
          • 7.5.2.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.2.2.2. How to categorize the threat based on the information collected?
          • 7.5.2.2.3. What answers are needed if the threat is confirmed?
          • 7.5.2.2.4. What if an alert from this engine is identified as a false positive?
      • 7.5.3. Analysing the Malicious Powershell Detect alerts
        • 7.5.3.1. Introduction
          • 7.5.3.1.1. How does this particular engine detect threats?
          • 7.5.3.1.2. How does Malicious Powershell Detect engine work in the GCenter?
            • 7.5.3.1.2.1. Malicious Powershell Detect engine input data
          • 7.5.3.1.3. Management of the Malicious Powershell Detect engine
          • 7.5.3.1.4. Events generated by the engine
          • 7.5.3.1.5. Essential information to understand the context of the alert
            • 7.5.3.1.5.1. What are the key fields of an alert and their meaning?
        • 7.5.3.2. Alert handling procedure
          • 7.5.3.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.3.2.2. How to categorize the threat based on the information collected?
          • 7.5.3.2.3. What answers are needed if the threat is confirmed?
          • 7.5.3.2.4. What if an alert from this engine is identified as a false positive?
      • 7.5.4. Analysing the Sigflow alerts
        • 7.5.4.1. Introduction
          • 7.5.4.1.1. Management of the Sigflow engine
          • 7.5.4.1.2. Events generated by the engine
            • 7.5.4.1.2.1. Events of type "alert"
            • 7.5.4.1.2.2. Events of type "fileinfo"
            • 7.5.4.1.2.3. Events of type "metadata"
          • 7.5.4.1.3. Essential information to understand the context of the alert
            • 7.5.4.1.3.1. What are the key fields of an alert and their meaning?
        • 7.5.4.2. Alert handling procedure
          • 7.5.4.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.4.2.2. How to categorize the threat based on the information collected?
          • 7.5.4.2.3. What answers are needed if the threat is confirmed?
          • 7.5.4.2.4. What if an alert from this engine is identified as a false positive?
      • 7.5.5. Analysing the DGA detect alerts
        • 7.5.5.1. Introduction
          • 7.5.5.1.1. Management of the DGA Detect engine
          • 7.5.5.1.2. Events generated by the engine
          • 7.5.5.1.3. Essential information to understand the context of the alert
            • 7.5.5.1.3.1. What are the key fields of an alert and their meaning?
        • 7.5.5.2. Alert handling procedure
          • 7.5.5.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.5.2.2. How to categorize the threat based on the information collected?
          • 7.5.5.2.3. What answers are needed if the threat is confirmed?
          • 7.5.5.2.4. What if an alert from this engine is identified as a false positive?
      • 7.5.6. Analysing the Malcore retroanalyzer alerts
        • 7.5.6.1. Introduction
          • 7.5.6.1.1. Management of the Malcore retroanalyzer engine
          • 7.5.6.1.2. Events generated by the engine
          • 7.5.6.1.3. Essential information to understand the context of the alert
      • 7.5.7. Analysing the Active CTI alerts
        • 7.5.7.1. Introduction
          • 7.5.7.1.1. Management of the Active CTI engine
          • 7.5.7.1.2. Events generated by the engine
          • 7.5.7.1.3. Essential information to understand the context of the alert
            • 7.5.7.1.3.1. What are the key fields of an alert and their meaning?
        • 7.5.7.2. Alert handling procedure
          • 7.5.7.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.7.2.2. How to categorize the threat based on the information collected?
          • 7.5.7.2.3. What answers are needed if the threat is confirmed?
          • 7.5.7.2.4. What if an alert from this engine is identified as a false positive?
      • 7.5.8. Analysing the Retro hunt alerts
        • 7.5.8.1. Introduction
          • 7.5.8.1.1. Management of the Retro hunt engine
          • 7.5.8.1.2. Events generated by the engine
          • 7.5.8.1.3. Essential information to understand the context of the alert
            • 7.5.8.1.3.1. What are the key fields of an alert and their meaning?
        • 7.5.8.2. Alert handling procedure
          • 7.5.8.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
        • 7.5.8.3. Alert handling procedure
          • 7.5.8.3.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.8.3.2. How to categorize the threat based on the information collected?
          • 7.5.8.3.3. What answers are needed if the threat is confirmed?
          • 7.5.8.3.4. What answers are needed if the threat is confirmed?
          • 7.5.8.3.5. What if an alert from this engine is identified as a false positive?
      • 7.5.9. Analysing the Ransomware detect alerts
        • 7.5.9.1. Introduction
          • 7.5.9.1.1. Management of the Ransomware detect engine
          • 7.5.9.1.2. Events generated by the engine
          • 7.5.9.1.3. Essential information to understand the context of the alert
            • 7.5.9.1.3.1. What are the key fields of an alert and their meaning?
        • 7.5.9.2. Alert handling procedure
          • 7.5.9.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.9.2.2. How to categorize the threat based on the information collected?
          • 7.5.9.2.3. What answers are needed if the threat is confirmed?
          • 7.5.9.2.4. What if an alert from this engine is identified as a false positive?
      • 7.5.10. Analysing the Beacon Detect alerts
        • 7.5.10.1. Introduction
          • 7.5.10.1.1. Management of the Beacon Detect engine
          • 7.5.10.1.2. Events generated by the engine
          • 7.5.10.1.3. Essential information to understand the context of the alert
            • 7.5.10.1.3.1. What are the key fields of an alert and their meaning in the WebUI?
            • 7.5.10.1.3.2. What are the key fields of an alert and their meaning in Kibana?
        • 7.5.10.2. Alert handling procedure
          • 7.5.10.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.10.2.2. How to categorize the threat based on the information collected?
          • 7.5.10.2.3. What answers are needed if the threat is confirmed?
          • 7.5.10.2.4. What if an alert from this engine is identified as a false positive?
      • 7.5.11. Analysing the Yara alerts
        • 7.5.11.1. Introduction
          • 7.5.11.1.1. Management of the Yara engine
          • 7.5.11.1.2. Events generated by the engine
          • 7.5.11.1.3. Essential information to understand the context of the alert
            • 7.5.11.1.3.1. What are the key fields of an alert and their meaning?
        • 7.5.11.2. Alert handling procedure
          • 7.5.11.2.1. How do you verify the accuracy of an alert and determine if it represents a real threat?
          • 7.5.11.2.2. What answers are needed if the threat is confirmed?
    • 7.6. Using NDR dashboards
      • 7.6.1. Introduction
      • 7.6.2. Links associated
      • 7.6.3. Prerequisites
      • 7.6.4. Preliminary operations
      • 7.6.5. Procedure to retrieve information related to an alert
      • 7.6.6. Procedure to process the equipment
      • 7.6.7. Procedure to process the users
      • 7.6.8. Procedure to manage association rules
      • 7.6.9. Procedure to analyze the relationship between equipment and users
    • 7.7. Using the Kibana dashboards
      • 7.7.1. Introduction
      • 7.7.2. Links associated
      • 7.7.3. Prerequisites
      • 7.7.4. Preliminary operations
      • 7.7.5. Procedure introducing the Kibana investigation method
    • 7.8. Detecting with Gscan
      • 7.8.1. Introduction
      • 7.8.2. Links associated
      • 7.8.3. Prerequisites
      • 7.8.4. Preliminary operations
      • 7.8.5. Procedure
      • 7.8.6. Ex post facto search procedure
      • 7.8.7. Procedure to view the history
    • 7.9. Configuring Metadata Rate Limiters
      • 7.9.1. Introduction
      • 7.9.2. Links associated
      • 7.9.3. Prerequisites
      • 7.9.4. Preliminary operations
      • 7.9.5. Procedure to view metadata
      • 7.9.6. Procedure to set up the limiter and then activate it
    • 7.10. Logging out of the GCenter web interface
      • 7.10.1. Introduction
      • 7.10.2. Prerequisites
      • 7.10.3. Preliminary operations
      • 7.10.4. Procedure
  • 8. Use cases of the administrator level
    • 8.1. Connecting to the GCenter web interface via a web browser
      • 8.1.1. Introduction
      • 8.1.2. Prerequisites
      • 8.1.3. Preliminary operations
      • 8.1.4. Procedure
    • 8.2. Configuring the NDR
      • 8.2.1. Introduction
        • 8.2.1.1. The `Assets and users tracking` and `Relationship tracking` functions
        • 8.2.1.2. Elasticsearch retention period
      • 8.2.2. Prerequisites
      • 8.2.3. Preliminary operations
      • 8.2.4. Procedure to access the `Data Exports` window for an administrator account
      • 8.2.5. Procedure to enable the `Assets and users tracking` and `Relationship tracking` functions
      • 8.2.6. Procedure to disable the `Assets and users tracking` and `Relationship tracking` functions
      • 8.2.7. Procedure to configure the Elasticsearch retention time
    • 8.3. Administrating a GCap
      • 8.3.1. Pairing a GCap with the GCenter
        • 8.3.1.1. Introduction
        • 8.3.1.2. Links associated
        • 8.3.1.3. Prerequisites
        • 8.3.1.4. Preliminary operations
        • 8.3.1.5. Procedure to set the GCenter IP on the GCap
        • 8.3.1.6. Procedure to access the `GCaps pairing` window for an administrator account
        • 8.3.1.7. Procedure to set the compatibility mode on the GCap
        • 8.3.1.8. Procedure to declare the GCap in the GCenter
        • 8.3.1.9. Procedure to pair the GCap and the GCenter
      • 8.3.2. Pairing a GCap again
        • 8.3.2.1. Introduction
        • 8.3.2.2. Links associated
        • 8.3.2.3. Prerequisites
        • 8.3.2.4. Preliminary operations
        • 8.3.2.5. Procedure to access the `GCaps pairing` window for an administrator account
        • 8.3.2.6. Procedure
    • 8.4. Managing the GCenter backup and restoration
      • 8.4.1. Setting the backup
        • 8.4.1.1. Introduction
        • 8.4.1.2. Links associated
        • 8.4.1.3. Prerequisites
        • 8.4.1.4. Preliminary operations
        • 8.4.1.5. Procedure to access the `Backup Configuration` screen
        • 8.4.1.6. Procedure to enable backup scheduling
        • 8.4.1.7. Procedure to set up the backup
      • 8.4.2. Operating the backup
        • 8.4.2.1. Introduction
        • 8.4.2.2. Links associated
        • 8.4.2.3. Prerequisites
        • 8.4.2.4. Preliminary operations
        • 8.4.2.5. Procedure to operate a manual backup
      • 8.4.3. Operating the restoration
        • 8.4.3.1. Introduction
        • 8.4.3.2. Prerequisites
        • 8.4.3.3. Preliminary operations
        • 8.4.3.4. Procedure to access the restoration interface
        • 8.4.3.5. Procedure to follow the upgrade and hotfix paths
          • 8.4.3.5.1. Procedure to restore a backup to the same GCenter
          • 8.4.3.5.2. Procedure to restore a backup from the user PC
          • 8.4.3.5.3. Procedure to restore a backup to another blank GCenter
    • 8.5. Managing the GCenter software
      • 8.5.1. Configuring automatic update of signatures and/or anti-viral engines
        • 8.5.1.1. Introduction
        • 8.5.1.2. Links associated
        • 8.5.1.3. Prerequisites
        • 8.5.1.4. Preliminary operations
        • 8.5.1.5. Procedure to access the `Settings` screen
        • 8.5.1.6. Procedure to set up the Online mode
        • 8.5.1.7. Procedure to set up the Local mode
      • 8.5.2. Installing an update manually
        • 8.5.2.1. Introduction
        • 8.5.2.2. Links associated
        • 8.5.2.3. Prerequisites
        • 8.5.2.4. Preliminary operations
        • 8.5.2.5. Procedure
      • 8.5.3. Installing a hotfix
        • 8.5.3.1. Introduction
        • 8.5.3.2. Links associated
        • 8.5.3.3. Prerequisites
        • 8.5.3.4. Preliminary operations
        • 8.5.3.5. Procedure
      • 8.5.4. Installing an upgrade
        • 8.5.4.1. Introduction
        • 8.5.4.2. Links associated
        • 8.5.4.3. Prerequisites
        • 8.5.4.4. Preliminary operations
        • 8.5.4.5. Procedure to apply a GCenter upgrade
        • 8.5.4.6. Procedure to apply a GCap upgrade
    • 8.6. Managing user accounts
      • 8.6.1. Creating local users
        • 8.6.1.1. Introduction
        • 8.6.1.2. Links associated
        • 8.6.1.3. Prerequisites
        • 8.6.1.4. Preliminary operations
        • 8.6.1.5. Procedure to access the `Users management` screen
        • 8.6.1.6. Procedure to create a new user
      • 8.6.2. Changing some of a local user's information
        • 8.6.2.1. Introduction
        • 8.6.2.2. Links associated
        • 8.6.2.3. Prerequisites
        • 8.6.2.4. Preliminary operations
        • 8.6.2.5. Procedure to access the `Users management` window
        • 8.6.2.6. Procedure to change certain user information
      • 8.6.3. Resetting a local user's password
        • 8.6.3.1. Introduction
        • 8.6.3.2. Links associated
        • 8.6.3.3. Prerequisites
        • 8.6.3.4. Preliminary operations
        • 8.6.3.5. Procedure to access the `Users management` window
        • 8.6.3.6. Procedure to reset a user's password
      • 8.6.4. Deleting a local user
        • 8.6.4.1. Introduction
        • 8.6.4.2. Links associated
        • 8.6.4.3. Prerequisites
        • 8.6.4.4. Preliminary operations
        • 8.6.4.5. Procedure to access the `Users management` window
        • 8.6.4.6. Procedure to delete a local user
      • 8.6.5. Displaying the connection status between the GCenter and the LDAP server
        • 8.6.5.1. Introduction
        • 8.6.5.2. Links associated
        • 8.6.5.3. Prerequisites
        • 8.6.5.4. Preliminary operations
        • 8.6.5.5. Procedure to access the `LDAP configuration` window
        • 8.6.5.6. Procedure to view the status
      • 8.6.6. Enabling the connection between the GCenter and the LDAP server
        • 8.6.6.1. Introduction
        • 8.6.6.2. Links associated
        • 8.6.6.3. Prerequisites
        • 8.6.6.4. Preliminary operations
        • 8.6.6.5. Procedure to enable the LDAP functionality
      • 8.6.7. Configuring the connection between the GCenter and the LDAP server
        • 8.6.7.1. Introduction
        • 8.6.7.2. Links associated
        • 8.6.7.3. Prerequisites
        • 8.6.7.4. Preliminary operations
        • 8.6.7.5. Procedure to access the `LDAP configuration` area
        • 8.6.7.6. Procedure to enter the settings of the `LDAP server binding settings` area
        • 8.6.7.7. Procedure to enter the settings of the `LDAP advanced settings` area
        • 8.6.7.8. Procedure to finish the settings
      • 8.6.8. Configuring the users and groups defined on LDAP / ActiveDirectory
        • 8.6.8.1. Introduction
        • 8.6.8.2. Links associated
        • 8.6.8.3. Prerequisites
        • 8.6.8.4. Preliminary operations
        • 8.6.8.5. Procedure to access the `LDAP configuration` area
        • 8.6.8.6. Procedure to enter the settings of the `LDAP users and groups mapping` area
      • 8.6.9. Viewing the authentication history
        • 8.6.9.1. Introduction
        • 8.6.9.2. Links associated
        • 8.6.9.3. Prerequisites
        • 8.6.9.4. Preliminary operations
        • 8.6.9.5. Procedure to access the `History` window
        • 8.6.9.6. Procedure to explore history events in Kibana
      • 8.6.10. Managing an API access token
        • 8.6.10.1. Introduction
        • 8.6.10.2. Links associated
        • 8.6.10.3. Prerequisites
        • 8.6.10.4. Preliminary operations
        • 8.6.10.5. Procedure to access the `API keys` window
        • 8.6.10.6. Procedure to view the current API keys
        • 8.6.10.7. Procedure to add a new API key
        • 8.6.10.8. Procedure to delete an API key
      • 8.6.11. Managing the password policy
        • 8.6.11.1. Introduction
        • 8.6.11.2. Links associated
        • 8.6.11.3. Prerequisites
        • 8.6.11.4. Preliminary operations
        • 8.6.11.5. Procedure to access the `Password policy` window
        • 8.6.11.6. Procedure to enable the password expiration
        • 8.6.11.7. Procedure to enable the Password policy
        • 8.6.11.8. Procedure to activate the Password reuse
        • 8.6.11.9. Procedure to activate the Anti-bruteforce protection
    • 8.7. Configuring the detection engine
      • 8.7.1. Setting up the Malcore engine
        • 8.7.1.1. Introduction
        • 8.7.1.2. Links associated
        • 8.7.1.3. Prerequisites
        • 8.7.1.4. Preliminary operations
        • 8.7.1.5. Procedure to access the `Malcore` window
        • 8.7.1.6. Procedure to set up the analysis timeout
        • 8.7.1.7. Procedure to change the analysis limits
      • 8.7.2. Managing the `Ignore list` of the Malcore engine
        • 8.7.2.1. Introduction
        • 8.7.2.2. Links associated
        • 8.7.2.3. Prerequisites
        • 8.7.2.4. Preliminary operations
        • 8.7.2.5. Procedure to access the `Malcore` window
        • 8.7.2.6. Procedure to manage the Ignored files list based on SHA256
        • 8.7.2.7. Procedure to manage the Ignored files list based on filenames
      • 8.7.3. Setting up the Malcore retroanalyzer engine
        • 8.7.3.1. Introduction
        • 8.7.3.2. Links associated
        • 8.7.3.3. Prerequisites
        • 8.7.3.4. Preliminary operations
        • 8.7.3.5. Procedure to access the `Malcore retroanalyzer` window
        • 8.7.3.6. Procedure to enable the engine
        • 8.7.3.7. Procedure to disable the engine
      • 8.7.4. Setting up the Yara engine
        • 8.7.4.1. Introduction
        • 8.7.4.2. Links associated
        • 8.7.4.3. Prerequisites
        • 8.7.4.4. Preliminary operations
        • 8.7.4.5. Procedure to access the `YARA engine` window
        • 8.7.4.6. Procedure to enable the engine
        • 8.7.4.7. Procedure to manage the current ruleset
        • 8.7.4.8. Procedure to disable the engine
      • 8.7.5. Setting up the Dga detect engine
        • 8.7.5.1. Introduction
        • 8.7.5.2. Links associated
        • 8.7.5.3. Prerequisites
        • 8.7.5.4. Preliminary operations
        • 8.7.5.5. Procedure to access the `Dga` window
        • 8.7.5.6. Procedure to enable the engine
        • 8.7.5.7. Procedure to set the engine sensitivity
        • 8.7.5.8. Procedure to disable the engine
      • 8.7.6. Managing the `Ignore list` of the Dga detect engine
        • 8.7.6.1. Introduction
        • 8.7.6.2. Links associated
        • 8.7.6.3. Prerequisites
        • 8.7.6.4. Preliminary operations
        • 8.7.6.5. Procedure to access the `Domain Name Generation (DGA) Detection Management` window
        • 8.7.6.6. Procedure to add an item to the `Ignore list`
        • 8.7.6.7. Procedure to delete an item from the `Ignore list`
      • 8.7.7. Setting up the Malicious Powershell detect engine
        • 8.7.7.1. Introduction
        • 8.7.7.2. Links associated
        • 8.7.7.3. Prerequisites
        • 8.7.7.4. Preliminary operations
        • 8.7.7.5. Procedure to access the `Malicious powershell detect` window
        • 8.7.7.6. Procedure to enable the engine
        • 8.7.7.7. Procedure to disable the engine
      • 8.7.8. Setting up the Shellcode detect engine
        • 8.7.8.1. Introduction
        • 8.7.8.2. Links associated
        • 8.7.8.3. Prerequisites
        • 8.7.8.4. Preliminary operations
        • 8.7.8.5. Procedure to access the `Shellcode detect` window
        • 8.7.8.6. Procedure to enable the engine
        • 8.7.8.7. Procedure to disable the engine
      • 8.7.9. Setting up the Active CTI engine
        • 8.7.9.1. Introduction
        • 8.7.9.2. Links associated
        • 8.7.9.3. Prerequisites
        • 8.7.9.4. Preliminary operations
        • 8.7.9.5. Procedure to access the `Active CTI` window
        • 8.7.9.6. Procedure to enable the engine
        • 8.7.9.7. Procedure to setup the IOC retention duration
        • 8.7.9.8. Procedure to disable the engine
      • 8.7.10. Setting up the retro hunt engine
        • 8.7.10.1. Introduction
        • 8.7.10.2. Links associated
        • 8.7.10.3. Prerequisites
        • 8.7.10.4. Preliminary operations
        • 8.7.10.5. Procedure to access the `Retro Hunt` window
        • 8.7.10.6. Procedure to enable the engine
        • 8.7.10.7. Procedure to disable the engine
      • 8.7.11. Setting up the Ransomware detect engine
        • 8.7.11.1. Introduction
        • 8.7.11.2. Links associated
        • 8.7.11.3. Prerequisites
        • 8.7.11.4. Preliminary operations
        • 8.7.11.5. Procedure to access the `Ransomware detect` window
        • 8.7.11.6. Procedure to enable the engine
        • 8.7.11.7. Procedure to disable the engine
      • 8.7.12. Managing the `Ignore list` of the Ransomware detect engine
        • 8.7.12.1. Introduction
        • 8.7.12.2. Links associated
        • 8.7.12.3. Prerequisites
        • 8.7.12.4. Preliminary operations
        • 8.7.12.5. Procedure to access the `Ransomware detect` window
        • 8.7.12.6. Procedure to manage the `Ignore list`
      • 8.7.13. Setting up the beacon detect engine
        • 8.7.13.1. Introduction
        • 8.7.13.2. Links associated
        • 8.7.13.3. Prerequisites
        • 8.7.13.4. Preliminary operations
        • 8.7.13.5. Procedure to access the `Beacon detect` window
        • 8.7.13.6. Procedure to enable the engine
        • 8.7.13.7. Procedure to disable the engine
      • 8.7.14. Managing the `Ignore list` of the Beacon detect engine
        • 8.7.14.1. Introduction
        • 8.7.14.2. Links associated
        • 8.7.14.3. Prerequisites
        • 8.7.14.4. Preliminary operations
        • 8.7.14.5. Procedure to access the `Beacon detect` window
        • 8.7.14.6. Procedure to manage the `Ignore list`
    • 8.8. GCenter Configuration Management
      • 8.8.1. Licence amendment
        • 8.8.1.1. Introduction
        • 8.8.1.2. Links associated
        • 8.8.1.3. Prerequisites
        • 8.8.1.4. Preliminary operations
        • 8.8.1.5. Procedure to access the `License` screen
        • 8.8.1.6. Procedure to enter a new licence
        • 8.8.1.7. Procedure to enter a new CTI licence
    • 8.9. Managing current user
      • 8.9.1. Changing the current account password
        • 8.9.1.1. Introduction
        • 8.9.1.2. Links associated
        • 8.9.1.3. Prerequisites
        • 8.9.1.4. Preliminary operations
        • 8.9.1.5. Procedure
      • 8.9.2. Changing some of the current user's information
        • 8.9.2.1. Introduction
        • 8.9.2.2. Links associated
        • 8.9.2.3. Prerequisites
        • 8.9.2.4. Preliminary operations
        • 8.9.2.5. Procedure
    • 8.10. Logging out of the GCenter web interface
      • 8.10.1. Introduction
      • 8.10.2. Prerequisites
      • 8.10.3. Preliminary operations
      • 8.10.4. Procedure
  • 9. Appendices
    • 9.1. Military Programming Law (MPL)
      • 9.1.1. Regulatory reminders
      • 9.1.2. Goal Reminders
      • 9.1.3. Reminders of requirements
      • 9.1.4. MPL applied to GCenter
        • 9.1.4.1. Automatic actions
          • 9.1.4.1.1. USB Port
        • 9.1.4.2. Manual actions
          • 9.1.4.2.1. No connection between GCenter and an LDAP
          • 9.1.4.2.2. Deactivation of remote control console interface
          • 9.1.4.2.3. Network interface separation
          • 9.1.4.2.4. Update in "Offline" mode
            • 9.1.4.2.4.1. Certificate integration
      • 9.1.5. Groups
        • 9.1.5.1. Mission of a member of the operator group
        • 9.1.5.2. Mission of a member of the administrator group
    • 9.2. Engine log data structure
      • 9.2.1. Counters of the header part of logs
      • 9.2.2. Counters of the source part of logs
        • 9.2.2.1. dga category
        • 9.2.2.2. destination category
        • 9.2.2.3. ecs category
        • 9.2.2.4. event category
        • 9.2.2.5. file category
        • 9.2.2.6. flow category
        • 9.2.2.7. HTTP category
        • 9.2.2.8. ioc category
        • 9.2.2.9. malcore category
        • 9.2.2.10. malcore_retroanalyzer category
        • 9.2.2.11. malicious_powershell category
        • 9.2.2.12. matched_event category
        • 9.2.2.13. metadata category
        • 9.2.2.14. network category
        • 9.2.2.15. observer category
        • 9.2.2.16. shellcode category
        • 9.2.2.17. sigflow category
        • 9.2.2.18. source category
        • 9.2.2.19. @timestamp category
        • 9.2.2.20. @version category
        • 9.2.2.21. url category
        • 9.2.2.22. user_agent category
        • 9.2.2.23. DNS events
        • 9.2.2.24. HTTP2 events
        • 9.2.2.25. TLS events
        • 9.2.2.26. SMTP events
        • 9.2.2.27. SMB events
        • 9.2.2.28. NFS events
        • 9.2.2.29. FTP events
        • 9.2.2.30. TFTP events
        • 9.2.2.31. SSH events
        • 9.2.2.32. krb5 events
        • 9.2.2.33. DHCP events
        • 9.2.2.34. SNMP events
        • 9.2.2.35. RDP events
        • 9.2.2.36. RFB events
        • 9.2.2.37. IKEV2 events
        • 9.2.2.38. SIP events
        • 9.2.2.39. DNP3 events
        • 9.2.2.40. DCERPC events
        • 9.2.2.41. MQTT events
        • 9.2.2.42. ransomware events
        • 9.2.2.43. beacon events
        • 9.2.2.44. nba events
        • 9.2.2.45. tcp events
        • 9.2.2.46. ether events
      • 9.2.3. Malcore engine results
  • 10. Glossary
  • Index

7. Use cases at the operator or analyst level

  • 7.1. Connection to the GCenter web interface via a web browser
  • 7.2. Managing current user
  • 7.3. Configuring the Sigflow engine
  • 7.4. Configuring GCaps using the `GCaps Profiles`
  • 7.5. Analysing the engine alerts
  • 7.6. Using the NDR dashboards
  • 7.7. Using the Kibana dashboards
  • 7.8. Detecting with Gscan
  • 7.9. Configuring Metadata Rate Limiters
  • 7.10. Logging out of the GCenter web interface

© Copyright December 2024, Gatewatcher.