Introduction to Events

Events are the backbone of your cybersecurity operation. Events record everything taking place in your infrastructure. F5 Distributed Cloud App Infrastructure Protection (AIP) ingests events and assists you in creating a baseline normal, everyday activity. If an event deviates from the baseline, then a rule triggers an alert to tell you about potentially malicious activity. Events, therefore, are critical to protecting your infrastructure.

What Is an Event?

Events are individual actions that take place within your infrastructure. Events contain metadata related to the action, such as an event identification (ID), the date and time the event took place, and the action taken – for example, command or exe. See Overview: Events Feature for a specific list of the types of events that Distributed Cloud AIP ingests.

You apply rules to events as they enter your Distributed Cloud AIP environment. If the metadata in the event matches an applied rule, then an alert triggers. Distributed Cloud AIP ties the event to the alert, which makes it easier to identify the source of potentially anomalous behavior in your infrastructure.

Where Do I Find Events in the Distributed Cloud AIP Application?

Events display on the Events tab on the left navigation pane.

events-tab.png

Why Do I See Events in Distributed Cloud AIP?

The events you see in Distributed Cloud AIP record actions that take place in your infrastructure. The amount of time that Distributed Cloud AIP retains an event depends on if it is a raw or contributing event.

  • Raw events – All events ingested by Distributed Cloud AIP. Distributed Cloud AIP retains raw events according to your company’s retention policy – a period of one to three days.
  • Contributing events – Events that trigger alerts. Distributed Cloud AIP retains contributing events for one calendar year from the date of the triggered alert.

Related Articles

Was this article helpful?
0 out of 0 found this helpful