Alerts Explorer
ntopng alerts are:
- Evaluated with Behavioural Checks for pools of hosts, interfaces, SNMP devices, and other network elements
- Delivered to recipients using type- or severity-based criteria
Unlike signature-based tools, ntopng is a behaviour-based tool. Below you can read more about the available behavioural checks and how alerts are delivered to recipients.
Alerts triggered by ntopng are stored in a database (SQLite or ClickHouse) and can be visualized and managed using the built-in Alerts Explorer; they can also be delivered to external endpoints as described in DeliveringAlertsToRecipients.
Alerts are organized in the Alerts Explorer according to the entity (subject for which the alert has been generated), whose list includes Host, Interface, Network, Flow, etc. as described in Alerts.
Alerts can be either one-shot or have a duration, that is, they remain active for a certain period of time (the engaged state). This period starts when a condition is verified (e.g. a threshold is met) and ends when the condition is no longer verified (at which point the alert is moved to the past state). For this reason, such alerts are said to be engaged or past, depending on whether the triggering condition is still met or not. Alerts on flows are always one-shot.
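The following is an added example, not ntopng code, that models the lifecycle described above: a threshold check that engages an alert when a condition is first verified, releases it into the past state when the condition stops holding, and one-shot flow alerts that go straight to past. The check name, entity names and the sample measurements are constructed for illustration.

```python
"""Toy model of the ntopng alert lifecycle (engaged vs. past, one-shot flows).

Added example, not part of ntopng. Entity names, the check name and the
measurement series below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Alert:
    entity: str                 # e.g. "host:192.0.2.10" (constructed)
    check: str                  # name of the behavioural check that fired
    tstart: int                 # time the condition was first verified
    tend: Optional[int] = None  # None while engaged; set when released
    one_shot: bool = False      # flow alerts are always one-shot

    @property
    def state(self) -> str:
        """One-shot alerts are immediately past; others are engaged until released."""
        return "past" if self.one_shot or self.tend is not None else "engaged"

    @property
    def duration(self) -> Optional[int]:
        """Seconds the alert stayed engaged; None while still engaged."""
        return None if self.tend is None else self.tend - self.tstart


class AlertStore:
    """Keeps currently engaged alerts keyed by (entity, check), plus past alerts."""

    def __init__(self):
        self.engaged = {}
        self.past = []

    def trigger_one_shot(self, entity: str, check: str, now: int) -> Alert:
        alert = Alert(entity, check, tstart=now, tend=now, one_shot=True)
        self.past.append(alert)
        return alert

    def update(self, entity: str, check: str, condition_met: bool, now: int):
        """Engage on the first verified condition, release when it clears.
        Returns (transition, alert) where transition is 'engaged', 'released' or None."""
        key = (entity, check)
        current = self.engaged.get(key)
        if condition_met and current is None:
            current = Alert(entity, check, tstart=now)
            self.engaged[key] = current
            return "engaged", current
        if not condition_met and current is not None:
            current.tend = now
            self.past.append(self.engaged.pop(key))
            return "released", current
        return None, current          # no state change this round


def simulate() -> AlertStore:
    """Replay a constructed series of measurements and flow events through the store."""
    store = AlertStore()
    check = "bytes_per_sec_threshold"      # hypothetical check name
    threshold = 100
    # Constructed sample: (time, kind, entity, value); value is None for flow events
    events = [
        (0,   "host", "host:192.0.2.10", 10),
        (60,  "host", "host:192.0.2.10", 120),   # crosses threshold: engaged
        (100, "flow", "flow:192.0.2.10->198.51.100.5", None),  # one-shot
        (120, "host", "host:192.0.2.10", 130),   # still above: no transition
        (180, "host", "host:192.0.2.10", 40),    # drops below: released to past
        (240, "host", "host:192.0.2.10", 150),   # crosses again: new engaged alert
    ]
    for t, kind, entity, value in sorted(events):
        if kind == "flow":
            store.trigger_one_shot(entity, "flow_check", t)
        else:
            store.update(entity, check, value >= threshold, t)
    return store


if __name__ == "__main__":
    s = simulate()
    for a in list(s.engaged.values()) + s.past:
        print(a.state, a.entity, a.check, a.tstart, a.tend, a.duration)
```

The key point the model makes explicit is that an engaged alert is a single record whose end time is filled in later, so its duration is known only once it moves to past, whereas a flow alert is complete at the moment it is triggered.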