Community Blog

april-14.jpg

Top Security Report #6 - Threat Protection - Top Rules by Source

This blog discusses the report #6 in a series of seven top security reports that can help you defend against bad actors.

 

Here are the previous parts: part 1, part 2.

 

Infoblox Out-of-the-Box Report Threat Protection - Top Rules by Source

 

This report lists the top source IP addresses that trip each threat rule as identified through ADP threat intelligence.  For network teams, this report gives visibility to which devices on the network are doing bad things or impacting network performance, so you can take corrective action like shutting-off the port or removing the device from the network.  For security teams, it provides visibility when there is trouble on the network, so the admin can intervene with the system manager, initiate a virus scan, or pursue a variety of other actions.  It also enables admins to tune the threat rule thresholds for which traffic they want to allow or block.  A typical security use case is when an admin suspects that a client device is infected with malware, and they need to conduct a forensic investigation to determine what the malware is doing within the DNS infrastructure and determine the malware attack methodology and frequency.

 

Top Report #6: Threat Protection

Top Rules by Source

Service Area

Infrastructure Protection

Purpose

Lists the top source IPs hitting each threat rule

Primary User

Network & Security Admins

Importance

Identifies clients that are attacking the server the most & the rules they trigger, & enables admins to tune rule thresholds better

Use Case

A security admin knows a client is infected by malware, but to drill deeper into malware forensics, this report shows the malware attack methodologies and frequencies

Available

Out-of-the-box & requires Advanced Data Protection (ADP)

 

This report is accessed through the security dashboard and requires ADP.  It includes filters for time, top number of rules, a counter, members, source IP address, rule names, source port and viewing options by bar chart, table or both.  The report then displays the source IP, the number of logged events associated to that IP, the top security rules by name that were violated, and when they last tripped those rules.  This provides the visibility and forensic capability needed to identify bad actors, see what they’re doing, the security rules they’re breaking and the impacts they’ve had on the network, so the admin can modify the rules and take quick, corrective action.

 

security report 6.png

 

Here are the seven (7) security reports that can give you an edge over the bad actors.

Learn more:

  • Join the Infoblox Reporting & Analytics Technical Demo Series to continue the discussion in the free webinar on 7/17, 2018, 9A PDT, 12P EDT, 5P BST. Register
  • As an existing Infoblox DDI customer, you can deploy a virtual Infoblox Reporting & Analytics appliance free of charge — no strings attached. Download and try the Reporting & Analytics Free Tier today.

Showing results for 
Search instead for 
Do you mean