02-13-2018 06:32 AM
I am unable to find a reliable way to report on blocks that come from the Threat Analytics engine. The closest thing to seeing the individual blocks is the main Security Dashboard if I have "Threat Analytics Status for Grid". Within the Reporting engine, I cannot find a report or dashboard that shows when these blocks are happening.
Is this possible to do?
02-13-2018 09:18 PM
Have you already tried the DNS Top Tunneling Activity / DNS Tunneling Traffic by Category / Top Malware and DNS Tunneling Events by Client / DNS RPZ Hits Trend By Mitigation Action pre-defined reports to see if they fit your requirement? If yes, could you please specify what exact piece of data you are looking for which is missing from these reports?
02-14-2018 06:38 AM
Yes, I've tried all of those reports. They do not show any data, which makes me think I do not have something enabled within my Grid to get these reports. I have Security Data Indexing enabled within the reporting properties. Does "Security" need to be checked within the Grid DNS properties under the Logging tab as well to generate this data?
02-14-2018 02:28 PM
You don’t have to enable the ‘Security’ logging for DNS to get the ‘Security’ index data forwarded to the indexer, and it doesn’t make a difference either. If you have verified that the ‘Security’ category is enabled in the Grid reporting properties with an appropriate index % and the member is indeed receiving tunnelling/RPZ hits, I would expect these reports to be generated. Can you please check the following:
- Grid -> Reporting -> Select the DNS server in question -> Ensure that the ‘Security’ category is still enabled and that it is configured to forward data to the reporting server.
- Just to rule out the possibility of a general data forwarding issue from the forwarder to the indexer, can you check some other reports like ‘CPU Utilization Trend / Memory Utilization Trend’ (in case you are forwarding the ‘System Utilization’ category from this forwarder) for the recent date and ensure that they do have the latest set of data for this DNS server?
- If not, please start a traffic capture on this DNS server and the reporting server simultaneously to confirm bidirectional communication.
If the other report shows up as expected, but not the reports for ‘Security’ category, I would recommend filing a case with Infoblox support to investigate the issue by analysing your configuration/data.