After you set up a dedicated reporting appliance in your Grid, you must configure the Grid reporting properties so you can communicate with the reporting appliance and retrieve report data through the Grid Master. In addition, you must select the correct report categories in order for the reporting server to generate the correct data in corresponding reports, as described in Configuring Grid Reporting Properties below.
By default, only superusers can configure the Grid reporting properties. When you enable the Grid reporting service, all members transmit data to the reporting server. You can disable data transmission from specific members to the reporting server. Before using the reporting service, you must configure the remote server to export the search results, as described in Reporting (Index) Storage Space below. Once you configure the reporting server and enable the reporting service on Grid members, you can view and manage reports through the Reporting tab of Grid Manager.

Note

  • When you reset the appliance using the reset all CLI command or reset the database using the reset database CLI command, reporting configurations are not preserved. If you reset the appliance, you must configure Grid reporting properties and remote server settings to use the reporting service.

  • Expired cookies in a Splunk session are not removed in the Firefox browser by default. Expired cookies also cannot be reused. However, there is no impact on functionality.

Complete the following to set up your reporting solution:

...

Note

  • For the threat indicator caching feature to work on a Grid, the Grid must have at least one user with can delete permission set up on the Grid.

  • When you enable the threat indicator caching feature, you must configure the credentials for the Cloud Services Portal so that NIOS can interact with it. For more information, see Configuring Integration with BloxOne Threat Defense Cloud.

Limitations

Note the following limitations when you use the threat indicator caching feature:

  • Enabling the threat indicator caching feature results in higher network bandwidth usage and a reduction in reporting indexing capacity.

  • Enabling the threat indicator caching feature affects the performance of the Grid Master because Splunk consumes significant bandwidth to forward the entries to the indexers. Depending on the data size, it takes a few minutes for the entries to be forwarded and indexed completely.

  • If you enable the threat indicator caching feature and then revert or upgrade the Grid to a version that does not support the feature, the indexed threat indicator database data still occupies disk space even though it is not searchable in the upgraded or reverted Grid version.

  • The downloaded threat indicator database file becomes very large because of data retention in the following scenarios:

    • When you enable and disable the threat indicator caching feature a few times.

    • When you upgrade NIOS and then revert it to the prior version without disabling the threat indicator caching feature, and also when you upgrade NIOS again.

  • When the threat indicator caching feature is enabled, the threat details in the DNS Top RPZ Hits report do not show historic data. For more information about the DNS Top RPZ Hits report, see Security Dashboards.

  • For replication to work properly in cluster mode, Infoblox recommends that the appliance have 12 CPU cores and 12 GB of memory.

Configuring the Threat Indicator Caching Feature

...

  1. From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.

  2. In the Grid Reporting Properties editor, select the Threat Indicator Caching tab -> Basic tab.

    1. Enable Threat Indicator Caching: Select the checkbox to enable the feature. Enabling this feature downloads the threat indicator information from the Cloud Services Portal to the Grid Master, and then the threat indicator information is indexed on the reporting members.

      Note that selecting this option results in higher indexing license usage, network bandwidth, and storage.

  3. Complete the following:

    1. Splunk Threat Indicator Caching Index Storage: Specifies the disk storage allocated to the threat indicator caching feature. The minimum is 8 GB and the maximum is 42 GB; by default, 12 GB is allocated. The space you allocate here reduces the storage limit available to all other indexes. Set the storage based on the volume of data you expect to download from the Cloud Services Portal and on your indexing capacity. The Grid Master downloads the threat indicator data and periodically forwards it to the reporting server for indexing.
      In Infoblox lab testing, one full synchronization consumed ~600 to ~800 MB of indexing space and each incremental synchronization consumed ~60 MB of indexing space.

      Note that indexing space usage varies from day to day with the data generated by the Cloud Services Portal, so do not treat the numbers stated here as standard guidelines.

    2. Incremental Threat Indicator Caching Update Interval (in hours): Enter the interval, in hours, at which incremental threat indicator updates are downloaded from the Cloud Services Portal. For example, if you set the value to 2, the incremental threat indicator data is downloaded every two hours. Incremental downloads start only after the whole threat indicator database has been downloaded from the Cloud Services Portal.

    3. Last Incremental Threat Indicator Caching Download Timestamp: Displays the date and time of the last successful incremental threat database download.

    4. Update Policy: Select Automatic or Manual. You must select one of the following options to avoid excessive storage usage on Splunk.

      1. Automatic: Select this option to download the whole database automatically every seven days. By default, the value is set to seven days.

      2. Manual: Select this option to schedule the whole database download manually. For more information about the scheduler, see Scheduling Threat Indicator Caching below.

      3. Test Connection: Click Test Connection to test the connectivity between NIOS and the Cloud Services Portal. Then, enter the Cloud Services Portal credentials on the BloxOne Threat Defense Cloud Integration tab. For more information about configuring and enabling the BloxOne Threat Defense Cloud Client, see Configuring Integration with BloxOne Threat Defense Cloud and Configuring BloxOne Threat Defense Cloud Clients for Outbound, respectively.

    5. Last Whole Threat Indicator Caching Download Timestamp: Displays the date and time of the last successful whole threat indicator download.

    6. Scheduling: Select to schedule the whole threat indicator download. You can select Scheduling only if the Update Policy is selected as Manual.

    7. Last Threat Indicator Caching Failure Timestamp: Displays the date and time of the last attempt to download the threat indicators that failed after five iterations.
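The index storage, incremental interval and update policy settings above interact: a short incremental interval can consume the allocation far faster than the weekly whole-database download does. The following sizing check is an added example, not Infoblox code or part of this documentation. It takes the 8/42/12 GB bounds and the lab figures (~800 MB per full synchronization, ~60 MB per incremental) from the text as defaults, and it assumes, as a simplification of our own, that every synchronization's data stays indexed for the whole window with no purge; the page itself says the real figures vary daily, so treat the output as a planning aid rather than a guarantee.

```python
# Added example: rough index-storage sizing check for the Threat Indicator
# Caching settings. Defaults come from the documentation's stated bounds and
# lab figures; the "no purge within the window" assumption is ours.
from dataclasses import dataclass
from typing import Optional

MIN_ALLOCATION_GB = 8       # documented minimum index storage
MAX_ALLOCATION_GB = 42      # documented maximum
DEFAULT_ALLOCATION_GB = 12  # documented default
MB_PER_GB = 1024


@dataclass
class CachingPlan:
    """Settings from the Threat Indicator Caching tab plus the sizing figures."""
    allocation_gb: int = DEFAULT_ALLOCATION_GB
    incremental_interval_hours: int = 2   # the documentation's example value
    full_sync_every_days: int = 7         # Automatic policy: whole DB every 7 days
    full_sync_mb: float = 800.0           # upper end of the quoted lab figure
    incremental_mb: float = 60.0          # quoted lab figure per incremental sync


def validate_plan(plan: CachingPlan) -> None:
    """Reject values outside the documented bounds or otherwise meaningless."""
    if not MIN_ALLOCATION_GB <= plan.allocation_gb <= MAX_ALLOCATION_GB:
        raise ValueError(
            f"allocation must be {MIN_ALLOCATION_GB}-{MAX_ALLOCATION_GB} GB, "
            f"got {plan.allocation_gb}")
    if plan.incremental_interval_hours <= 0 or plan.full_sync_every_days <= 0:
        raise ValueError("intervals must be positive")


def estimate_usage_mb(plan: CachingPlan, days: int) -> float:
    """Indexing space consumed over `days`, assuming nothing is purged.

    One whole download happens when the feature is enabled, then one every
    full_sync_every_days. Incremental downloads run every
    incremental_interval_hours once the first whole download has completed.
    """
    validate_plan(plan)
    full_syncs = 1 + days // plan.full_sync_every_days
    incrementals = (days * 24) // plan.incremental_interval_hours
    return full_syncs * plan.full_sync_mb + incrementals * plan.incremental_mb


def check_plan(plan: CachingPlan, days: int) -> dict:
    """Compare the estimate for `days` against the configured allocation."""
    used_mb = estimate_usage_mb(plan, days)
    budget_mb = plan.allocation_gb * MB_PER_GB
    return {
        "estimated_mb": used_mb,
        "budget_mb": budget_mb,
        "headroom_mb": budget_mb - used_mb,
        "fits": used_mb <= budget_mb,
    }


def days_until_full(plan: CachingPlan, horizon_days: int = 3650) -> Optional[int]:
    """First day on which the estimate exceeds the allocation (None if never
    within the horizon). Useful for deciding whether the interval is too short."""
    budget_mb = plan.allocation_gb * MB_PER_GB
    for day in range(1, horizon_days + 1):
        if estimate_usage_mb(plan, day) > budget_mb:
            return day
    return None


if __name__ == "__main__":
    for interval in (2, 24):
        plan = CachingPlan(incremental_interval_hours=interval)
        result = check_plan(plan, days=30)
        print(f"interval={interval}h 30-day estimate={result['estimated_mb']:.0f} MB "
              f"budget={result['budget_mb']} MB fits={result['fits']} "
              f"full after day {days_until_full(plan)}")
```

With the defaults (12 GB, a 2-hour interval, weekly whole download) the estimate passes the allocation within about two weeks, while a 24-hour interval stays inside it for over two months; that is the trade-off the "higher indexing license usage, network bandwidth, and storage" note refers to, and it is why the Update Policy and interval should be chosen together with the storage figure.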

...