The SOC Insight Report Events tab provides a comprehensive view of all security DNS events associated with an insight. It displays important information such as the threat level, threat confidence, date and time of detection, class, query, query type, user, device IP, threat family, policy, action, and source. Additionally, you can customize the table layout by selecting which data columns to display. The Events tab also allows you to search for specific events, filter events based on criteria such as threat level and query and export all insight events records in .csv format.
...
Copy Insight: Clickto copy the insight to the clipboard.
Edit insight: Click to change the status of an insight. nThe Insight Change Status window will appear. In the window, you can change the Insight status from Insight Open to Insight Close or Insight Close to Insight Open by toggling the status switch. Optionally, you can leave a comment in the text field at the time of the status change. Finally, you can read prior comments associated with the Insight. Click Save & Close to complete the Insight status change. Do note that the Save & Close button will not be accessible (it will be grayed out) until such time a status change has been made for the Insight.
Image: The Edit Insight window.
Click Share & Export to share a selected Insight within your organization. The Share Insight window will appear, allowing you to choose any or all information associated with an Insight. Raw logs can be downloaded in zip format while the Summary can be downloaded as a PDF by clicking Download.
Image: The Share Insight window.
Export: Click Export to export all insight events records in .csv format.
...
- Device Name: The name or identifier assigned to a specific device on a network. It helps in identifying and monitoring the activities of threat actors on the network. Insightful Reporting correlates data from multiple sources, such as remote domains, unique WHOIS data, IP addresses, domain registrars, and malware families, to detect patterns of malicious activity. By analyzing the device names associated with these activities, Insightful Reporting provides insights into potential targeted attacks and recommends actions to mitigate the threats.
- Property: The protected assets or users within a network that are being monitored for potential threats. Insightful Reporting helps customers identify and analyze threat actors and their activities on their networks, allowing them to detect patterns of malicious activity and mitigate potential threats related to malware and data exfiltration. The objective of Insightful Reporting is to provide customers with insights into targeted attacks and recommend actions to protect their networks.
- Response: The recommended actions provided to customers to mitigate potential threats detected on their networks. It helps customers understand and respond to targeted attacks, monitor for malware and data exfiltration, and identify common application patterns. The goal of the response is to provide insights into potential threats and suggest appropriate actions to block known and unknown malicious domains.
- DNS View: Provides a comprehensive view of all security DNS events associated with an insight. It displays important information such as the threat level, threat confidence, date and time of detection, class, query, query type, user, device IP, threat family, policy, action, and source. The DNS View allows users to customize the table layout by selecting which data columns to display, search for specific events, filter events based on criteria such as threat level and query.
- Feed: A list of domains, IP addresses, or URLs that is used to make policy decisions based on continually updated data. It is recommended to use specific threat feeds to maintain optimal security.
- Mac Address: Refers to the Media Access Control address. It is a unique identifier assigned to a network interface controller (NIC) for communication on a network. MAC addresses are used to identify and locate devices on a network. In Insightful Reporting, MAC addresses are associated with assets and can be used as a filtering criterion to analyze and monitor network activity.
- OS Version: Refers to the operating system and its version that is associated with the events and insights being analyzed. It helps in understanding the specific environment and potential vulnerabilities that may be exploited by threat actors.
- DHCP Fingerprint: A unique identifier used by BloxOne DDI to identify remote DHCP clients on a network. It is formed by incorporating information from DHCP options 55 and 60, which include option number sequences and vendor IDs. The combination of these parameters helps infer the operating system and device type of the remote client. DHCP fingerprinting is used to track devices on the network and perform system identification.
- Response Region: The geographical region from which the response to a DNS query originated. It provides information about the location of the server or network that responded to the query. The Response Region data column in the Events tab of Insightful Reporting displays the region associated with the response.
- Response Country: The country from which the response to a DNS query originated. It is a data column that provides information about the country associated with the response received for a specific event.
- Device Region: The geographical region where the device associated with a security DNS event is located. It provides information about the location of the device that generated the event.
- Device Country: The country where the device associated with a security DNS event is located. It is one of the data columns displayed in the Events table, providing information about the geographical location of the device involved in the event.
The table layout is customizable. You can select which data to display by placing a tic in the checkbox associated with a data column. Conversely, you can select a data column to not display by removing the tic from the checkbox associated with the column name.
Image: The Column Selection panel.
Search: Enter a search criterion in the Search text box. The Cloud Services Portal will show all records that match the criterion.
...
- Click
to refresh the page.
- Click Show to see all events for a specific time period. Select Show All, Last 24 hours, Last 7 days, or Last 30 days.
Image: The Show option list.
Filtering: Clickto open the filtering panel. In the filtering panel, the following filtering criteria:
- Threat Level: The level of certainty or trustworthiness assigned to a threat or security event. It is a measure of how confident the system is in the accuracy and reliability of the detected threat. By assigning a Threat Confidence score, Insightful Reporting can provide insights into the credibility and severity of potential threats, helping customers prioritize and take appropriate actions to mitigate them.
- Threat Confidence: The level of certainty or trustworthiness assigned to a threat or security event. It is a measure of how confident the system is in the accuracy and reliability of the detected threat. By assigning a Threat Confidence score, Insightful Reporting can provide insights into the credibility and severity of potential threats, helping customers prioritize and take appropriate actions to mitigate them.
- Query: Query is the domain for the particular event.
- Query Type: The type of DNS query made by a device on the network. It provides information about the specific type of DNS request, such as A (address) record, AAAA (IPv6 address) record, CNAME (canonical name) record, MX (mail exchange) record, etc. Query Type helps in analyzing and understanding the nature of the DNS traffic on the network and can be used to identify potential threats or suspicious activities.
- Device IP: The IP address associated with a protected asset or device that has been affected or associated with an Insight. It provides information about the IP address or addresses associated with the asset and the date range of the first observed detection and the most recent observed detection on the network.
- Source: The origin or originator of the threat or malicious activity detected on a network. It could be an individual, a group, or an organization that is responsible for the targeted attack or compromise. the given knowledge base is identified by correlating multiple communications with the same origin, such as IP addresses, unique WHOIS data, domain registrars, malware families, and more.
- Indicator: A DNS detection and response (DDR) that represents a domain or IP address seen in the resolution chain of a query from a device. It provides valuable information about the associated asset IP, user, and operating system. The Indicator Definition helps users understand the meaning and significance of the indicators displayed in the Insight Reporting interface. (Click the link in the indicator column associated with an indicator to view the Dossier Summary report for the indicator. Click the link in the indicator column associated with an indicator to view the Dossier Summary report for the indicator.
- Detected: The timestamp of the event indicating the date and time of detection.
Image: The Filtering panel.
Filtering can be performed using one or more filtering criteria. Multiple filters can be used simultaneously when filtering records.
You can also do the following on the page:
Background Tasks: Click
to open the side panel to view a list of all running background tasks. Search: Click
in the Search text box, then enter your search criterion. - Pagination Controls: At the bottom left, there are controls for navigating through different pages of insights, indicating that there is more data available beyond what is displayed on the current page. Click on the number of insight records to display on the page. The options include, 25, 50, or 100.
- Click <Back to Console of Insights to return to the Open Insights console.