Versions Compared

Old Version 13

changes.mady.by.user Gary Leicht

Saved on

compared with

New Version Current

changes.mady.by.user Gary Leicht

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • query=domain.*AND device=52.123*
  • device=office1.domain OR device=office2.domain.com
  • dns_view=example-view AND query_type=A

(source=‘BloxOne ‘infoblox Endpoint’ OR source=“example 1”) AND device=52.123*

...

Filtering the Security Events Tab

To filter Security Events by specific criteria, select the applicable objects from the following drop-down menus located below the top action menu. The default search query limit for searches is 10, with the exceptions of 100 search queries for Feeds and Source:objects returned in each drop-down are limited to a maximum of 10 returned records, with the exception of the FeedSourcePolicy, and Class filters which are limited to a maximum of 100 returned records.

  • Action: The configured action for the security rule. This can be Allow, Redirect, Block, or Log.Log (limited to a maximum of 10 returned records).
  • Confidence: The threat confidence score assigned to an indicator. The confidence level can be High, Medium, or Low..Low (limited to a maximum of 10 returned records).
  • Feed: The list of threat feeds against which the malicious hit was triggered. (limited to a maximum of 100 returned records).
  • Class: The threat intelligence feeds, such as Phishing, MalwareC2DGA, and others..others (limited to a maximum of 10 100 returned records). 
  • Level: The threat level for the malicious hit. This can be High, MediumLow, or InfoNote: In some cases, a record may not contain all fields which will be represented as N/A on the user interface and NULL in the API results..results (limited to a maximum of 10 returned records). 
  • Policy: Active security policies..policies (limited to a maximum of 10 100 returned records).
  • Source: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. You can select which records to view by selecting or deselecting from among the options available.available (limited to a maximum of 100 returned records).

  • Show: Security and activity events can be filtered by choosing an option from the Show drop-down menu..(limited to a maximum of 10 returned records) 

    Note
    titleNote

    Depending on the availability of data records, not all filter options may be displayed.


...

  • DETECTED: The timestamp when the hit was detected.
  • THREAT LEVEL: The threat level for the malicious hit. This can be High, MediumLow, or InfoNote: In some cases, a record may not contain all fields which will be represented as N/A on the user interface and NULL in the API results. 
  • QUERY: Displays the domain that sent the DNS query. Clicking Image Removedthe view on Dossier icon associated with a record allows you to view the Dossier threat look-up record of a threat class or property for the selected record. On the Dossier threat look-up page, you can view the Dossier report details for additional information on the selected record. 
  • CLASS: The threat intelligence class, such as Phishing, MalwareC2DGA, and others.
  • PROPERTY: The property or nature of the threat. By default, the portal includes all threat properties.
  • POLICY: The security policy against which the malicious hit triggered.
  • ACTION: The configured action for the security rule. This can be Allow, Redirect, Block, or Log.
  • DEVICE NAME: The name or IP address of the device.
  • SOURCE: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. 
  • RESPONSE: The response taken by BloxOne Cloud Infoblox Platform for the malicious hit.
  • DNS VIEW: The DNS version data being served.
  • FEED: The name of the threat feed against which the malicious hit triggered.
  • QUERY TYPE: The DNS query type.
  • MAC ADDRESS: The detected MAC address of the device.
  • DHCP FINGERPRINT: The unique identifier that was formed by the values in the DHCP option 55 or 60. This identifier is used to identify the requesting client or device.
  • USER: The user that triggered the event. For remote offices, the portal displays Unknown for these users. If you have configured access authentication, this displays the authenticated user who triggered the event.
  • THREAT CONFIDENCE: A scoring system for malicious hits where confidence is rated High, Medium, Low.
  • DEVICE IP: The IPv4 or IPv6 address of the device responsible for the hit.
  • OS VERSION: The version of the device's operating system making the request.
  • INDICATOR: The policy source from which the indicator type being reported. The indicator can originate from an application or category filter, from a custom list, or from a feed.
  • RESPONSE REGION: The region within a country where the response originated based on information acquired from the public IP address of BloxOne of Infoblox Endpoint and DFP,
  • RESPONSE COUNTRY: The country where the response originated based on information acquired from the public IP address of BloxOne of Infoblox Endpoint and DFP,
  • DEVICE REGION: The region within a country where the response originated. 
  • DEVICE COUNTRY: The country where the device resides.
Note
titleNote

You can enable and disable custom fields by clicking on the icon located in the top, right-hand corner of the table, and selecting or deselecting which custom fields you want to view. All fields can be selected or deselected, or they can be returned to the default configuration by clicking Restore to default GRID setting.

Export Records

Click Export to download a CSV file of report records. The maximum number of exported Security Events report records is 50,000.