After you set up a dedicated reporting appliance in your Grid, you must configure the Grid reporting properties so you can communicate with the reporting appliance and retrieve report data through the Grid Master. In addition, you must select the correct report categories in order for the reporting server to generate the correct data in corresponding reports, as described in Configuring Grid Reporting Properties below.
By default, only superusers can configure the Grid reporting properties. When you enable the Grid reporting service, all members transmit data to the reporting server. You can disable data transmission from specific members to the reporting server. Before using the reporting service, you must configure the remote server to export the search results, as described in Reporting (Index) Storage Space below. Once you configure the reporting server and enable the reporting service on Grid members, you can view and manage reports through the Reporting tab of Grid Manager.

Note

  • When you reset the appliance using the reset all CLI command or reset the database using the reset database CLI command, reporting configurations are not preserved. After such a reset, you must configure the Grid reporting properties and the remote server settings again before you can use the reporting service.

  • Expired cookies in a Splunk session are not removed in the Firefox browser by default. Expired cookies also cannot be reused. However, there is no impact on functionality.

Complete the following to set up your reporting solution:

...

4. Save the configuration and click Restart if it appears at the top of the screen.

Caching Threat Category Information from the Infoblox Portal

The threat category information (the threat indicator database and the threat descriptions) is downloaded from the Infoblox Portal and stored locally. This information is then sent to the reporting server to augment RPZ hits before the reports are generated. Caching the threat category information from the Infoblox Portal improves the performance of threat reports, because the data is fetched from the locally stored cache.

You can configure the Infoblox Portal credentials and schedule the download of the entire threat indicator database from the Infoblox Portal. If you have already downloaded the entire threat indicator database, consecutive full downloads take place only after 24 hours.

Note

  • For the threat indicator caching feature to work on a Grid, the Grid must have at least one user with the can delete permission.

  • When you enable the threat indicator caching feature, you must configure the credentials that NIOS uses to access the Infoblox Portal. For more information, see Configuring Integration with Infoblox Threat Defense Cloud.

Limitations

...

  • Enabling the threat indicator caching feature results in higher usage of network bandwidth and reduction of the reporting indexing capacity.

  • Enabling the threat indicator caching feature impacts the performance of Grid Master as Splunk consumes significant bandwidth to forward the entries to indexers. It takes a few minutes for the entries to get forwarded and indexed completely based on the data size.

  • If you enable the threat indicator caching feature and then revert or upgrade the Grid to a version that does not support the feature, the indexed threat indicator database data still occupies disk space even though it is not searchable in the upgraded or reverted Grid version.

  • The size of the downloaded threat indicator database file will be huge due to data retention in the following scenarios:

    • When you enable and disable the threat indicator caching feature a few times.

    • When you upgrade NIOS, revert it to the prior version without disabling the threat indicator caching feature, and then upgrade NIOS again.

  • When the threat indicator caching feature is enabled, the threat details in the DNS Top RPZ Hits report do not show historic data. For more information about the DNS Top RPZ Hits report, see Security Dashboards.

  • For replication to work properly in cluster mode, Infoblox recommends that the appliance have a 12-core CPU and 12 GB of memory.

Configuring the Threat Indicator Caching Feature

...

  1. From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.

  2. In the Grid Reporting Properties editor, select the Threat Indicator Caching tab -> Basic tab.

    1. Enable Threat Indicator Caching: Select the checkbox to enable the feature. Enabling this feature downloads the threat indicator information from the Infoblox Portal to the Grid Master, after which the threat indicator information is indexed on the reporting members.

      Note that selecting this option results in higher indexing license usage, network bandwidth, and storage.

  3. Complete the following:

    1. Splunk Threat Indicator Caching Index Storage: Specifies the disk storage allocated to the threat indicator caching feature. The minimum is 8 GB and the maximum is 42 GB; by default, 12 GB is allocated. The disk space that you allocate here reduces the storage limit for all other indexes. Set the storage space based on the volume of data that you expect to download from the Infoblox Portal and on your indexing capacity. The Grid Master downloads the threat indicator data and periodically forwards it to the reporting server for indexing.
      In Infoblox lab testing, one full synchronization consumed roughly 600 to 800 MB of indexing space and each incremental synchronization consumed roughly 60 MB.

      Note that the indexing space usage varies from day to day with the data generated by the Infoblox Portal, so do not treat the numbers stated here as standard guidelines.

    2. Incremental Threat Indicator Caching Update Interval (in hours): Enter the interval, in hours, at which incremental threat indicator updates are downloaded from the Infoblox Portal. For example, if you set the value to 2, the incremental threat indicators are downloaded every two hours. Incremental downloads start only after the whole threat indicator database has been downloaded from the Infoblox Portal.

    3. Last Incremental Threat Indicator Caching Download Timestamp: Displays the date and time of the last successful incremental threat database download.

    4. Update Policy: Select Automatic or Manual. You must select one of these options to avoid excessive data storage usage on Splunk.

      1. Automatic: Select this option if you want to automatically download the whole database after every seven days. By default, the value is set to seven days.

      2. Manual: Select this option to schedule the whole database download manually. For more information about the scheduler, see Scheduling Threat Indicator Caching below.

      3. Test Connection: Click Test Connection to test the connectivity between NIOS and the Infoblox Portal. Before testing, enter the Infoblox Portal credentials on the Infoblox Threat Defense Cloud Integration tab. For more information about configuring and enabling the Infoblox Threat Defense Cloud client, see Configuring Integration with Infoblox Threat Defense Cloud and Configuring Infoblox Threat Defense Cloud Clients for Outbound, respectively.

    5. Last Whole Threat Indicator Caching Download Timestamp: Displays the date and time of the last successful whole threat indicator download.

    6. Scheduling: Select to schedule the whole threat indicator download. You can select Scheduling only if the Update Policy is selected as Manual.

    7. Last Threat Indicator Caching Failure Timestamp: Displays the date and time of the last attempt to download the threat indicators that failed after five iterations.
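The storage figures in step 3 can be turned into a rough capacity plan. The following is an added example written for this page, not Infoblox code: it validates the 8 to 42 GB allocation, estimates weekly index consumption from the lab numbers quoted above (one full synchronization plus the incremental downloads that fit into a seven-day Automatic cycle), and shows how the carve-out shrinks the budget of another report category. The assumption that the cache is subtracted from usable space before the category percentages apply is the author's, not a statement from the page.

```python
# Figures the page quotes from Infoblox lab testing (not a guarantee): one full
# synchronization ~600-800 MB of index space, each incremental ~60 MB.
FULL_SYNC_MB = (600, 800)
INCREMENTAL_MB = 60
MIN_STORAGE_GB, MAX_STORAGE_GB, DEFAULT_STORAGE_GB = 8, 42, 12


def validate_storage_gb(storage_gb):
    """Reject a Splunk Threat Indicator Caching Index Storage value outside 8-42 GB."""
    if not MIN_STORAGE_GB <= storage_gb <= MAX_STORAGE_GB:
        raise ValueError(f"storage must be {MIN_STORAGE_GB}-{MAX_STORAGE_GB} GB, got {storage_gb}")
    return storage_gb


def weekly_index_usage_mb(interval_hours, full_syncs_per_week=1):
    """Low/high estimate of index space consumed per week.

    The Automatic policy downloads the whole database once every seven days;
    incremental downloads run every interval_hours in between.
    """
    if interval_hours < 1:
        raise ValueError("incremental interval must be at least one hour")
    incrementals = (7 * 24) // interval_hours
    low = full_syncs_per_week * FULL_SYNC_MB[0] + incrementals * INCREMENTAL_MB
    high = full_syncs_per_week * FULL_SYNC_MB[1] + incrementals * INCREMENTAL_MB
    return low, high


def weeks_until_full(storage_gb=DEFAULT_STORAGE_GB, interval_hours=2):
    """Weeks before the dedicated index reaches its limit at the high estimate.
    Assumption: nothing is aged out of the index before then."""
    _, high = weekly_index_usage_mb(interval_hours)
    return validate_storage_gb(storage_gb) * 1024 / high


def category_budget_gb(usable_gb, tic_storage_gb, category_pct):
    """Space left for one report category once the threat indicator cache is
    carved out. Assumption: the cache is taken off the top of usable reporting
    space before the category percentages from the index space table apply."""
    remaining = usable_gb - validate_storage_gb(tic_storage_gb)
    if remaining <= 0:
        raise ValueError("threat indicator cache exceeds usable reporting space")
    return remaining * category_pct / 100
```

With the page's example interval of 2 hours, the default 12 GB allocation holds roughly two weeks of synchronizations at the high estimate, which is why the page warns that the lab numbers are not a sizing guideline.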

...

You can schedule the download of the whole threat database daily, weekly, or monthly. However, if the whole threat indicator database has already been downloaded and the scheduled date and time falls close to that download, the scheduled download is skipped. The incremental ThreatDB is then downloaded from the Infoblox Portal at the configured interval.
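The download rules spread across the editor fields and the paragraph above (whole downloads at least 24 hours apart, Automatic policy every seven days, Manual policy on a schedule, incremental downloads only after a whole download exists, and a failure timestamp recorded after five iterations) fit into a small decision model. The following is an added illustration, not NIOS code; treating a schedule within 24 hours of the previous whole download as the "near" schedule that gets skipped, and counting five consecutive failed attempts before recording the failure timestamp, are the author's assumptions.

```python
from datetime import timedelta

# Values stated on the page: a second whole download only after 24 h, Automatic
# policy every seven days, failure timestamp after five failed iterations.
FULL_DOWNLOAD_MIN_GAP = timedelta(hours=24)
AUTOMATIC_PERIOD = timedelta(days=7)
MAX_ITERATIONS = 5

def full_download_due(now, last_full, policy, scheduled_at=None):
    """Return True when a whole threat indicator download should start.

    policy is "Automatic" (every seven days) or "Manual" (at scheduled_at).
    Assumption: a schedule within 24 h of the previous whole download is
    what the page calls a "near" schedule, and it is skipped.
    """
    if last_full is None:
        return True  # nothing cached yet: the first whole download always runs
    if now - last_full < FULL_DOWNLOAD_MIN_GAP:
        return False
    if policy == "Automatic":
        return now - last_full >= AUTOMATIC_PERIOD
    if policy == "Manual":
        return scheduled_at is not None and scheduled_at <= now
    raise ValueError(f"unknown update policy: {policy!r}")

def incremental_due(now, last_full, last_incremental, interval_hours):
    """Incremental updates run every interval_hours, but only once a whole
    download exists; the first one is measured from that whole download."""
    if last_full is None or interval_hours < 1:
        return False
    reference = last_incremental or last_full
    return now - reference >= timedelta(hours=interval_hours)

class FailureTracker:
    """Assumed model of the failure timestamp: it is set only when five
    consecutive attempts fail, and any success resets the count."""

    def __init__(self):
        self.consecutive_failures = 0
        self.last_failure = None

    def record(self, succeeded, at):
        if succeeded:
            self.consecutive_failures = 0
            return
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_ITERATIONS:
            self.last_failure = at
```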

...

Default Index Space Configured for Each Report Category

Report Category                                         | Default Index Space (%) Adjustable by User | Total Reporting Disk Space Used for Index Storage (GB)
Audit Log                                               | 0%  | -
DNS Query, DNS Performance, DDNS, DNS Record Scavenging | 20% | Usable reporting hard disk space x 20%
DNS Query Capture                                       | 0%  | -
DHCP Performance                                        | 20% | Usable reporting hard disk space x 20%
DHCP Fingerprint, DHCP Lease History                    | 39% | Usable reporting hard disk space x 39%
DDI Utilization                                         | 5%  | Usable reporting hard disk space x 5%
Security, Network User                                  | 1%  | Usable reporting hard disk space x 1%
DNS Traffic Control                                     | 0%  | Usable reporting hard disk space is broken down between ib_dtc and ib_dtc_summary internally.
Cloud                                                   | 0%  | -
System Utilization                                      | 15% | Usable reporting hard disk space x 15%
                                                        |     | -
Device                                                  | 0%  | -
Ecosystem Subscription, Ecosystem Publication           | 0%  | -
License                                                 | 0%  | -

Modifying Member Reporting Properties

...