
You can view data exfiltration events, including DNS tunneling detections, on the Threat Insight tab. The Threat Insight tab consolidates all data exfiltration, malware, and command-and-control events into a single report. It rolls up the data exfiltration events associated with a host or domain into a list of highly correlated events, and it lists the devices on your network that are experiencing malicious activity. By default, the report is filtered by all networks/scopes, all users, all security policies, and all devices over a 24-hour time frame. To export the Threat Insight table data in CSV format, click Export. The default file name is security-activity_threat-insight.csv. Exported data is limited to 10,000 records.

Performing Search Queries

The search feature supports queries written in the integrated search query language. Using the search query language, you can search all records in the Security Events report with customized queries. Using the search query options available in the Threat Insight report, you can:

  • Run a search on any of the following fields:
    • CONFIDENCE
    • DETECTIONS
    • TARGET DOMAIN
    • THREAT CLASS
    • THREAT FAMILY
    • THREAT LEVEL
  • Use the = and NOT (!=) operators.
  • Use the AND and OR operators.
  • Use single or double quotes to enter values that contain spaces.
  • Use parentheses to group parts of the search.
  • Use the wildcard symbol (*) as the last character of the search value for a partial match.
  • Press ENTER to apply the search.
  • Press TAB to autocomplete the search with the first available suggestion.

Sample Search Queries

The following are search query examples:

  • target_domain=domain.*
  • target_domain=domain.* AND confidence=High

A search on the target_domain field also matches subdomains. For example, target_domain=domain.com matches 'domain.com', 'office.domain.com', and 'space.office.domain.com'.

Note

All search values are case sensitive. A maximum of five operators can be used when constructing a query search.
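As an added example (not part of the Infoblox documentation), the following Python matcher implements the query rules described above, namely = and !=, AND and OR, quoted values, parentheses, a trailing * wildcard, case-sensitive values, the five-operator limit, and subdomain matching on target_domain, and runs them over constructed sample records. The record field names, treating a trailing * as a plain prefix match, and counting =, !=, AND and OR together toward the five-operator limit are assumptions.

```python
import re
RECORDS = [dict(zip(("target_domain", "confidence", "threat_class"), row)) for row in [  # constructed
    ("office.domain.com", "High", "Phishing"), ("domain.org", "Low", "MalwareC2"),
    ("cdn.other.net", "High", "Command and Control")]]
_TOKEN = re.compile(r"""\s*(?:(\(|\)|!=|=)|\b(AND|OR)\b|'([^']*)'|"([^"]*)"|([^\s()=!'"]+))""")

def tokenize(query):
    """(kind, text) pairs: 'op' for ( ) = !=, 'kw' for AND/OR, 'val' for field names and values."""
    toks, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m: raise ValueError(f"unexpected input at {pos}: {query[pos:]!r}")
        pos, (op, kw, *vals) = m.end(), m.groups()
        toks.append(("op", op) if op else ("kw", kw) if kw else ("val", next(v for v in vals if v is not None)))
    return toks

def match_field(rec, field, value):
    """Case-sensitive match; a trailing * is a prefix wildcard; target_domain also matches subdomains."""
    actual = rec.get(field, "")
    if value.endswith("*"):
        return actual.startswith(value[:-1])
    return actual == value or (field == "target_domain" and actual.endswith("." + value))

def compile_query(query):
    """expr := term (OR term)* ; term := factor (AND factor)* ; factor := ( expr ) | field (=|!=) value"""
    toks, pos = tokenize(query), [0]
    if sum(k == "kw" or v in ("=", "!=") for k, v in toks) > 5:
        raise ValueError("more than five operators")  # page rule: at most five operators per query
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else (None, None)
    def take(): t = peek(); pos[0] += 1; return t
    def factor():
        if peek() == ("op", "("):
            take(); node = expr()
            if take() != ("op", ")"): raise ValueError("missing )")
            return node
        (_, field), (_, op), (_, value) = take(), take(), take()
        if op not in ("=", "!=") or value is None: raise ValueError("expected field = value")
        return lambda r: match_field(r, field, value) == (op == "=")
    def chain(sub, kw, combine):  # sub (kw sub)*: AND combines with all(), OR with any()
        nodes = [sub()]
        while peek() == ("kw", kw): take(); nodes.append(sub())
        return lambda r: combine(n(r) for n in nodes)
    term = lambda: chain(factor, "AND", all)
    expr = lambda: chain(term, "OR", any)
    pred = expr()
    if peek() != (None, None): raise ValueError("trailing input")
    return pred
def search(query, records=RECORDS):
    pred = compile_query(query)  # target domains of the records the query selects
    return [r["target_domain"] for r in records if pred(r)]
```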

Filtering the Threat Insight Tab

To filter Threat Insight events by specific criteria, select the applicable objects from the following drop-down menus located below the top action menu:

  • Level: The threat level of the malicious hit. This can be High, Medium, Low, or Info.
  • Policy: The active security policies.
  • Source: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. You can choose which records to view by selecting or deselecting the available options.
  • Show: Filter security and activity events by choosing an option from the Show drop-down menu.

Note

Depending on the availability of data records, not all filter options may be displayed.

The Threat Insight table displays the following information. Use the column drop-down menus to select the applicable objects:

  • DETECTIONS: The number of detections associated with the report. Clicking a record's number of detections displays a table of the detections associated with the target domain. The information displayed for the target domain includes the following:
    • DETECTED: The timestamp associated with the detection.
    • THREAT LEVEL: The target domain's threat level rating. This can be High, Medium, Low, or Info.
    • QUERY: The DNS query. Clicking the circular click icon associated with a record allows you to view the Dossier threat look-up record of a threat class or property for the selected record. On the Dossier threat look-up page, you can view the Dossier report details for additional information on the selected record.
    • CLASS: The threat class associated with the target domain.
    • POLICY: The security policy that the malicious hit triggered.
    • DEVICE IP: The IP address of the device responsible for the hit. If you are using BloxOne Endpoint for the Infoblox Grid, BloxOne Cloud identifies the hostname of the Grid Master and displays it in this column. If the NIOS appliance is not running a supported NIOS version, or if the device is at a remote site, BloxOne Cloud captures the IP address of the appliance (instead of the hostname) in this field.
    • SOURCE: The location of the device within the network infrastructure.
    • QUERY TYPE: The DNS query type.
    • USER: The user that triggered the hit (for remote offices).
    • THREAT CONFIDENCE: The confidence level for the malicious hit. A High confidence level means that the hit was likely to be real.
  • TARGET DOMAIN: The domain the threat is targeting. Displays the domain that sent the DNS query. Clicking the circular click icon associated with a record allows you to view the Dossier threat look-up record of a threat class or property for the selected record. On the Dossier threat look-up page, you can view the Dossier report details for additional information on the selected record.
  • THREAT LEVEL: The threat level of the malicious hit. This can be High, Medium, Low, or Info.
  • CONFIDENCE: The confidence level for the malicious hit. A High confidence level means that the hit was likely to be real.
  • THREAT CLASSES: The threat intelligence class, such as Phishing, Malware, C2, DGA, and others.
  • THREAT FAMILY: A threat family is a grouping of malicious threats. For information, see Threat Family Classes.

Note

You can enable and disable custom fields by clicking the icon located in the top right-hand corner of the table and selecting or deselecting the custom fields you want to view. All fields can be selected or deselected, or they can be returned to the default configuration by clicking Restore to default GRID setting.

Export Records

Click Export to download a CSV file of the report records. The maximum number of exported Threat Insight report records is 10,000.
