Version 86

The Viewing Open Insights - Threats View page covers the Dashboard, Insight Settings, the Threats and Configuration views, and the Details pane. The Insights dashboard provides information on threats and configurations observed on a network: it displays open insights, insights expiring during the week, medium- to critical-priority insights, and active insights in a donut chart broken down by threat type, among other data. It assists in monitoring and managing detected threats and allows insights to be sorted and searched, so that security staff can monitor, analyze, and respond to threats in real time. The page also describes Insight Settings, where actions can be assigned to Insight types to control how security policies respond when a specific insight type is detected.

The Threats view is displayed by default and can be toggled with the Configuration view, depending on license availability. It displays the priority level of an insight, recommended actions if available, the date and time of the last observation, and other details associated with the selected Insight.

Image: A detailed view of the Open insights -Threats View dashboard, which provides a comprehensive view of network security threats and insights. The interface is divided into several sections with various functionalities. The dashboard provides sophisticated tools that enable cybersecurity professionals to monitor, analyze, and respond to threats in real-time. It is designed to provide a quick overview while also allowing for in-depth analysis and immediate action to protect against security threats.

The Dashboard

call-out A

Open/Closed: Click OPEN to view open insights. Click CLOSED to view closed Insights.


call-out B

Threats/Configuration View: The default page displays threat view information about insights observed on your network. The Threats view is displayed by default on the Insights dashboard page. Click Configuration to view configuration information for insights. Click either Threats or Configuration to toggle between the two views. Note: The Threats and Configuration pages are available on a license basis.

call-out C

Dashboard Reporting: The dashboard displays four cards, each displaying information about the open insights reported on your network. Each card displays the number of detections for the last seven days together with the percentage increase or decrease in total detections over that period. The four small cards display the following information:

  • Total Open Insights: The total number of all open insights currently reported on your network.
  • Expiring this week: The number of open insights on your network that are scheduled to expire during the coming week.
  • Medium Priority Insights: The number of threat insights on your network determined to be medium priority threats.
  • High Priority Insights: The number of threat insights on your network determined to be high priority threats.
  • Critical Priority Insights: The number of threat insights on your network determined to be critical priority threats.

call-out D

Active Insights Highlights: This information card displays a donut chart of the specific types and quantities of threats detected on your network. An upward-pointing arrow reports an increase in activity for the past week, while a downward-pointing arrow indicates a decrease in activity over the same one-week reporting period. From the card's side panel menu, you can choose to view the donut chart based on any of the following criteria:

  • Threat Types: The threat types observed on your network during the current reporting period.
  • Threat Levels: The threat levels observed on your network during the current reporting period.
  • Timeline: The number of events and devices observed during the past 24-hour and one-week time spans.
  • Scanned Major Threats: The results of the scan of your network for major threats.
  • Most Infected Devices: This report displays the following information acquired from any discoverable sources (Infoblox Endpoint, IP address, metadata, etc.).
    • User: The username that is used to log into this device.
    • OS Version: The OS version that is currently running on the device.
    • Mac Address: The MAC address for the device.
    • Threat Families: The threat family class or classes observed on devices in the network.

call-out E

Sort by: Click Sort by to see the list of Insights sorted by date, priority, or type.

Image: The Sort by menu options include date, priority, or type.

call-out F

Search: Enter a search criterion in the Search text box. The Infoblox Portal will show all records that match the criterion.

call-out G

Insight Settings: Click Insight Settings to open the Insight Settings pane. In the Insight Settings pane, actions can be assigned to Insight types. If the action for the same Insight type is changed multiple times within one hour, then after one hour, only the latest action updated in the database will be applied to all the events that occurred during the past hour. See the Insight Settings section for further information.

call-out H

Filtering: Click the filter icon to open and close the filtering panel. See call-out K for additional information on selecting filter attributes to be used for running insight record queries.

call-out I

Selecting insights: Place a check in the checkbox next to an insight to select it. You can select multiple insights by placing checks in the checkboxes associated with the desired insights.

call-out J

Click Select all to select all insights. Alternatively, you can deselect all selected insights by clicking Deselect All. 

call-out K

Filter Query Options: Click the add icon to display the filter option drop-down menu.


Image: The basic filtering query options include type, priority, feed source, or category. 

From the drop-down menu, you can select specific filter attributes to run a search on. Filter query attributes include the following:

  • Type: The insight type.
  • Priority: The insight priority level. Filtering options include Critical, High, Medium, Low, or Info.
  • Feed Source: The insight feed source.
  • Category: The insight category.

Multiple filter types can be selected simultaneously. 

Image: A detail view of the filtering pane. 

call-out L

Insight Status: Click Insight Status > Move to Closed after selecting one or more open insights to change the insight status to Closed. You can confirm the status change of the selected insights by verifying that they have been moved to the Closed Insight page.


call-out M

Expand All/Collapse All: Click Expand All to expand the details pane for all Insights. Conversely, click Collapse All to collapse the details pane. Alternatively, you can use the expand/close arrows (see call-out Q) to expand and close the details pane for an Insight.

call-out N

Details Pane (default and expanded view): The Details pane displays information about insights on your network. See the Details Pane section for further information.

call-out O

Investigate Insight: Click Investigate Insight to view Insight Summary, Assets, Indicators, Event, Comments, and Threat Categories pages. Each page displays important information about insights detected on your network. 

call-out P

Editing/Closing Insights: Click the three horizontal dots icon to move the selected insight to closed or to edit the selected insight. 

Editing an Insight

To edit an Insight, do the following:

  1. Click the three horizontal dots icon followed by clicking Edit Insight to begin the insight editing process.

    Image: The Investigate Insight drop-down menu options include Move to Closed and Edit Insight

  2. In the edit pane, toggle the insight Open switch to the left to close the insight. In the comments field, provide information as a closing comment for the insight.

    Image: A detail view of the Edit window.

  3. Click Save & Close.

Closing an Insight

To close an Insight, do the following:

  1. Click the three horizontal dots icon followed by clicking Move to Closed Insight. The selected insight will be moved to the Closed insight list.

Image: The Investigate Insight drop-down menu options include Move to Closed and Edit Insight

call-out Q

Expand/Close: Click the down-pointing arrow icon to expand the details panel, where you can view detailed information associated with the selected Insight. Click the up-pointing arrow icon to close the details panel.

Insight Settings

Insight Settings allows you to assign actions to different types of Insights. You can choose from the options Nothing, Add to Allow List, and Add to Block List. These actions determine how security policies function when a specific type of insight is detected. For example, you can configure the system to automatically add certain Insights to an allow list or block list based on their type. This helps in managing and responding to threats detected on your network. If the action for the same Insight type is changed multiple times within one hour, then after one hour, only the latest action updated in the database will be applied to all the events that occurred during the past hour.
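The one-hour rule above has a consequence worth seeing concretely: an intermediate action that is overwritten before the hour elapses is never applied to any event, even to events that occurred while it was the configured action. The following Python model is an added illustration, not Infoblox code, and it assumes (as a simplification) that actions are resolved in hourly batches. The `ActionChange`, `InsightEvent` and `resolve_hourly_batch` names, and the sample changes and events, are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Action options as listed in the Insight Settings pane.
ACTIONS = ("Nothing", "Add to Allow List", "Add to Block List")


@dataclass(frozen=True)
class ActionChange:
    insight_type: str   # e.g. "DNS Tunneling"
    action: str         # one of ACTIONS
    changed_at: datetime


@dataclass(frozen=True)
class InsightEvent:
    insight_type: str
    observed_at: datetime


def resolve_hourly_batch(changes, events, batch_end, window=timedelta(hours=1)):
    """Model of the one-hour coalescing rule (assumption: actions are applied
    in hourly batches).  Returns (effective, applied, superseded):
      effective  - {insight_type: action in force at batch_end}
      applied    - [(event, action)] for events that occurred in the window
      superseded - changes made in the window that were overwritten before
                   the batch ran, so they were never applied to any event
    """
    for c in changes:
        if c.action not in ACTIONS:
            raise ValueError(f"unknown action {c.action!r}")
    window_start = batch_end - window

    # The latest change at or before batch_end wins, per insight type;
    # earlier settings (even from previous hours) stay in force otherwise.
    effective = {}
    for c in sorted(changes, key=lambda c: c.changed_at):
        if c.changed_at <= batch_end:
            effective[c.insight_type] = c

    superseded = [c for c in changes
                  if window_start <= c.changed_at <= batch_end
                  and effective[c.insight_type] is not c]

    # Every event in the window gets the final action, not the action that
    # happened to be configured at the moment the event was observed.
    applied = []
    for ev in events:
        if window_start <= ev.observed_at <= batch_end:
            winner = effective.get(ev.insight_type)
            applied.append((ev, winner.action if winner else "Nothing"))
    return {t: c.action for t, c in effective.items()}, applied, superseded


def demo():
    """Constructed scenario: three changes to DNS Tunneling within one hour."""
    t0 = datetime(2024, 1, 1, 10, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    changes = [
        ActionChange("DGA Types", "Add to Block List", t0 - timedelta(hours=1)),
        ActionChange("DNS Tunneling", "Add to Block List", m(5)),
        ActionChange("DNS Tunneling", "Add to Allow List", m(20)),
        ActionChange("DNS Tunneling", "Nothing", m(40)),
    ]
    events = [
        InsightEvent("DNS Tunneling", m(10)),      # observed while "Block" was set
        InsightEvent("DNS Tunneling", m(30)),      # observed while "Allow" was set
        InsightEvent("DGA Types", m(50)),
        InsightEvent("Lookalike Threat", m(15)),   # no action configured
        InsightEvent("DNS Tunneling", m(-30)),     # previous hour, not in this batch
    ]
    effective, applied, superseded = resolve_hourly_batch(changes, events, m(60))
    return effective, [(ev.insight_type, act) for ev, act in applied], len(superseded)


if __name__ == "__main__":
    effective, applied, n_superseded = demo()
    print("effective actions:", effective)
    for insight_type, action in applied:
        print(f"  {insight_type:16s} -> {action}")
    print("changes that never took effect:", n_superseded)
```

In the scenario, both DNS Tunneling events in the window end up with Nothing, the value of the last change in the hour, and the Block and Allow changes made at 10:05 and 10:20 are reported as superseded. Operationally, this means a change made mid-hour should not be relied on to have acted on events already seen; check the final setting after the hour when verifying a policy response.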

Click Insight Settings to open the Insight Settings pane. In the Automatic Response section of the Insight Settings pane, you can configure a default action. The following information is available in the pane:

  • INSIGHT TYPE: The type of Insight. Options include
    • DGA Types
    • DNS Tunneling
    • Lookalike Threat
    • Major Attack
    • NXDomain
    • Open Resolver
    • Outlier
    • Rapid Domain Triage
    • Spear Phishing
  • ACTIONS: Actions can be assigned to Insight types. The action options that can be applied are Nothing, Add to Allow List, and Add to Block List. If the action for the same Insight type is changed multiple times within one hour, then after one hour, only the latest action updated in the database will be applied to all the events that occurred during the past hour.


Image: The Insight Settings window. 


Actions can be applied to an Insight by selecting an option from the drop-down list. 


Image: The Actions drop-down options include Nothing, Add to Block List, and Add to Allow List

Editing Insights

To edit an Insight, do the following:

  1. Click the three horizontal dots icon followed by clicking Edit Insight to begin the insight editing process.

    Image: The Edit Insight drop-down menu options include Move to Closed and Edit Insight

  2. In the edit pane, toggle the insight Open switch to the left to close the insight. In the comments field, provide information as a closing comment for the insight.
  3. Click Save & Close.

Threats and Configuration Views

The Threats view is displayed by default on the Insights dashboard page. The Threats and Configuration pages are available on a license basis. 

The Insight Threats view displays the following information associated with a selected Insight:

  • Priority: The priority level of the insight. 
  • Infoblox's Action/Notification: Provides information about the Insight along with recommended actions. If the action for the same Insight type is changed multiple times within one hour, then after one hour, only the latest action updated in the database will be applied to all the events that occurred during the past hour.
  • Last Observation: The time and date the insight was last detected on the network.
  • Description: A detailed description of the Insight.
  • Investigate Insight: Investigate multiple contributing factors for the reported Insight. 

The Insight Configuration view displays the following information associated with a selected Insight:

  • Priority: The priority level of the insight.
  • Last Observation: The time and date the insight was last detected on the network.
  • Investigate Insight: Investigate multiple contributing factors for the reported Insight.
  • View IDS: Allows you to view or investigate Insight settings.
  • Close Service or Policy: Allows you to close a service or policy associated with the Insight.
  • Insight Recommendations: Insight recommendations are based on best practices for security policy configuration and optimization.
  • Security Policy: Displays security policy optimization issues and errors.
  • View DFP Services: Displays DNS Failover Configuration check failed issues and errors.

 

Image: The Open Insights dashboard page - Configuration view (normal view). The dashboard displays information about open insight records. 

The Configuration view displays the following information for a selected Insight:

call-out A

Priority: The insight priority level. Priority levels reported include Critical, High, Medium, Low, or Info.

call-out B

Status Action/Notification: The status/notification of the Insight along with recommended actions. If the action for the same Insight type is changed multiple times within one hour, then after one hour, only the latest action updated in the database will be applied to all the events that occurred during the past hour. For information on the detailed notification report, see call-out H, below. Note that the status action/notification is not available for all insight reports and is not available for insight configurations.

call-out C

Last Observation: The time and date the insight was last detected on the network. Additionally, information on the number of days the insight has been active on the network is provided. 

call-out D

View IDS: Click View or Investigate to view or investigate Insight settings.

call-out E

Click the three horizontal dots icon to close a service or policy the Insight is associated with, or, for the purposes of investigation, to copy the link to share with others in your organization.

call-out F

Click the down-pointing arrow icon to open the details panel. Click the up-pointing arrow icon to close the details panel.

call-out G

Insight Recommendations: Insight recommendations are provided by the Infoblox cybersecurity and threat investigation teams based on best practices for security policy configuration and security policy precedence, and on identified issues with security policy optimization.

  • Security Policy: For security policy optimization issues, you will be taken to the Security Policies page in the Infoblox Portal (Configure > Security Policies). Security policy errors will be displayed in the Security Policy Needs Optimization pane. The Security Policy Needs Optimization pane displays the following information:
    • POLICY NAME: The name of the policy needing optimization. Note: Click a policy name to navigate to the security policy needing attention in the Infoblox Portal.
    • POSSIBLE ERROR: A brief description of the potential error.
    • INSIGHT ID: The Insight's identification.


Image: The Security Policy window.  

  • View DFP Services: For DFP service optimization issues, you will be taken to the DNS Failover Configuration check failed pane in the Infoblox Portal (Configure > Infrastructure > Services). DFP service errors will be displayed in the DNS Failover Configuration check failed pane. The DNS Failover Configuration check failed pane displays the following information:
    • SERVICE NAME: The name of the service needing optimization. Note: Click a service name to navigate to the service needing attention in the Infoblox Portal.
    • POSSIBLE ERROR: A brief description of the potential error.
    • INSIGHT ID: The Insight's identification.

Image: The DFP Services window.

  • Investigate Insight: To investigate the selected insight, you will be taken to the Insight Summary page. 

call-out H

Status Action/Notification (detailed report): The detailed action notification identifies potential weaknesses and issues with your insight configuration and advises on how to remedy the identified problems.

The Details Pane

The Open Insights Details pane displays information associated with the selected Insight. The information includes priority level, insight type, last observation date and time, active days, definition, creation date, feed source, categorizations, and an interactive event chart.

Image: The Open Insights - Threats View Details pane (default view). The Details pane displays information about the selected insight.

The default view for the Details Pane displays the following information for the selected Insight. 

call-out A

Priority: The priority level of the insight. Priority levels reported include Critical, High, Medium, Low, or Info.

call-out B

Type: The insight type.

call-out C

Last Observation: The time and date the insight was last detected on the network. Additionally, information on the number of days the insight has been active on the network is provided. 

call-out D

Investigate Insight: Click Investigate Insight to be taken to the Summary page, where an investigation of the insight begins. For information, see Viewing the Insight Summary.

call-out E

Click the three horizontal dots icon followed by clicking Move to Close to close a selected insight, or click Edit to edit the selected insight. For information on editing an Insight, see the Edit Insight section.

Image: The Investigate Insight drop-down menu options include Move to Closed and Edit Insight

call-out F

Click the down-facing arrow icon to expand the details pane.

Image: The Open Insights - Threats View Details pane (expanded view). The Details pane displays information about the selected insight.

The expanded view for the Details pane displays the following information for the selected Insight. 

call-out A

Priority: The priority level of the insight.

call-out B

Type: The insight type.

call-out C

Last Observation: The time and date the insight was last detected on the network. Additionally, information on the number of days the insight has been active on the network is provided. 

call-out D

Investigate Insight: Click Investigate Insight to be taken to the Summary page, where an investigation of the insight begins. For information, see Viewing the Insight Summary.

call-out E

Click the three horizontal dots icon followed by clicking Move to Close to close a selected insight, or click Edit to edit the selected insight. For information on editing an Insight, see the Edit Insight section.

Image: The Edit Insight drop-down menu options include Move to Closed and Edit Insight

call-out F

Click the up-facing arrow icon to return to the details pane default view. 

call-out G

Selecting insights: Place a check in the checkbox next to an open insight to select it. Once selected, click Insight Status followed by clicking Move to Close to change the insight status to Closed.

Image: The Insight Status drop-down menu option includes Move to Closed

call-out H

Event chart: A columnar chart that visually displays the frequency and quantity of identified events occurring during the past 31 days.

call-out I

Description: A brief definition of the documented Insight. 

call-out J

Creation Date: The insight's original time and date of creation.

call-out K

Feed Source: The unique threat indicator(s) associated with the threat, such as domain(s) or IP address(s). 

Note

Recommended Threat Feed Missing notification
Infoblox recommends specific threat feeds to maintain optimal security. Receiving this notification means that one or more feeds is missing from an active policy. Hover over “Threat Feeds” for additional information.


call-out L

Categorizations: A list of all the threat categories associated with the DNS queries on the network.


You can also do the following on the page: 

  • Background Tasks: Click the hourglass to open the side panel and view a list of all running background tasks.

  • Search: Click the search icon in the Search text box, then enter your search criterion.

  • Pagination Controls: At the bottom left, there are controls for navigating through the pages of insights, indicating that more data is available beyond what is displayed on the current page. Click the number of insight records to display per page. The options include 25, 50, or 100.
