
Security Activity Historical Data Report

Security Activity Historical Data reporting gives you access to data that goes back 60 days rather than the usual 30 days. Use this feature to create custom reports by configuring queries and filters according to your organization's requirements. Saved reports will be retained for 30 days then deleted from the system automatically.

Save up to 10 historical reports, and use them to derive insights from DNS- and security-related activities and to gain a comprehensive understanding of historical trends and patterns within your data. Historical Data reporting can be configured for Security Activity and DNS Activity reports. 

This page covers the following topics:

  • Security Activity Historical Data Viewer

  • Viewing a Security Activity Historical Data Report

  • Creating and Saving a Security Activity Historical Data Report

Navigating to Security Activity Historical Data Reports

To navigate to Security Activity historical data reports, do the following:

  1. Log in to the Infoblox Portal.
  2. Click Monitor > Reports > Security Activity.
  3. On the Security Activity page, click Historical Data Viewer (see call-out A) to open the Security Activity Historical Data Reports page.

Security Activity Historical Data Viewer

The Security Activity Historical Data Viewer is used to view up to 60 days of data. The data is reported according to the queries and filters applied by using the Historical Data Viewer Query Builder. The following are the viewer's components.

Image: The Security Activity Historical Data Viewer page.

call-out A

Query Panel: The query panel shows the results of your historical data query with filters and specific query parameters applied. The panel shows the following information:

  • Viewing: The name of the report currently being viewed. 
  • Date and Time: The date-time range for the data in the report.
  • Created by: The name of the person in your organization who created the report.
  • Expires: The expiration date and time of the report. Reports expire 30 days after being created.
  • Query: The queries added to the report at its creation.
  • Filters: The filters applied to the report at its creation. 

call-out B

Requests Chart: The chart plots the records returned by the current historical data query, that is, the security activity matched by the queries and filters used to generate the report.
 

call-out C

Clear Filter: To clear the filtered results from the report, click Clear Filter. This will also reset the reporting page to its default state.

call-out D

Load: Click Load to open a window that lists existing queries. In the panel on the left, select a query to be run based on the available report types. Clicking the title of a report displays its details in the panel on the right. For details on running a reporting query, see section Viewing a Security Activity Historical Data Report.

Image: The Load Reports (Created Reports) pane.

A total of 10 queries can be created and saved, and this total includes both Security Activity and DNS Activity reports. For example, if you create and save six Security Activity reports, then you can save at most four additional reports, which can be any combination of Security Activity and DNS Activity historical reports. Report names that are grayed out in this list were created as DNS Activity historical data reports and cannot be viewed from the Security Activity viewer; they are available when you access historical data from the DNS Activity report.

To view a report, do the following:

  1. Select an available report from the reports listed in the panel on the left.
  2. Click View to open the report. 

To delete a report, do the following:

  1. Select an available report from the reports listed in the panel on the left.
  2. Click Delete. A modal window will open and request your confirmation. Click Delete to confirm deletion of the report.

For information on creating a query, see section Creating and Saving a Security Activity Historical Data Report.


call-out E

Click Back to Security Activity to exit the historical data viewer.


call-out F

Click Save to save a newly created historical data report. When saving a report, give it a name that is unique and reflects the type of historical data being requested.


call-out G

To view background tasks, run a global search, or review recent searches, do the following:

  • Background Tasks: Click the hourglass icon to open the side panel that lists all running background tasks.
  • Global Search: In the Search text box, enter the search criteria or value you want to find, then click the search icon. The Infoblox Portal displays the list of records that match the keyword.
  • Recent Searches: The search panel shows the items you have searched for most recently, such as tools, console messages, and domains.

call-out H

Export: Click Export to download a .csv file containing the records in the currently queried report. At most 50,000 records can be downloaded; if the report contains more than that, narrow the query, filters, or time range before exporting so that no records are left out. The name of the .csv file reflects the name of the report being queried.

call-out I

Historical Data Report Table: The table displays a list of all historical data records shown for your network according to the query and filtering criteria defined when the report was created. The following information can be viewed in the records table: 

  • ACTION (default grid column): The configured action for the security rule. This can be Allow, Redirect, Block, or Log.
  • CLASS (default grid column): The threat intelligence feeds, such as Phishing and MalwareC2DGA.
  • DETECTED (default grid column): The date and time of the first DNS detection.
  • DEVICE COUNTRY: The country  where the device is located.
  • DEVICE IP (default grid column): The IP address of the device responsible for the hit. If you are using Infoblox Endpoint for the Infoblox Grid, the Infoblox Platform will identify the hostname of the Grid Master and display it in this filter. If the NIOS appliance is not running a supported NIOS version, or if this device is a remote site, then Infoblox Platform will capture the IP address (instead of the hostname) of the appliance in this field.
  • DEVICE NAME (default grid column): The device’s name.
  • DEVICE REGION: The region within a geographic area where the device is located.
  • DHCP FINGERPRINT: The unique identifier formed by the values in the DHCP option 55 or 60. This identifier is used to identify the requesting client or device.
  • DNS VIEW: The DNS view from which the response was served.
  • FEED: The list of threat feeds against which the malicious hit was triggered.
  • INDICATOR (default grid column): The policy source from which the indicator type is being reported. The indicator can originate from an application or a category filter, from a custom list, or from a feed. Click the view on Dossier icon to view the Dossier information associated with a selected indicator. 
  • MAC ADDRESS: The detected MAC address of the device.
  • OS VERSION: The detected OS version of the device.
  • POLICY (default grid column): The security policy against which the malicious hit was triggered.
  • PROPERTY (default grid column): The property or nature of the threat. By default, the portal includes all threat properties.
  • QUERY (default grid column): The domain name that was queried.
  • QUERY TYPE: The DNS query type.
  • RESPONSE (default grid column): The response that Infoblox Platform has taken for the malicious hit.
  • RESPONSE COUNTRY: The country where the response originated, based on the information acquired from the public IP address of Infoblox Endpoint.
  • RESPONSE REGION: The region within a geographic area where the response originated. This value is based on the information acquired from the public IP address of Infoblox Endpoint.
  • SOURCE (default grid column): The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device.
  • THREAT CONFIDENCE: A scoring system for malicious hits, where confidence is rated High, Medium, or Low.
  • THREAT LEVEL: The threat level for the malicious hit. This can be High, Medium, Low, or Info. Note: In some cases, a record may not contain all fields; missing fields are shown as N/A in the user interface and as NULL in API results.
  • USER: The user who triggered the hit. For remote offices, the portal displays Unknown.

call-out J

Search: Enter the keyword that you want to search on. The Infoblox Portal will display the list of records that match the keyword.


call-out K

To select the columns you want to display, click the triple-bar icon ☰ on the header of the Historical Data Report table. To view all information, select all options; alternatively, select only the columns you wish to see. To reorder the columns, use the up/down arrow associated with each column. For details on the information provided by each column, see call-out I.

Viewing Security Activity Historical Data Report


call-out 1

Click Load to select a previously created report. You can view the details of a selected report in the right-hand pane of the created reports window (see call-out 2).

call-out 2

The details panel shows the following information for the created report:

  • Header: The number of historical reports created. This list is inclusive of the Security Activity and DNS Activity historical reports. At most 10 reports can be saved at any one time. 
  • Left panel: A list of created historical reports.
  • Right panel: The details of a selected historical report.
    • Type: The type of the report: DNS Activity report or Security Activity report.
    • Date/Time: The date/time period for the historical data: 1 hour (default), 24 hours, 48 hours, 7 days, 1 month, or custom.
    • Created by: The name of the person in your organization who created the historical report.
    • Expires: The date and time of the historical report's expiry.
    • Query: A list of data queries used to configure the historical report. If queries were not configured for the report, then the response will be "No".
    • Filters: A list of data filters used to configure the historical report. If filters were not configured for the report, then the response will be "No".

Image: The Load Reports (Created Reports) pane.


call-out 3

Click View on the Report panel to open the selected report. A total of 10 queries can be created and saved, and the 10 saved queries include DNS Activity as well as Security Activity reports. Report names that are grayed out were created as DNS Activity historical data reports and cannot be viewed as Security Activity reports; they are available when you access historical data from the DNS Activity report.

call-out 4

Click Delete to remove a saved Security Activity historical data report from the list. A modal window will open and ask you to confirm that you want to delete the report. Deleting a report allows the saving of a new historical data report.

For information on creating a query, see section Creating and Saving a Security Activity Historical Data Report.

  1. Once the selected historical report is generated, the results can be viewed in the Historical Data Report table. See call-out I in the Historical Data Viewer diagram above.
  2. You can run a search against the reported results (see call-out J), or you can export the reported results as a .csv file (see call-out H).
  3. When you are finished viewing the report, click Clear Filter (see call-out C) to clear the results from the page and to reset the page to run another report.

Creating and Saving a Security Activity Historical Data Report

To create and save a Security Activity historical data report, do the following.

The Security Activity Historical Data Viewer Query Builder panel.

Image: The Security Activity Historical Data Viewer Query Builder panel.

call-out A

Event Search: In the event search field, you can input search query field data and/or operators. Click the information icon to open the search criteria panel for information on configuring event searches (see call-out B).

call-out B

Search Queries: Click the information icon to open the search criteria panel that shows examples of the filter and data criteria accommodated by the event search feature. The feature supports queries for searches that use the Language-Integrated Query (LINQ). Use this language to create customized queries for searching across all records in the Security Events report. By using the search query options available for generating Security Activity historical data reports, you can do the following:

  • Run a search on any of the following fields:
    • ACTION
    • CLASS
    • DEVICE COUNTRY
    • DEVICE IP
    • DEVICE NAME
    • DEVICE REGION
    • DHCP FINGERPRINT
    • DNS VIEW
    • FEED
    • INDICATOR
    • MAC ADDRESS
    • OS VERSION
    • POLICY
    • PROPERTY
    • QUERY
    • QUERY TYPE
    • RESPONSE
    • RESPONSE COUNTRY
    • RESPONSE REGION
    • SOURCE
    • THREAT CONFIDENCE
    • THREAT LEVEL
    • USER
  • Use the = and the NOT (!=) operators.
  • Use the AND and OR operators.
  • Use single or double quotation marks to specify values that contain spaces.
  • Use parentheses to group parts of a search.
  • Use the wildcard symbol (*) as the last character of the search value for a partial match.
  • Press the Enter key to run a search.
  • Press the Tab key to autocomplete a search with the first available suggestion.

The following are examples of search queries:

  • query=domain.* AND device=52.123*
  • device=office1.domain OR device=office2.domain.com
  • dns_view=example-view AND query_type=A
  • (source='Infoblox Endpoint' OR source="example 1") AND device=52.123*

A search by the query field matches the value and all of its subdomains. For example, query=domain.com matches 'domain.com', 'office.domain.com', and 'space.office.domain.com'.

Note

  • All search values are case sensitive.
  • At most five operators can be used to construct a query search.
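The rules above (=, !=, AND, OR, quoting, parentheses, the trailing-* partial match, subdomain matching on the query field, case sensitivity, and the five-operator limit) are easy to misapply when a report is saved and only checked 30 days later. The following added example is not Infoblox code and is not the portal's own search engine; it is an offline re-implementation of the documented rules so that a query can be tried against a handful of rows (for instance, rows of an exported .csv) before it is saved as a report. The sample records are constructed. Details the page does not state and that are assumed here: AND binds tighter than OR, field names are the lower-case column names with underscores (device, dns_view, query_type), the wildcard is a prefix match that replaces the subdomain rule, and the operator limit counts =, !=, AND and OR together.

```python
"""Offline evaluator for the Security Activity event-search syntax.

Added example, not Infoblox code: re-implements the documented search rules
so a query can be tested against sample rows before it is saved as a report.
Assumptions not stated on the page: AND binds tighter than OR; field names are
lower-case column names joined with underscores; the five-operator limit
counts =, !=, AND and OR together; a trailing * is a prefix match.
"""
import re

MAX_OPERATORS = 5  # documented limit per search

# Constructed sample rows shaped like the Historical Data Report table.
SAMPLE_RECORDS = [
    {"query": "office.domain.com", "device": "52.123.4.5", "source": "Infoblox Endpoint",
     "query_type": "A", "dns_view": "example-view", "action": "Block"},
    {"query": "cdn.otherdomain.com", "device": "52.123.9.9", "source": "On-prem DNS",
     "query_type": "TXT", "dns_view": "example-view", "action": "Log"},
    {"query": "domain.com", "device": "10.0.0.7", "source": "example 1",
     "query_type": "A", "dns_view": "corp-view", "action": "Allow"},
    {"query": "domain.net", "device": "52.123.7.7", "source": "example 1",
     "query_type": "AAAA", "dns_view": "corp-view", "action": "Redirect"},
]

# Parentheses, comparison operators, AND/OR, quoted values, bare values.
TOKEN_RE = re.compile(
    r"\s*(?:(\()|(\))|(!=|=)|(AND|OR)\b|'([^']*)'|\"([^\"]*)\"|([^\s()=!'\"]+))"
)


def tokenize(text):
    """Split a search string into (kind, value) tokens; quotes allow spaces."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize at offset {pos}: {text[pos:]!r}")
        pos = m.end()
        lp, rp, op, logic, sq, dq, bare = m.groups()
        if lp:
            tokens.append(("LP", "("))
        elif rp:
            tokens.append(("RP", ")"))
        elif op:
            tokens.append(("OP", op))
        elif logic:
            tokens.append(("LOGIC", logic))
        else:
            tokens.append(("VAL", sq if sq is not None else dq if dq is not None else bare))
    return tokens


class Parser:
    """Recursive descent: expr := term (OR term)*, term := factor (AND factor)*."""

    def __init__(self, tokens):
        self.toks, self.i, self.operators = tokens, 0, 0

    def peek(self, kind, value=None):
        if self.i < len(self.toks) and self.toks[self.i][0] == kind:
            return value is None or self.toks[self.i][1] == value
        return False

    def take(self, kind):
        if not self.peek(kind):
            raise ValueError(f"expected {kind} at token {self.i}")
        self.i += 1
        return self.toks[self.i - 1][1]

    def parse(self):
        node = self.expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing tokens (missing AND/OR?)")
        if self.operators > MAX_OPERATORS:
            raise ValueError(f"{self.operators} operators exceed the limit of {MAX_OPERATORS}")
        return node

    def expr(self):
        node = self.term()
        while self.peek("LOGIC", "OR"):
            self.take("LOGIC")
            self.operators += 1
            node = ("OR", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek("LOGIC", "AND"):
            self.take("LOGIC")
            self.operators += 1
            node = ("AND", node, self.factor())
        return node

    def factor(self):
        if self.peek("LP"):
            self.take("LP")
            node = self.expr()
            self.take("RP")
            return node
        field, op, value = self.take("VAL"), self.take("OP"), self.take("VAL")
        self.operators += 1
        return ("CMP", field.lower(), op, value)


def value_matches(field, pattern, actual):
    """Documented matching rules; all comparisons are case sensitive."""
    if pattern.endswith("*"):  # trailing wildcard: partial (prefix) match
        return actual.startswith(pattern[:-1])
    if field == "query":  # query matches the domain and all of its subdomains
        return actual == pattern or actual.endswith("." + pattern)
    return actual == pattern


def evaluate(node, record):
    if node[0] == "CMP":
        _, field, op, value = node
        hit = value_matches(field, value, record.get(field, ""))
        return hit if op == "=" else not hit
    kind, left, right = node
    if kind == "AND":
        return evaluate(left, record) and evaluate(right, record)
    return evaluate(left, record) or evaluate(right, record)


def search(query_text, records=SAMPLE_RECORDS):
    """Return the records that an event-search expression would select."""
    tree = Parser(tokenize(query_text)).parse()
    return [r for r in records if evaluate(tree, r)]


if __name__ == "__main__":
    for q in ["query=domain.com", "(source='Infoblox Endpoint' OR source=\"example 1\") AND device=52.123*"]:
        print(q, "->", [r["query"] for r in search(q)])
```

Two behaviours worth noting when reading the output: query=domain.* does not match office.domain.com, because a wildcard turns the comparison into a prefix match and the subdomain rule only applies to a plain value; and a query written without whitespace around AND (for example query=domain.*AND device=...) is rejected, because the bare value swallows the operator.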


call-out C

Filters: The filters that can be applied to a historical data report. The following filters are supported for creating and running a Security Activity historical data report:

  • Action: The configured action for the security rule. This can be Allow, Block, Log, or Redirect.

Image: The Actions pane displaying options.

  • Confidence: The threat confidence score assigned to an indicator. This can be High, Medium, or Low.


Image: The Confidence pane displaying options.

  • Feed: The list of threat feeds against which the malicious hit was triggered.


Image: The Threat Feeds pane displaying options.

  • Class: The threat intelligence feeds, such as Phishing and MalwareC2DGA.


Image: The Classes pane displaying options.

  • Level: The threat level for the malicious hit. This can be High, Medium, Low, or Info.


Image: The Levels pane displaying options.

  • Policy: Active security policies.


Image: The Policies pane displaying options.

  • Source: The location and type of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. To specify the types of records you want to view, select or clear the available options. When you filter by source, the filter drop-down shows no more than 10 sources; a search option is available to find others. Click Clear, or click the clear icon, to remove the search parameters from the search field. The Source filter is populated from the past 30 days of data and does not depend on the time selection.
  • Show: To filter a Security Activity historical data report by time and date, choose an option from the Show drop-down menu:
    • 1 hour (default time period)
    • 24 hours
    • 48 hours
    • 7 days
    • 1 month
    • Custom: any time span from the past 60 days

Image: The date/time calendar used to define a custom reporting period.  

call-out D

Save: Click Save to save a created report of historical data, including the applied filter and data criteria. In the Name field, provide a unique name for the new Security Activity historical data report, then click Save & Close. To verify that the report has been created, click Load and check the list of created reports in the panel on the left. Alternatively, click Cancel to discard the report without saving it.

 
Image: The Add a Name pane. 

The name of the created report should appear on the list shown in the panel on the left side of the report window. 

Image: The Load Reports (Created Reports) pane.