
Devices

The Devices tab includes all security data associated with devices assigned to a policy on your network. You can view the assets identified from your network traffic. To export the All Devices table data in CSV format, click Export. The default file name is security-activity_devices.csv. Exported data is limited to 10,000 records.

Performing Search Queries

The search feature supports queries written in the integrated search query language, which lets you search all records in the Devices report with customized queries. Using the search query options available in the Devices report, you can:

  • Run a search on any of the following fields:
    • ACTION
    • CLASS
    • DEVICE NAME
    • DHCP FINGERPRINT
    • DNS VIEW
    • FEED
    • MAC ADDRESS
    • OS VERSION
    • POLICY
    • PROPERTY
    • QUERY
    • QUERY TYPE
    • RESPONSE
    • SOURCE
    • USER
    • THREAT_CONFIDENCE
    • THREAT_LEVEL
  • Use the = (equals) and != (NOT) operators.
  • Use the AND and OR operators.
  • Use single or double quotes to enter values that contain spaces.
  • Use parentheses to group parts of a search.
  • Use the wildcard symbol (*) as the last character of a search value for a partial (prefix) match.
  • Press ENTER to apply the search.
  • Press TAB to autocomplete the search with the first available suggestion.

Sample Search Queries

The following are search query examples:

  • query=domain.* AND device=52.123*
  • device=office.1.domain.com OR device=office2.domain.com
  • dns_view=example-view AND query_type=A
  • (source='Infoblox Endpoint' OR source="example 1") AND device=52.123*

    Searches on the query field match by subdomain. For example, query=domain.com matches 'domain.com', 'office.domain.com', and 'space.office.domain.com'.

Note

All search values are case sensitive. A maximum of five operators can be used when constructing a query search.
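The search rules above (=, !=, AND, OR, parentheses, quoted values, a trailing * wildcard, subdomain matching on the query field, case-sensitive values and the five-operator limit), as an added example that is not part of the Infoblox documentation or product: a small Python matcher that applies a query to rows of an exported security-activity_devices.csv, which is useful for checking a query offline or re-running the same filter over an export. Assumed, because the page does not say: AND binds tighter than OR; query field names are written lowercase with underscores, as in the sample queries; the five-operator limit counts =, !=, AND and OR together; a field missing from a row compares as the empty string. The portal's real parser may differ on these points. The sample CSV is constructed for the example.

```python
"""Reference matcher for the Devices search-query syntax described above.
Added example for this page, not Infoblox code. Assumed because the page does
not say: AND binds tighter than OR; query field names are lowercase with
underscores as in the samples; the five-operator limit counts =, !=, AND and OR."""
import csv
import io
import re

MAX_OPERATORS = 5
SUBDOMAIN_FIELDS = {"query"}  # page: query=domain.com also matches sub.domain.com
TOKEN_RE = re.compile(
    r"(?P<lp>\()|(?P<rp>\))|(?P<op>!=|=)|(?P<kw>AND|OR)\b"
    r"|'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>[^\s()=!'\"]+)"
)

def tokenize(query):
    """Split a query into (kind, text) tokens; quotes protect spaces in values."""
    tokens = []
    for m in TOKEN_RE.finditer(query):
        kind = m.lastgroup if m.lastgroup in ("lp", "rp", "op", "kw") else "str"
        tokens.append((kind, m.group(m.lastgroup)))
    if TOKEN_RE.sub("", query).strip():  # leftovers: a stray '!' or an unclosed quote
        raise ValueError(f"unrecognised characters in query: {query!r}")
    return tokens

class Parser:
    # expr := term (OR term)* ; term := factor (AND factor)*
    # factor := '(' expr ')' | FIELD ('=' | '!=') VALUE ; AST nodes are tuples
    def __init__(self, tokens):
        self.toks, self.i, self.operators = tokens + [("end", "")], 0, 0

    def take(self, kind):
        tok = self.toks[self.i]
        if tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok[1]!r}")
        self.i += 1
        return tok[1]

    def parse(self):
        tree = self.expr()
        if self.toks[self.i][0] != "end":
            raise ValueError(f"unexpected {self.toks[self.i][1]!r} after end of query")
        if self.operators > MAX_OPERATORS:
            raise ValueError(f"{self.operators} operators used, maximum is {MAX_OPERATORS}")
        return tree

    def expr(self):
        return self.chain("OR", lambda: self.chain("AND", self.factor))

    def chain(self, keyword, sub):
        node = sub()
        while self.toks[self.i] == ("kw", keyword):  # left-associative AND / OR chain
            self.i += 1
            self.operators += 1
            node = (keyword.lower(), node, sub())
        return node

    def factor(self):
        if self.toks[self.i][0] == "lp":
            self.i += 1
            node = self.expr()
            self.take("rp")
            return node
        field, op, value = self.take("str"), self.take("op"), self.take("str")
        self.operators += 1
        return ("cmp", field.lower(), op, value)

def evaluate(node, record):
    """Evaluate an AST node against one record (dict of lowercased column -> value)."""
    if node[0] == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if node[0] == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    _, field, op, pattern = node
    actual = record.get(field, "")                 # values are case-sensitive
    if pattern.endswith("*"):                      # trailing * = prefix match
        hit = actual.startswith(pattern[:-1])
    elif field in SUBDOMAIN_FIELDS:                # domain.com matches a.domain.com
        hit = actual == pattern or actual.endswith("." + pattern)
    else:
        hit = actual == pattern
    return hit if op == "=" else not hit

def search(query, csv_text):
    """Run a query over the text of an exported CSV (e.g. security-activity_devices.csv)."""
    tree = Parser(tokenize(query)).parse()
    rows = [{k.strip().lower(): v for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(csv_text))]
    return [row for row in rows if evaluate(tree, row)]

# Constructed sample export, not real data; columns named as in the sample queries.
SAMPLE_CSV = """\
device,query,dns_view,query_type,source
52.123.4.5,office.domain.com,example-view,A,Infoblox Endpoint
office.1.domain.com,evil.example.net,example-view,AAAA,example 1
office2.domain.com,domain.net,other-view,A,On-Prem Appliance
52.123.9.9,domain.org,example-view,A,example 1
lab.domain.com,mydomain.com,example-view,TXT,Infoblox Endpoint
"""
```

Calling search("query=domain.com", SAMPLE_CSV) returns only the office.domain.com row: mydomain.com is not a subdomain of domain.com, which is the difference between the subdomain rule and a plain suffix check. A query such as a=1 AND b=2 AND c=3 AND d=4 is rejected before any row is read because it uses seven operators.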

Filtering the Devices Tab

To filter the All Devices table by specific criteria, select the applicable values from the following drop-down menus located below the top action menu:

  • Level: The threat level of the malicious hit: High, Medium, or Low.
  • Confidence: The threat confidence score assigned to the indicator: High, Medium, or Low.
  • Property: The nature of the threat. The portal includes all threat properties.
  • Class: The threat intelligence class associated with the targeted domain, such as Phishing, MalwareC2, or DGA.
  • Source: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. You can select which records to view by selecting or deselecting from among the options available.
  • OS: The operating system of the device.
  • Show: Security and activity events can be filtered by choosing an option from the Show drop-down menu.

    Note

    Depending on the availability of data records, not all filter options may be displayed.

The All Devices table displays the following columns. To narrow the view, select the applicable objects from the column drop-down menus:

  • DEVICE NAME: The name of the device that was in use when the event was triggered.
  • REQUESTS: The number of requests recorded for the device. Clicking the number in the REQUESTS column for a device name pivots off that record and displays all security events associated with the device name.
  • SOURCE: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device.
  • DHCP FINGERPRINT: Identifies IPv4 and IPv6 mobile devices such as laptop computers, tablets, and smartphones on your network. Because DHCP is broadcast-based and pervasive, DHCP fingerprint detection is an efficient way to perform system identification and inventory, and you can use it to track devices on your network. The fingerprint is inferred from the options a client sends in its DHCP requests, so it identifies a device type rather than an individual host, and a client that controls its own DHCP traffic can present any fingerprint it chooses.
  • OS/VERSION: The operating system and version of the device making the request.
  • MAC ADDRESS: The detected MAC address of the device.
  • USER: The user that triggered the hit. For remote offices, the portal displays Unknown for these users.
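How a DHCP fingerprint such as the one shown in the DHCP FINGERPRINT column is derived, as an added example that is not Infoblox code: a Python parser that walks the option field of a DHCP message (RFC 2131/2132 layout, with RFC 3396 concatenation of options split across several instances), extracts the client's Parameter Request List (option 55), and looks it up in an inventory table. It assumes the common convention, used by public fingerprint databases such as Fingerbank, of writing the fingerprint as the comma-separated option-55 list; the format and database Infoblox actually uses are not described on this page. The build_discover helper, the packets it produces and the KNOWN_FINGERPRINTS entries are constructed for the example. It also demonstrates the caveat above: option 55 is chosen by the client, so two hosts with different MAC addresses can present the identical fingerprint, and the label is an inference rather than proof.

```python
"""How a DHCP fingerprint is derived: an added example for this page, not
Infoblox code. Assumption: the fingerprint is the client's Parameter Request
List (option 55) as a comma-separated string, the convention used by public
fingerprint databases such as Fingerbank; Infoblox's own format may differ."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: marks the start of the options field
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PARAM_REQUEST, OPT_VENDOR_CLASS = 53, 55, 60

# Constructed illustrative entries only; a real database has thousands of rows.
KNOWN_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows workstation (illustrative)",
    "1,121,3,6,15,119,252,95,44,46": "Apple macOS/iOS (illustrative)",
}

def parse_dhcp_options(payload):
    """Return {code: data} for the options of a BOOTP/DHCP message (RFC 2131)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, pos = {}, 240
    while pos < len(payload):
        code = payload[pos]
        if code == OPT_PAD:          # single-byte padding, no length field
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 2 > len(payload) or pos + 2 + payload[pos + 1] > len(payload):
            raise ValueError(f"option {code} truncated at offset {pos}")
        length = payload[pos + 1]
        # RFC 3396: an option carried in several instances is concatenated
        options[code] = options.get(code, b"") + payload[pos + 2 : pos + 2 + length]
        pos += 2 + length
    return options

def dhcp_fingerprint(payload):
    """Comma-joined option-55 list, e.g. '1,3,6,15,...'; '' if the client sent none."""
    prl = parse_dhcp_options(payload).get(OPT_PARAM_REQUEST, b"")
    return ",".join(str(b) for b in prl)

def client_mac(payload):
    """chaddr from the fixed header, formatted for htype 1 (Ethernet), hlen 6."""
    hlen = payload[2]
    return ":".join(f"{b:02x}" for b in payload[28 : 28 + hlen])

def identify(payload):
    """(mac, fingerprint, label) as an inventory tool would record it.
    The client chooses option 55, so the label is an inference, not proof."""
    fp = dhcp_fingerprint(payload)
    return client_mac(payload), fp, KNOWN_FINGERPRINTS.get(fp, "unknown")

def build_discover(mac, param_request_list, vendor_class=b""):
    """Construct a minimal DHCPDISCOVER (test data, not a captured packet)."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6      # op=BOOTREQUEST, htype=Ethernet, hlen=6
    header[4:8] = struct.pack("!I", 0x3903F326)    # xid, arbitrary
    header[28:34] = bytes.fromhex(mac.replace(":", ""))
    options = bytes([OPT_MSG_TYPE, 1, 1])          # message type 1 = DHCPDISCOVER
    options += bytes([OPT_PARAM_REQUEST, len(param_request_list)]) + bytes(param_request_list)
    if vendor_class:
        options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    return bytes(header) + MAGIC_COOKIE + options + bytes([OPT_END])
```

Feeding identify() a packet built with the Windows-style request list returns the Windows label regardless of the MAC address it carries, which is exactly why the column is useful for inventory but not as an authentication signal; a payload without the magic cookie, or with an option whose declared length runs past the end of the packet, is rejected rather than silently fingerprinted.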

    Note

    You can enable and disable custom fields by clicking the icon located in the top right-hand corner of the table and selecting or deselecting the custom fields you want to view. All fields can be selected or deselected, or they can be returned to the default configuration by clicking Restore to default GRID setting.

Export Records

Click Export to download a CSV file of report records. The maximum number of exported Devices report records is 10,000.