
Security Activity Report

The Security Activity Report provides comprehensive security and traffic data for your network over a specified time period. The report includes data on redirecting, blocking, allowing, and interacting with security protections enforced through an Infoblox security policy. To view the Security Activity Report, navigate to the Reports section in the Infoblox Portal (Monitor > Reports > Security Activity). The default report displays a bar chart showing the distribution of malicious hits throughout your networks over the most recent one hour time span. The default report also lists detailed information about the respective threats detected in the Events table at the bottom of the report.


Reported Threat Classes and Properties


For information on the threat classes and properties reported, see the Infoblox Threat Classification Guide located in the Infoblox Portal (Monitor > Research > Resources > Classification Guide). To view the full guide without logging into the Infoblox Portal, see Infoblox Threat Classification Guide.

NOTE: Hover over the question mark icon on any of the report tabs to learn what data is displayed within the report.


Search Tool

The Search Tool is located above the Requests chart on the top, left-hand side of the page. The search data is pulled directly from the server. To use the search tool, paste or type your search terms into the search field. Alternatively, when you click in the search field and type the first few letters of your search query, an option menu listing popular search terms is displayed. A power search feature utilizing a new, powerful search query language is also supported.

Performing Search Queries

Using the search query language, you can search all records with customized queries. When you click the question mark icon located next to the search box, the Query Syntax resource window appears. The tool-tip provides sample search queries written in the new search query syntax. Using the sample queries provided, you can construct your own queries to better assist in your searches. Refer to the specific sub-report to view the search queries applicable for that report.

Traffic Reports by Type

At the top action bar, you can view security activity traffic interacting with Infoblox policy engines. The security activity traffic reports include the total number of Security Events (inclusive of all reports), DNS Firewall (data including Server, DFP, RPZ), Web Content (traffic filtering by specific categories), Threat Insight (including data exfiltration, activity, with device and users as pivots with user views), Devices (devices/assets on the network), Users (user names when detected), and information on the Source of reported traffic in your infrastructure. You can also get specific data associated with any one of these security activity report traffic types by clicking on its respective link. When you click a link, the corresponding overlay chart for the specific type of security activity report is displayed. For example, when you click Security Events, a chart depicting each security event is displayed, providing you with insight into the detected security events. This information can help you identify the top security events within your networks so you can take appropriate corrective actions. Note that the total number for each of these fields stays the same regardless of the filtering criteria you have configured for the report.

Time and Date Filtering

Clicking Show, located on the right-hand side of the page below the top Action bar, allows filtering of records by both time and date. The time period displayed can be modified from 1 hour to 1 month. Optionally, by selecting Custom and choosing From and To values, a custom time period can be chosen. Filtering is limited to 100 responses at a time. You can select a different time frame from the Show drop-down menu. Show options include the following:

  • 1 hour
  • 24 hours (default) 
  • 48 hours
  • 7 days
  • 1 month
  • Custom (limited to 31 days of data)

When Custom is selected, the following date/time filters appear, allowing further customization of the respective date and time.

  • From: When selected, a time dial and calendar appear where a time and date can be selected for the start time/date.
  • To: When selected, a time dial and calendar appear where a time and date can be selected for the end time/date.

Records Refresh

Clicking the refresh icon, located to the left of the time/date filtering tool, refreshes the records on the page without reloading the entire page and losing your in-place filters.

Charts

The chart displays all data collected for a specific security activity event type. Information in the Requests Chart reflects the activity type selected, along with the number of events detected during the span of time indicated in the chart. Each green-colored bar on the chart corresponds to a specific time interval within the chosen time span displayed. By rolling over each bar, the number of events, the time interval, and the date of the bar are displayed in a tool-tip window.

Table

The table, located below the chart, displays data collected for the selected security activity event type. The default layout is automatically loaded for viewing; however, the table can be customized by adding additional types of report information. To add additional information to a table, click the expandable menu icon to select and display from the other additional information types listed in the option window. By default, events are displayed in chronological order based on information contained within the Detected column. Each of the columns can be sorted or reverse-sorted by clicking on the header label for the column.

Located in the bottom-left corner of the table, the total number of table records is displayed. For instance, if there are 984 records available when unfiltered, then the table will display the following: Showing 984 of 984. If only 143 records are available after applying filters, then the table will display the following: Showing 143 of 984. The maximum number of records the UI can display is 10,000. Located in the bottom-right corner of the table, the number of pages of records is listed. You can click on a page link to view the records for that page.

Records Export

Click Export to export report data in CSV format. The maximum number of records available for export varies by report type. Refer to the table below for the maximum number of records available for export for each report type.

Report Type        Maximum Number of Records Available for Export
Security Events    50,000
DNS Firewall       50,000
Web Content        50,000
Threat Insight     10,000
Threat View        10,000
Source             10,000
Devices            10,000
Users              10,000
Insights           10,000

Details Panel

The details panel is located on the right-hand side of the Requests table. The details panel displays all information associated with a selected security activity event available in the table, but in a list format. The details panel is only viewable when there is additional information available that is not posted in the chart.

Security Activity Historical Data Reports

Security Activity Historical Data reporting offers the capability to access data that goes back beyond the usual 30-day limit. To access historical data, you can create custom historical data reports by configuring queries and filters according to your organization's specific requirements. These customized reports allow you to obtain the precise historical data you need. It's important to note that saved historical data reports will be retained for a maximum of 30 days, after which they will be automatically deleted from the system.

To navigate to Security Activity Historical Data reporting, on the Security Activity page, click Historical Data Viewer located in the top, right-hand corner of the Security Activity report page.  

For information on creating and running a historical data report, and viewing the report data, see Security Activity Historical Data Report.

Security Activity Report Descriptions

The following Security Activity Report tab descriptions provide more details specific to each report type: