
Viewing Insight Indicators

The SOC Insight Report Indicators tab provides a comprehensive view of the detected indicators associated with an Insight. It includes detailed information about each indicator such as the associated asset IP, user, and operating system. A maximum of 50 indicators is displayed. The tab also allows users to filter and search for specific indicators based on criteria like confidence, action, and actor. Additionally, users can export the indicator records as a CSV file or add them to a custom list for further analysis. The Indicators tab is a valuable tool for investigating and monitoring threats, providing insights into the earliest and most recent observation dates of each indicator.

Image: A detailed view of the SOC Insights - Viewing Insight Indicators dashboard used for managing SOC insights. The Viewing Insight Indicators dashboard is designed to enable users to analyze, document, and take action on cybersecurity threats, with robust data visualization and management tools.

The Dashboard


call-out A

Insight Summary: The Insight Summary includes a brief description of the Insight, including the type of threat associated with the Insight.


Priority Notification: The priority rating card displays the following information about the Insight:

  • Priority: The Insight's priority level (High, Medium, Low, or Info).
  • Date and time: The date and time of the Insight's first detection and of its most recent detection. All times are adjusted to the local time zone.

call-out C

Insight ID: Roll over the truncated Insight ID displayed on the page to view the full-length Insight ID number in a tooltip.

call-out D

Copy Insight: Click the copy icon to copy the insight to the clipboard.

call-out E

Edit insight: Click the edit icon to change the status of an insight. The Insight Change Status window will appear. In the window, you can change the Insight status from Insight Open to Insight Close or from Insight Close to Insight Open by toggling the status switch. Optionally, you can leave a comment in the text field at the time of the status change. You can also read prior comments associated with the Insight. Click Save & Close to complete the Insight status change. Note that the Save & Close button is not accessible (it is grayed out) until a status change has been made for the Insight.

Image: A detail view of the Edit Insight window. 

call-out F

Share & Export Options: Click Share & Export to share a selected Insight within your organization. The Share Insight window will appear, allowing you to choose any or all information associated with an Insight. Raw logs can be downloaded in zip format, while the Summary can be downloaded as a PDF by clicking Download.


Image: A detail view of the Share Insight window. 

call-out G

Select/Unselect: Click Select All to select all Asset records. Alternatively, click Unselect All to deselect all selected Asset records. To select a specific record, place a check in the box associated with it.  

call-out H

Collapse All / Expand All: Click Collapse All to collapse all records on the page. Click Expand All to expand all records on the page.

call-out I

Add to Custom List: Click Add To Custom List to add assets to a custom list. In the Add to Custom List window, you can select the custom list or lists to which the assets are added. You can also remove assets from a custom list or lists. Click Add to complete the Add to Custom List operation. For information on Custom lists, see Managing Custom Lists.

Image: A detail view of the Add to Custom List window. 

call-out J

Indicator Chart: The interactive indicator chart displays data about the asset including the date and time the events occurred, the number of events detected at a specific date and time, and the total number of events detected. Click on a data entry in the chart to view detailed information about events associated with the indicator.

call-out K

Infoblox Research Notes: Indicator research notes obtained from the Infoblox cybersecurity intelligence team. Click Research Indicator in Dossier to view the Dossier Summary report for the indicator.

call-out L

Indicator information: The indicator information includes the following:

  • Indicator: A description of the threat associated with the indicator along with its blocked/unblocked status. Click Asset IP to see information about the IP address, including the IP address or addresses associated with the asset and the date range (first observed detection date and last observed detection date) associated with the IP address.
  • Infoblox's Action/Notification: Provides information about the Insight along with recommended actions. If the action for the same Insight type is changed multiple times within one hour, then after one hour, only the latest action updated in the database will be applied to all the events that occurred during the past hour.
  • Assets: The number of protected assets associated with the insight.
  • Threat Level: The Infoblox threat level assigned to the threat (High, Medium, Low, or Info).
  • Confidence Level: The Infoblox confidence level assigned to the threat (High, Medium, Low, or Info). 
  • First Observation: The date and time the indicator was first observed on the network.
  • Last Observation: The date and time of the last observation of the indicator on the network.

call-out M

Search: Enter a search criterion in the Search text box. The Infoblox Portal will show all records that match the criterion.

call-out N

Total indicators: The number of indicators associated with the insight.

call-out O

Exporting Indicators/Adding Indicators to a Custom List:

  1. Click to complete one of the following tasks, followed by clicking one of the following options:
  2. Click Export to CSV to download the indicator record as a .csv file.

    Image: A detail view of Export to CSV or Add Indicator to the Custom List menu. 

  3. Click Add Indicator(s) to Custom List.
  4. In the Add to Custom List window, you can select the custom list or lists to which the indicator or indicators are added. You can also remove indicators from a custom list or lists. Click Add to complete the Add to Custom List operation.

    Image: A detail view of the Add to Custom List window. 


For information on Custom lists, see Managing Custom Lists.

call-out P

Expand/Close: Click the down-facing arrow icon to expand the details panel where you can view detailed information associated with the selected Insight. Click the up-facing arrow icon to close the details panel.

call-out Q

Filtering: Click the filter icon to open the filtering panel. The filtering panel provides the following filtering criteria:

  • Confidence: Confidence in the context of Insightful Reporting refers to the level of certainty or trustworthiness assigned to a threat or insight. It is a measure of how reliable the information is and how likely it is to be accurate. The confidence score can be assigned by the user and is used to determine the severity and priority of the threat.
  • Indicator: An indicator is a DNS detection and response (DDR) that represents a domain or IP address seen in the resolution chain of a query from a device. It provides valuable information about the associated asset IP, user, and operating system. The Indicator Definition helps users understand the meaning and significance of the indicators displayed in the Insight Reporting interface.
  • Action: Action is whether the indicator is Blocked or Not Blocked.
  • Actor: A DNS Threat Actor is an entity which controls the DNS (i.e., domain names, IP addresses, and other DNS record information) internet content and services. Typically, an actor is only distinguished when they control a number of domains and have persistent activity over time. A DNS Threat Actor is one using their infrastructure for nefarious purposes.


Image: A detail view of the filtering pane. 

Filtering can be performed using one or more filtering criteria. Multiple filters can be used simultaneously when filtering records.


You can also do the following on the page: 

  • Background Tasks: Click the hourglass icon to open the side panel to view a list of all running background tasks.

  • Search: Click the search icon in the Search text box, then enter your search criterion. 

  • Click <Back to Console of Insights to return to the Open Insights console.