
Viewing Threat Actor Insights


Threat actors can vary in motives, capabilities, and resources based on their goals and affiliations. Common types of threat actors include cybercriminals, hacktivists, state-sponsored actors, and insider threats. These threat actors employ a range of methods and tools to exploit vulnerabilities, steal data, disrupt operations, or inflict damage to their targets.  

Image: A detailed view of the Threat Actor dashboard, which provides a comprehensive view of threat actors observed on your network. The interface is divided into several sections with various functionalities. The dashboard provides tools that enable security analysts to monitor, analyze, and respond to threat actors in real time. It is designed to provide a quick overview while also allowing for in-depth analysis and immediate action against identified threat actors.

call-out A

Open/Closed: Click OPEN to view open insights. Click CLOSED to view closed Insights. 

call-out B

Threats/Configurations/Actors View: The Threats view is displayed by default on the Insights dashboard page and shows threat information about insights observed on your network. Click Configuration to view configuration information for insights. Click Actors to view information on threat actors on your network. Click Threats, Configuration, or Actors to toggle among the three views. Note: The Threats, Configurations, and Threat Actors pages are available on a license basis.

call-out C

Search: Enter a search criterion in the Search text box. The Infoblox Portal will show all records that match the criterion.

call-out D

Filtering: Click the filter icon to open and close the filtering panel. You can filter threat actors based on the actor name.

call-out E

Dashboard Reporting: The dashboard displays three cards, each showing information about the open insights reported on your network. The three cards display the following information:

  • Total Threat Actors: The total number of threat actors currently reported on your network.

  • Total Assets impacted: The total number of assets on your network affected by the presence of the threat actors. 

  • Total Threat Domains: The total number of threat domains on your network. 

call-out F

Threat Actor Highlights: This information card displays a choice of two charts:

  • Threat Types (default view): A chart of threat types observed on your network displayed in a list format. Click on the hyperlink associated with any one of the threat types listed on the chart to view its details. In the details window you can view the threat type's threat class and threat family.

    Image: The Threat Actor Highlights panel displaying a list of information about the threat actors observed on your network.

    Image: The Threat Actor Highlights details window displays the threat type's threat class and threat family.

  • Threat Actors: This donut chart provides numerical and percentage data on the specific threat actors observed on your network, in comparison to all other observed threat actors. By hovering over the colored sections of the donut chart, you can view the specific number and percentage of each threat actor type present on your network.

    Image: The Threat Actor Highlights panel displaying information about the threat types observed on your network.

call-out G

Sort by: Click Sort by to see the list of threat actors sorted by threat actor name.

call-out H

Insight Settings: Click Insight Settings to open the Insight Settings pane. In the Insight Settings pane, actions can be assigned to Insight types. If the action for the same Insight type is changed multiple times within one hour, then after one hour, only the latest action updated in the database will be applied to all the events that occurred during the past hour. The following information is available in the pane:

  • INSIGHT TYPE: The type of Insight. Options include
    • DNS Tunneling
    • NXDomain
    • Open Resolver
    • Outlier
    • Lookalike Threat
    • Spear Phishing
    • DGA
    • Major Attack
    • Zero Day DNS
  • ACTIONS: Actions can be assigned to Insight types. Action options which can be applied include Nothing, Add to Allow List, and Add to Block List. If the action for the same Insight type is changed multiple times within one hour, then after one hour, only the latest action updated in the database will be applied to all the events that occurred during the past hour.


Image: The Insight Settings window. 

call-out I

Selecting threat actors: Place a check in the checkbox next to a threat actor to select it. You can select multiple threat actors by placing checks on the checkboxes associated with the desired threat actors. 

call-out J

Details Pane (default and expanded view): The Details pane displays information about the threat actors on your network. The default details panel view displays the threat actor name, the insight creation and the last observed dates and times, and a clickable link to investigate the insight. 

Image: The default view of the Details pane.

In addition to the threat actor information displayed in the default view of the details pane, the expanded pane also includes the following information:

  • Interactive chart: An interactive chart showing the dates of detection for the threat actor. In the top right corner of the chart, the total number of events that correlate to the threat actor over the entire time span is displayed.
  • Description: A brief description of the threat actor.
  • Assets Affected: The number of assets on the network affected by the threat actor.
  • Indicators Associated: The number of indicators associated with the threat actor.
  • Associated Threat Types: The number of threat types associated with the threat actor.


Image: The expanded view of the Details pane.

call-out K

Last observation and first observation dates and times: The last and first dates, including the time of day, on which the threat actor was observed.


call-out L

Investigate Insight: Click Investigate Insight to view the Insight Summary, Assets, Indicators, Events, Comments, and Threat Categories pages. Each page displays important information about insights detected on your network.

call-out M

Expand/Close: Click the down-pointing arrow icon to expand the details panel, where you can view detailed information associated with the selected Insight. Click the up-pointing arrow icon to close the details panel.

Triggered Events (applicable to specific DNS tunneling insights only)

SOC Insights provides information on DNS tunneling insights. When this scenario occurs, a triggered event is reported as part of the summary report. The information contains all pertinent facts about the detection, including what was triggered and why. In the screenshot below, the information about the triggered event is displayed in the purple-colored box located in the bottom left-hand corner of the UI screen. For more information, see Viewing Insight Summary.

Image: The SOC Insights Summary page displaying triggered events and why the event was detected.

You can also do the following on the page: 

  • Background Tasks: Click the hourglass icon to open the side panel and view a list of all running background tasks.

  • Search: Click the search icon in the Search text box, then enter your search criterion. 

  • Pagination Controls: At the bottom left, there are controls for navigating through the pages of insights when more data is available than is displayed on the current page. Click the number of insight records to display per page. The options are 25, 50, or 100.