This blog discusses the report #6 in a series of seven top security reports that can help you defend against bad actors.
Infoblox Out-of-the-Box Report Threat Protection – Top Rules by Source
This report lists the top source IP addresses that trip each threat rule as identified through ADP threat intelligence. For network teams, this report gives visibility to which devices on the network are doing bad things or impacting network performance, so you can take corrective action like shutting-off the port or removing the device from the network. For security teams, it provides visibility when there is trouble on the network, so the admin can intervene with the system manager, initiate a virus scan, or pursue a variety of other actions. It also enables admins to tune the threat rule thresholds for which traffic they want to allow or block. A typical security use case is when an admin suspects that a client device is infected with malware, and they need to conduct a forensic investigation to determine what the malware is doing within the DNS infrastructure and determine the malware attack methodology and frequency.
|Top Report #6: Threat Protection
Top Rules by Source
|Service Area||Infrastructure Protection|
|Purpose||Lists the top source IPs hitting each threat rule|
|Primary User||Network & Security Admins|
|Importance||Identifies clients that are attacking the server the most & the rules they trigger, & enables admins to tune rule thresholds better|
|Use Case||A security admin knows a client is infected by malware, but to drill deeper into malware forensics, this report shows the malware attack methodologies and frequencies|
|Available||Out-of-the-box & requires Advanced Data Protection (ADP)|
This report is accessed through the security dashboard and requires ADP. It includes filters for time, top number of rules, a counter, members, source IP address, rule names, source port and viewing options by bar chart, table or both. The report then displays the source IP, the number of logged events associated to that IP, the top security rules by name that were violated, and when they last tripped those rules. This provides the visibility and forensic capability needed to identify bad actors, see what they’re doing, the security rules they’re breaking and the impacts they’ve had on the network, so the admin can modify the rules and take quick, corrective action.
Here are the seven (7) security reports that can give you an edge over the bad actors.
- Top Security Report #7: DNS Top NXDOMAIN – NOERROR
- Top Report #6: Threat Protection – Top Rules by Source
- Top Report #5: Top Malware & DNS Tunneling by Client
- Top Report #4: Tunneling Traffic by Category
- Top Report #3: DNS Top Tunneling Activity
- Top Report #2: Malicious Activity by Client
- Top Report #1: DNS Top RPZ Hits
- Join the Infoblox Reporting & Analytics Technical Demo Series to continue the discussion in the free webinar on 7/17, 2018, 9A PDT, 12P EDT, 5P BST. Register
- As an existing Infoblox DDI customer, you can deploy a virtual Infoblox Reporting & Analytics appliance free of charge — no strings attached. Download and try the Reporting & Analytics Free Tier today.