This document describes the reporting features of ThreatSTOP's DNS Defense.

Overview

ThreatSTOP DNS Firewall Reporting focuses on delivering high-quality easily understood reports to Network Administrators and Security Professionals. This allows for rapid evaluation and remediation of threats to a network. The bulk of this process is controlled through a selection of filters that ring down as the user moves through the data.

Filters

Basic filter functions are:

  • Date Range: This is the period that the report covers. Available values are:
    • Last 24 Hours
    • Last 7 Days
    • Last 30 Days Custom ranges can be declared by clicking in the Start Date or End Date fields and selecting from a calendar pop-up. Or, dates and times may be entered using an MM/DD/YY HH:MM:SS format.
  • Severity: The severity level of the threat recorded, threat levels break down into five levels in order of increasing severity. Severity levels are described here
  • Devices: Contains a list of firewall devices associated with your account. This can help limit the returns to a specific firewall device.
  • Client IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting.
  • Target Groups: Limits the returned Targets to the selected types.
  • Queried Name: Can search for a domain name in the log files.
  • Action Taken: Limits results based on what actions were taken with the network traffic.
    • Blocked (NXDOMAIN): Network traffic is blocked with a “no such domain” error.
    • Blocked (NODATA): Network traffic is blocked with no data regarding the domain’s existence.
    • Blocked (DROP): Network traffic is dropped, with no information provided to the requesting service.
    • Pass-Through: Network traffic may access the requested system.
    • Redirected: Network traffic is that have been pointed to a different location such as a Walled Garden.
  • Advanced Target Settings:
  • Only targets present in policy: This filter will limit the returned results to only those targets in the current policy, and does not include returns from lists not included in the chosen policy.
  • Trigger type: Includes targets based on the action that triggered the firewall to take an action.
    • QNAME: the Qualified Name (QNAME) matches an entry in the RPZ.
    • NSDNAME: the Name Server Domain Name (NSDNAME) matches an entry in the RPZ.
    • RPZ-IP: the Response Policy Zone (RPZ) requested matches an entry in the RPZ.
    • NSIP: Name Server IP address (NSIP) matches and entry in the RPZ.
  • Policies: Limits returned data to the policy selected.

After setting the desired parameters to limit the data being returned by the reporting system, clicking Apply Filter will apply the filters to the returned results, this will then update the report with data that matches the selected criteria. If applied filter values are no longer of use, they can be returned to the default state by clicking Reset.

Report types

Dashboard

The Dashboard screen summarizes the number of requests for severity, the machines in each severity, and the request types for each threat group recorded by the firewall. It also introduces filters to limit the data returned by the report. After selecting the base filter parameters as denoted in the overview, bar graphs showing returns for the result types will appear:

  • Number of requests for each Severity: cumulative result, based on your filter settings, for the number of threats documented by severity level.
  • Number of machines for each Severity: number of devices with reported connection attempts.
  • Number of requests for each Threat Group: number of Threat Types attempting to make a connection using your network.

Threat Summary

The Threat Summary screen is brought up either by selecting it from the RPZ Reports drop-down or by clicking on a results bar in the Dashboard. Across the top of the screen, a bar graph will appear with a visual representation of the cumulative attacks classed as each Severity level.

This report breaks down the count of connection attempts per severity level, from five (the most critical) to any User Defined threats. Each connection type is noted and the number of connection attempts made. The breakdown is provided in an accordion list, any severity levels that do not return results will appear collapsed, while severity levels that return results will list them with the following data:

  • Threat Severity: How questionable the target is. Severity 5 threats are listed at the top, and the Severity 0 are listed at the bottom.
  • Target: Threat List entry associated with the URI being accessed. In our example, a botted computer attempted to access a URI associated with DCNC - BOTNET DOMAINS.
  • Matches: number of times a device attempted to access the associated URI. Staying with our example the machine(s) attempted to access the URI associated with DCNC - BOTNET DOMAINS 2,178 times.

Clicking on the line associated with the threat you want to investigate will drill down to the Report Details, this will open a list of, up to, 5,000 connection attempts to the Target clicked on.

Client IP Summary

The Client IP Summary breaks down threats as they were seen by client IP addresses. These are then refined by severity level, cumulative communications for that severity level, then by the Target type and number of communication attempts for each target type.

The bar graph shows threats by severity in least-to-worst order. Severity Zero threats are always displayed on top, and severity Five threats are always displayed on the bottom. The listed breakout is displayed in an identical fashion. Clicking on a severity will display the Report Details screen, for only the threats in that severity level. Clicking a threat will display all entries for attempts to connect to threats in the target.

The fields returned by this report are:

  • IP Address: listing for the device that made the request. This device will have attempted to communicate with an FQDN in the target list.
  • Threat Severity: How questionable the target is. User-Defined targets are listed first, with the worst offenders (Severity 5) listed at the bottom.
  • Threat Target: The target type that the device was attempting to communicate with, the potential target types and their severity can be seen in DNS Firewall Reporting.
  • Connection Attempts: The number of times a single device in the filter attempted to communicate with a threat target.

Combined Summary

Similar to the Client IP report, the Combined Summary report returns all recorded communications by all clients. The bar graph is laid out in an identical fashion to the Client IP report, with the highest Severity issues on the bottom, and the lowest priority at the top. The primary difference is in the report itself. The report is not broken down by individual IP address instead, the displayed results are the cumulative result of all devices in the report that match the chosen criteria. These results can then be drilled down into which will bring up the Report Details screen, allowing the individual devices making these communication attempts to be viewed.

Fields displayed for the report include:

  • Threat Severity: How questionable the target is. Severity 5 are listed at the top, and Severity 0 are listed at the bottom.
  • Threat Target: The target type with which the device was attempting to communicate.
  • Connection Attempts: The number of times all devices in the filter attempted to communicate with a threat target.

Date Summary

The DNS Date Summary shows communications attempts based on the date and Severity level of the communications. The report itself shows the number of communication attempts, the date of the attempts, and the severity level with each higher severity level having a brighter shade of red. These settings can increase the resolution of the returned results:

  • Date Summary Reporting Period: Adjusts how fine-grained the returned results are, available values are:
    • Hourly: Shows communications attempts by the hour and day.
    • Daily: Shows communications attempts for the day.
    • Weekly: Shows communications attempts for the week.
    • Monthly: Shows communications attempts for the month.
  • Inbound/Outbound: This switch returns results based on the direction the traffic was flowing, into the network or out of the network respectively.

The reports themselves contain the following data:

  • A timestamp showing the date and time a communication was made. This is up to the nearest hour with hourly reports.
  • Below this the returned values are processed out by severity level and the number of connection attempts for that severity.

Top 20 IOCs

Threat Severity: How questionable the target is. Severity 5 are listed at the top, and Severity 0 are listed at the bottom. Threat Target: The target type with which the device was attempting to communicate. Connection Attempts: The number of times all devices in the filter attempted to communicate with a threat target.

This report returns the 20 most frequently detected IOCs for the selected time period. The bar graph at top is sorted by the most frequently encountered IOCs, descending from left to right. The report is broken down by IOC, threat severity and threat target. The results can then be drilled down into which will bring up the Client IP Summary report (described above), allowing the individual devices that have made these communication attempts to be viewed.

Fields displayed for the report include:

  • Threat Severity
  • Target
  • Connection Attempts: The number of times all devices in the filter attempted to resolve a domain associated with a target.

Report Details

This report establishes details about the devices attempting to connect to a threat, 50 entries at a time, with up to 5,000 total threats displayed for a filter set.

Data is broken up into columns and displayed in a tabular format, columns displayed can be controlled using the Columns button. The data can be sorted by clicking the column header. This will reprioritize the order that data is provided.

The settings are available, columns not turned on by default are noted:

  • Time: Date and time a connection attempt to the requested FQDN was made. This is displayed in this format: YYYY-MM-DD HH:MM:SS Device: Nickname of the device that processed the request.
  • Client IP: IP Address of the Client that made the FQDN request. Devices listed here should be taken down for remediation. This is a default setting.
  • FQDN Requested: The URI for the FQDN the system was attempting to contact.
  • Action: The action performed by the device, these can be one of four default settings or several custom settings as provided by Policies & Lists > RPZ Behaviors default behaviors include:
    • NXDOMAIN: Reply to the query indicated that the domain does not exist.
    • NODATA: Reply to the query indicated the record does not existing.
    • PASSTHRU: Request was whitelisted and allowed to be made.
    • DROP: No reply was made to the query.
  • Cause: The reason the action was taken, can be one of two reasons:
    • QNAME: The FQDN is listed in the RPZ zone.
    • IP: One of the IP addresses in the response is listed in the RPZ zone.
  • Record: Contains the FQDN, or IP address that caused the DNS query to match.
  • Targets: Details which targets the record is listed in.
  • ID: This is a hash of the log line in the report. This is used for diagnostic purposes, and may occasionally be requested by ThreatSTOP Support.

The returned results can be exported in a CSV file by clicking on the Export to CSV button. This will compile the results into a Comma Separated Value (CSV) file that can be processed by most spreadsheet programs.

DNS Email Reports

Email reporting for both DNS and IP firewalls is covered in our Email Reports article.