Reporting for ThreatSTOP Roaming Devices focuses on delivering high-quality, easily understood reports to network administrators and security professionals, allowing rapid evaluation and remediation of threats to a network. Most of this process is controlled through a selection of filters that progressively narrow the data as the user drills down through it.
Basic filter functions are:
- Date Range: The time period that the report covers. Available values are:
  - Last 24 Hours
  - Last 7 Days
  - Last 30 Days
  Custom ranges can also be used by clicking in the Start Date or End Date fields and selecting from a calendar pop-up. Alternatively, the dates and times may be entered in these fields using the MM/DD/YY HH:MM:SS format.
- Severity: The severity level of the recorded threat. Threat levels break down into five levels in order of increasing severity.
- Devices: Contains a list of firewall devices currently associated with your account. This can help limit the returns to a specific firewall device.
- Client IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting to the given address range.
- Target Groups: Limits the returned Targets to the selected types.
- Queried Name: Can be used to search for the existence of a domain name in the log files.
- Action Taken: Limits results based on the action taken with the network traffic:
  - Blocked (NXDOMAIN): Network traffic is blocked with a “no such domain” error.
  - Blocked (NODATA): Network traffic is blocked with no data returned regarding the domain’s existence.
  - Blocked (DROP): Network traffic is dropped, with no information provided to the requesting service.
  - Pass-Through: Network traffic is allowed to pass through to the requested system.
  - Redirected: Network traffic is pointed to a different location, such as a walled garden.
- Advanced Target Settings:
  - Only targets present in policy: Limits the returned results to targets in the current policy, excluding returns from lists that are not included in the chosen policy.
  - Trigger type: Includes targets based on the RPZ match that triggered the firewall to take an action:
    - QNAME: the Qualified Name (QNAME) matches an entry in the RPZ.
    - NSDNAME: the Name Server Domain Name (NSDNAME) matches an entry in the RPZ.
    - RPZ-IP: the IP address in the response (RPZ-IP) matches an entry in the RPZ.
    - NSIP: the Name Server IP address (NSIP) matches an entry in the RPZ.
- Policies: Limits returned data to the policy selected.
After setting the desired parameters to limit the data returned by the reporting system, clicking Apply Filter applies the filters to the returned results and updates the report with data that matches the selected criteria. Filter values that are no longer needed can be returned to the default state by clicking Reset.
Some reports will also display a Save/Edit email report button below the filter settings. See Email Reports for more information.
As filters are changed, a box labeled Filter Information appears at the top of the filter stack. This box shows how many records the current filter set will return; smaller returns display faster. It is also helpful when building a filter strategy for the results shown in the Report Details section.
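The filters described above can be modelled directly. The following is an added example, not ThreatSTOP's code: it applies Date Range (in the MM/DD/YY HH:MM:SS form used by the Start/End Date fields), Client IP (CIDR or a longhand form), Action Taken, Trigger type and Queried Name filters to a set of constructed records, and returns the record count the Filter Information box would display. The record layout, field names and sample values are assumptions made for the example, as is the interpretation of "longhand" as either a dotted netmask or a first-last address range.

```python
"""Filter model for ThreatSTOP-style Roaming Devices report records.

Added example, not ThreatSTOP's code: it reproduces the Date Range,
Client IP, Action Taken, Trigger type and Queried Name filters over
constructed records and returns the count the Filter Information box shows.
"""
import ipaddress
from datetime import datetime

# Constructed sample records (not real log data). Field names follow the
# filter and column names in the documentation; values are invented.
RECORDS = [
    {"time": "2024-03-01 08:15:02", "client_ip": "10.0.1.25",
     "qname": "bad.example.test", "action": "NXDOMAIN", "trigger": "QNAME"},
    {"time": "2024-03-02 12:40:11", "client_ip": "10.0.2.7",
     "qname": "cdn.example.test", "action": "PASSTHRU", "trigger": "QNAME"},
    {"time": "2024-03-03 23:59:59", "client_ip": "10.0.1.200",
     "qname": "c2.example.test", "action": "DROP", "trigger": "NSIP"},
    {"time": "2024-03-05 01:00:00", "client_ip": "192.168.5.9",
     "qname": "bad.example.test", "action": "NXDOMAIN", "trigger": "RPZ-IP"},
]


def parse_ui_datetime(text):
    """Parse the MM/DD/YY HH:MM:SS form typed into the Start/End Date fields."""
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")


def parse_record_time(text):
    """Parse the YYYY-MM-DD HH:MM:SS form used in the Report Details Time column."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def client_range_matcher(text):
    """Build a predicate for the Client IP filter.

    Accepts CIDR ("10.0.1.0/24"), a dotted netmask ("10.0.1.0/255.255.255.0"),
    or a hyphenated first-last range ("10.0.1.0-10.0.1.100"). Which of these
    the product means by "longhand" is an assumption of this example.
    """
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return lambda ip: first <= ipaddress.ip_address(ip) <= last
    network = ipaddress.ip_network(text, strict=False)  # host bits are tolerated
    return lambda ip: ipaddress.ip_address(ip) in network


def apply_filters(records, start=None, end=None, client_range=None,
                  actions=None, triggers=None, queried_name=None):
    """Return the records matching every filter that is set (None = not set)."""
    start_dt = parse_ui_datetime(start) if start else None
    end_dt = parse_ui_datetime(end) if end else None
    in_range = client_range_matcher(client_range) if client_range else None
    matched = []
    for rec in records:
        when = parse_record_time(rec["time"])
        if start_dt and when < start_dt:
            continue
        if end_dt and when > end_dt:  # End Date is treated as inclusive
            continue
        if in_range and not in_range(rec["client_ip"]):
            continue
        if actions and rec["action"] not in actions:
            continue
        if triggers and rec["trigger"] not in triggers:
            continue
        # Queried Name: case-insensitive search for the name in the logged query
        if queried_name and queried_name.lower() not in rec["qname"].lower():
            continue
        matched.append(rec)
    return matched


def filter_information(records, **filters):
    """Record count the Filter Information box shows for the current filter set."""
    return len(apply_filters(records, **filters))


if __name__ == "__main__":
    print(filter_information(RECORDS, start="03/01/24 00:00:00",
                             end="03/03/24 23:59:59", client_range="10.0.0.0/16",
                             actions={"NXDOMAIN", "DROP"}))
```

Each filter only narrows the set when it is given a value, which mirrors the UI: an untouched filter contributes nothing, and Reset corresponds to calling `filter_information(RECORDS)` with no arguments.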
The Dashboard screen gives an overview of the number of requests for each severity, the number of machines listed in each severity, and the number and type of requests for each threat group recorded by the firewall. It also introduces filters to limit the data returned by the report. After selecting the base filter parameters as described in the overview, a series of bar graphs showing results for the following result types will appear:
- Number of Requests for each Severity: cumulative result, based on your filter settings, for the number of threats documented by severity level.
- Number of Machines for each Severity: number of devices that have reported connection attempts in the reporting.
- Number of Requests for each Threat Group: number of Threat Types attempting to make a connection using your network.
The Threat Summary screen is brought up either by selecting it through the RPZ Reports drop down, or by clicking on a results bar in the Dashboard. Across the top of the screen a bar graph will appear with a visual representation of the cumulative amount of attacks classed into each Severity level.
This report breaks down the total number of connection attempts per severity level, from five (the most critical) down to any User Defined threats. Each connection type is noted, as well as the number of connection attempts made. The breakdown is provided in an accordion list: any severity levels that do not return results appear collapsed, while severity levels that do return results list the results with the following data:
- Threat Severity: How questionable the target is. Severity 5 threats are listed at the top, and Severity 0 threats at the bottom.
- Target: The Threat List entry that has been associated with the URI being accessed. In our example, a botted computer attempted to access a URI associated with DCNC - BOTNET DOMAINS.
- Matches: The number of times a device attempted to access the associated URI. Staying with our example, the machine(s) attempted to access the URI associated with DCNC - BOTNET DOMAINS 2,178 times.
Hardware ID Summary
The Hardware ID Summary breaks down threats seen by each endpoint. These are then refined by severity level, cumulative communications for that severity level, then by the Target type and number of communication attempts for each target type. The bar graph at top shows threats by severity in least-to-worst order. That is, severity zero threats are always displayed on top, and severity five threats are always displayed on the bottom. The listed breakout is displayed in an identical fashion. Clicking on a given severity will display the Report Details screen, for only the threats in that severity level. Clicking a threat will display all entries for attempts to connect to threats in the given target.
The fields returned by this report are:
- Hardware ID: listing for the device that made the request. This device will have attempted to communicate with a FQDN in the target list.
- Threat Severity: How questionable the target is. User-Defined targets are listed first, with the worst offenders (Severity 5) listed at the bottom.
- Threat Target: The target type that the device was attempting to communicate with; the potential target types and their severity can be seen in DNS Firewall Reporting.
- Connection Attempts: The number of times a single device in the filter attempted to communicate with a threat target.
Similar to the Client IP report, the Combined Summary report returns all recorded communications by all clients. The bar graph at top is laid out in an identical fashion to the Client IP report, with the highest Severity issues on the bottom and the lowest priority at the top. The primary difference is in the report itself: it is not broken down by individual IP address; instead, the displayed results are the cumulative result of all devices in the report that match the chosen criteria. These results can then be drilled down into, which brings up the Report Details screen, allowing the individual devices that made these communication attempts to be viewed.
Fields displayed for the report include:
- Threat Severity: How questionable the target is. Severity 5 threats are listed at the top, and Severity 0 threats at the bottom.
- Threat Target: The target type with which the device was attempting to communicate.
- Connection Attempts: The number of times all devices in the filter attempted to communicate with a threat target.
The DNS Date Summary shows communication attempts based on the date and Severity level of the communications. The report itself shows the number of communication attempts, the date of the attempts, and the severity level, with each higher severity level shown in a brighter shade of red. The following settings can be applied to increase the resolution of the returned results:
- Date Summary Reporting Period: Adjusts how fine-grained the returned results are. Available values are:
  - Hourly: Shows communication attempts by the hour and day.
  - Daily: Shows communication attempts for a given day.
  - Weekly: Shows communication attempts for a given week.
  - Monthly: Shows communication attempts for the month.
- Inbound/Outbound: This switch returns results based on the direction the traffic was flowing, into the network or out of the network respectively.
The reports themselves contain the following data: a time stamp showing the date and time a communication was made (to the nearest hour in the case of hourly reports). Below this, the returned values are broken out by severity level and the number of connection attempts for that severity.
Top 20 IOCs
This report returns the 20 most frequently detected IOCs for the selected time period. The bar graph at top is sorted by the most frequently encountered IOCs, descending from left to right. The report is broken down by IOC, threat severity and threat target. The results can then be drilled down into, which brings up the Hardware ID Summary report (described above), allowing the individual devices that made these communication attempts to be viewed.
Fields displayed for the report include:
- Threat Severity
- Connection Attempts: The number of times all devices in the filter attempted to resolve a domain associated with a target.
The Report Details screen lists details about the device(s) attempting to connect to a threat, 50 entries at a time, with up to 5,000 threats in total displayed for a given filter set.
Data is broken up into columns and displayed in a tabular format; the columns displayed can be controlled using the Columns button. Additionally, the data can be sorted by clicking a column header, which reorders the data as it is presented to the user.
The following columns are available; columns that are not turned on by default are noted:
- Time: Date and time a connection attempt to the requested FQDN was made. This is displayed in the following format: YYYY-MM-DD HH:MM:SS
- Device: Nickname of the device that processed the request.
- Client IP: IP address of the client that made the FQDN request. Devices listed here should be taken down for remediation as soon as possible. This column is displayed by default.
- FQDN Requested: The URI for the FQDN the system was attempting to contact.
- Action: The action performed by the device. This can be one of four default actions, or one of a number of custom actions as provided by Policies & Lists > RPZ Behaviors. The default behaviors are:
  - NXDOMAIN: Returns a message saying that this domain does not exist.
  - NODATA: Returns no data to inquiries about the domain’s existence.
  - PASSTHRU: Packets from domains associated with this rule will be allowed to communicate with services inside your network.
  - DROP: Packets from domains associated with this rule will receive no response. The data is simply dropped, and your network appears to be down or otherwise invisible from the attacker’s perspective.
- Cause: The reason the action was taken. This can be one of two reasons:
  - QNAME: The FQDN is listed in an RPZ threat list.
  - IP: The IP address associated with the domain is known to host malicious attacks.
- Record: Contains the FQDN or IP address that the client device attempted to reach.
- Targets: Details which Threat Intelligence list the Target is listed in.
- ID: This is a hash of the log line in the report. It is used for diagnostic purposes, and may on occasion be requested by ThreatSTOP Support.
The Device and ID columns are not displayed by default, but may be enabled through the Columns button.
Additionally the returned results can be exported in a CSV file by clicking on the Export to CSV button. This will compile the results into a Comma Separated Value (CSV) file that can be processed by most spreadsheet programs.
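Once the Report Details rows are exported to CSV, the same counts the Dashboard and Top 20 IOCs reports show can be recomputed offline, for example to cross-check a filter set or feed a ticketing system. The following is an added example, not ThreatSTOP's code: it parses a constructed export using the column headers described above (Time, Device, Client IP, FQDN Requested, Action, Cause, Record, Targets, ID) and computes the three Dashboard data sets plus a Top-N IOC list. The CSV rows, the target names other than DCNC - BOTNET DOMAINS, and the target-to-severity mapping are assumptions made for the example; in the product the severity comes from the target's definition, not from the export.

```python
"""Roll up a Report Details CSV export into Dashboard-style summaries.

Added example, not ThreatSTOP's code. Rows, target names (other than
DCNC - BOTNET DOMAINS) and the severity mapping are constructed.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed CSV export (invented rows; headers follow the documentation).
CSV_EXPORT = """\
Time,Device,Client IP,FQDN Requested,Action,Cause,Record,Targets,ID
2024-03-01 08:15:02,laptop-01,10.0.1.25,bad.example.test,NXDOMAIN,QNAME,bad.example.test,DCNC - BOTNET DOMAINS,h001
2024-03-01 08:16:10,laptop-01,10.0.1.25,bad.example.test,NXDOMAIN,QNAME,bad.example.test,DCNC - BOTNET DOMAINS,h002
2024-03-01 09:02:44,laptop-02,10.0.1.30,ads.example.test,PASSTHRU,QNAME,ads.example.test,EXAMPLE - ADWARE,h003
2024-03-02 12:40:11,laptop-03,10.0.2.7,c2.example.test,DROP,IP,198.51.100.7,EXAMPLE - C2 SERVERS,h004
2024-03-02 13:00:00,laptop-01,10.0.1.25,c2.example.test,DROP,IP,198.51.100.7,EXAMPLE - C2 SERVERS,h005
"""

# Assumed severity (0-5) for each target list; in the product this comes
# from the target's definition, not from the export.
TARGET_SEVERITY = {
    "DCNC - BOTNET DOMAINS": 5,
    "EXAMPLE - C2 SERVERS": 5,
    "EXAMPLE - ADWARE": 2,
}


def load_export(text):
    """Parse the CSV text into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def severity_of(row):
    """Map a row to a severity via its Targets column (unknown lists -> 0)."""
    return TARGET_SEVERITY.get(row["Targets"], 0)


def requests_per_severity(rows):
    """Number of Requests for each Severity: one request per exported row."""
    return dict(Counter(severity_of(r) for r in rows))


def machines_per_severity(rows):
    """Number of Machines for each Severity: distinct Client IPs per severity."""
    machines = defaultdict(set)
    for r in rows:
        machines[severity_of(r)].add(r["Client IP"])
    return {sev: len(ips) for sev, ips in machines.items()}


def requests_per_threat_group(rows):
    """Number of Requests for each Threat Group, keyed by the Targets column."""
    return dict(Counter(r["Targets"] for r in rows))


def top_iocs(rows, n=20):
    """Most frequently seen Record values (FQDN or IP), most frequent first."""
    return Counter(r["Record"] for r in rows).most_common(n)


def dashboard(rows):
    """The three Dashboard bar-graph data sets for the given (filtered) rows."""
    return {
        "requests_per_severity": requests_per_severity(rows),
        "machines_per_severity": machines_per_severity(rows),
        "requests_per_threat_group": requests_per_threat_group(rows),
    }


if __name__ == "__main__":
    rows = load_export(CSV_EXPORT)
    for name, data in dashboard(rows).items():
        print(name, data)
    print("top IOCs", top_iocs(rows, 3))
```

Because the export contains at most 5,000 rows for a filter set, narrow the filters first (by date range or severity) if a rollup over the full population is needed; a rollup over a truncated export will undercount.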
Individual Detail Report entries can be investigated using the Check IOC utility by clicking on the Domain Name, or IP address associated with the threat.
Email reporting for both DNS and IP firewalls is covered in our Email Reports article.