Using ThreatSTOP Roaming's reporting features
The Roaming Reports have the same features and designed as DNS Firewall Reports. You can refer to their documentation for the list of reports and settings. The only difference is how the client is identified. While DNS Firewall reports identify the client by the IP address, which is typically an internal IP address, Roaming reports identify the client by a system setting, as the IP address is often not useful to identify it (such as the IP address of a public network the device was connected to).
Devices are identified by a Hardware ID. That ID is configured in the Roaming device settings and can be:
- the hostname of the client device.
- its serial number (Windows: wmic bios get serialnumber; OSX: system_profiler SPHardwareDataType).
- its hardware UUID (Windows: wmic csproduct get UUID; OSX: system_profiler SPHardwareDataType).
The ID is used in place of the client IP address in the filter settings and in the following reports:
- Roaming Overview. The ID is used to identify the unique number of machines.
- Hardware Summary. This is same report as the DNS Client IP summary.
- Combined Summary. The ID is used to identify the device that made the DNS lookups.
- Detailed report. The ID is used in place of the device IP address.