{"id":1354,"date":"2018-07-11T21:25:46","date_gmt":"2018-07-11T21:25:46","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=1354"},"modified":"2020-05-06T10:27:05","modified_gmt":"2020-05-06T17:27:05","slug":"top-security-report-6-threat-protection-top-rules-by-source","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/community\/top-security-report-6-threat-protection-top-rules-by-source\/","title":{"rendered":"Top Security Report #6 – Threat Protection – Top Rules by Source"},"content":{"rendered":"

This blog discusses the report #6 in a series of seven top security reports that can help you defend against bad actors.<\/p>\n

Here are the previous parts:\u00a0part 1<\/a>, part 2<\/a>\u00a0<\/p>\n

Infoblox\u00a0Out-of-the-Box Report Threat Protection – Top Rules by Source<\/h2>\n

This report lists the top source IP addresses that trip each threat rule as identified through ADP threat intelligence. \u00a0For\u00a0network teams<\/em><\/strong>, this report gives visibility to which devices on the network are doing bad things or impacting network performance, so you can take corrective action like shutting-off the port or removing the device from the network.\u00a0 For\u00a0security teams<\/em><\/strong>, it provides visibility when there is trouble on the network, so the admin can intervene with the system manager, initiate a virus scan, or pursue a variety of other actions.\u00a0 It also enables admins to tune the threat rule thresholds for which traffic they want to allow or block.\u00a0 A typical security use case is when an admin suspects that a client device is infected with malware, and they need to conduct a forensic investigation to determine what the malware is doing within the DNS infrastructure and determine the malware attack methodology and frequency.<\/p>\n\n\n\n\n\n\n\n\n\n
Top Report #6: Threat Protection<\/strong><\/p>\n

Top Rules by Source<\/strong><\/td>\n<\/tr>\n

Service Area<\/strong><\/td>\nInfrastructure Protection<\/td>\n<\/tr>\n
Purpose<\/strong><\/td>\nLists the top source IPs hitting each threat rule<\/td>\n<\/tr>\n
Primary User<\/strong><\/td>\nNetwork & Security Admins<\/td>\n<\/tr>\n
Importance<\/strong><\/td>\nIdentifies clients that are attacking the server the most & the rules they trigger, & enables admins to tune rule thresholds better<\/td>\n<\/tr>\n
Use Case<\/strong><\/td>\nA security admin knows a client is infected by malware, but to drill deeper into malware forensics, this report shows the malware attack methodologies and frequencies<\/td>\n<\/tr>\n
Available<\/strong><\/td>\nOut-of-the-box & requires Advanced Data Protection (ADP)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

This report is accessed through the security dashboard and requires ADP.\u00a0 It includes filters for time, top number of rules, a counter, members, source IP address, rule names, source port and viewing options by bar chart, table or both.\u00a0 The report then displays the source IP, the number of logged events associated to that IP, the top security rules by name that were\u00a0violated, and when they last tripped those rules.\u00a0 This provides the visibility and forensic capability needed to identify bad actors, see what they\u2019re doing, the security rules they\u2019re breaking and the impacts they\u2019ve had on the network, so the admin can modify the rules and take quick, corrective action.<\/p>\n

\"Security<\/p>\n

Here are the seven (7) security reports that can give you an edge over the bad actors.<\/p>\n