End users who sign in to the threatER Portal first see Reports on the landing page. Reports give a quick, graphical view of your system summaries and contain only metadata summarized from the detailed logs stored in Enforce. Because no connection-specific data is held in the cloud Portal, the data it contains should not raise compliance issues.
Select Enforce > Reports to access the Reports tab. The Allowed / Blocked: Reason Summary report is the default view. There are two report families, Allowed / Blocked and Top 10, and each can be scheduled. All data in reports is displayed in your browser's local time zone.
Allowed / Blocked
There are four reports that display information on allowed or blocked connections. The Reports tab defaults to showing all connections made in the last 30 minutes across all policies and Enforcers. This data can be filtered by preset or custom time frames, by policy, or by Enforcer.
Reason Summary
The first tab is the Reason Summary, which shows the number of unique connections allowed or blocked by reason over the selected period. Reasons include country, ASN, lists (allow or block) and IP reputation (threat lists). Summed, these give the total number of connections in the time period chosen in the drop-down.
Click a bar to see the connection detail for that reason: a unique count for each reason, an overview of the top connections by policy, and the reason count over time.
Category Summary
The Category Summary tab relates to the threat list, where each IP has an associated category and risk score. The threat list flags such an IP as a potential threat, but whether it is allowed or blocked depends on the risk score thresholds enabled at the policy level. These graphs are not based on a unique count, because one IP can appear in multiple categories.
For example, the Endpoint Exploits category in the graph below is the highest line item in the Blocked by Category chart. This indicates that the connection was blocked and carried this specific threat category. End users can view the types of threats that are arriving at, or being seen outside, the network by searching for individual IPs in the IOC tab or through logs on the Enforcer.
The Allowed by Category chart displays connections that were allowed even though the IP appeared on a Threat List. There are two reasons why a threat-listed IP would be allowed:
1. The IP is on the Allow List (IPs on Allow Lists supersede the Threat List)
2. The Risk Score is lower than the category threshold
We recommend reviewing the stats in this graph, especially for the Inbound policy, and considering lower risk thresholds for categories that show a high volume of allowed connections. For more specific categories, such as "Endpoint Exploits" or "Command and Control," admins can adjust those categories under the inbound policy by lowering the default threshold of 90 so that more potential threats are blocked. Lowering a threshold does not affect IPs on an Allow List, which supersede the Threat List regardless of score.
End users can also click a bar in the graph to see the connection detail by reason: a unique count for each reason, an overview of the top connections by policy, and the reason count over time.
Top 10 Countries
The Top 10 Countries report displays the top 10 countries that were allowed or blocked by total unique connections.
Use these results to decide whether to block additional countries, especially if your organization does not expect inbound traffic from those locations.
Clicking a slice of data opens the Connection Detail for the dashboard and displays the Country and Count panel. Selecting additional countries adds their data to the graph on the right.
Top 10 ASNs
The Top 10 ASNs dashboard displays the top 10 ASNs that were allowed or blocked by total unique connections.
Use these results to decide whether to block additional ASNs on a per-policy basis, especially if your organization does not expect inbound traffic from those ASNs.
Clicking a slice of data opens the Connection Detail for the dashboard and displays the ASN and Count panel. Selecting additional ASNs adds their data to the graph on the right.
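The sections above describe one decision (allow list supersedes threat list; a threat-listed IP is blocked only when a category's risk score reaches the policy threshold) and three roll-ups of it (Reason Summary counted by unique IP, Category Summary counted per category, Top 10 Countries / ASNs by unique connections). The following is an added example that models that logic over constructed sample traffic; it is illustrative code, not threatER's own engine or API. The record layout, the rule that a score at or above the threshold blocks, every sample IP and ASN, and the category name "Scanner" are assumptions (only "Endpoint Exploits" and "Command and Control" are quoted on the page). The `newly_blocked` helper shows what the recommended threshold change does before you make it in the policy.

```python
"""Model of the Allowed / Blocked decision and report roll-ups.

Added illustrative example; not threatER's engine. Assumed: record layout,
every category defaulting to a threshold of 90, score >= threshold blocks,
all sample IPs/ASNs, and the category name "Scanner".
"""
from collections import Counter
from dataclasses import dataclass, field

DEFAULT_THRESHOLD = 90  # page: inbound policy categories default to 90


@dataclass
class Connection:
    ip: str
    country: str
    asn: str
    # Threat-list categories carried by this IP with the risk score per
    # category; empty when the IP is not on any threat list.
    categories: dict = field(default_factory=dict)


@dataclass
class Policy:
    allow_list: set
    thresholds: dict  # per-category overrides; others use DEFAULT_THRESHOLD

    def threshold(self, category):
        return self.thresholds.get(category, DEFAULT_THRESHOLD)


def decide(conn, policy):
    """Return (action, reason) for one connection under a policy.

    Rule 1 (page): an allow-list entry supersedes the threat list.
    Rule 2 (page): a threat-listed IP is blocked only if some category scores
    at or above that category's threshold; otherwise it is allowed.
    """
    if conn.ip in policy.allow_list:
        return "allowed", "allow list"
    if conn.categories:
        if any(score >= policy.threshold(c) for c, score in conn.categories.items()):
            return "blocked", "threat list"
        return "allowed", "threat list"
    return "allowed", "no match"


def reason_summary(connections, policy):
    """Reason Summary: unique IPs per (action, reason)."""
    ips = {}
    for conn in connections:
        ips.setdefault(decide(conn, policy), set()).add(conn.ip)
    return {key: len(s) for key, s in ips.items()}


def category_summary(connections, policy):
    """Category Summary: connections per (action, category). Not a unique
    count: each connection adds to every category its IP carries."""
    counts = Counter()
    for conn in connections:
        action, _ = decide(conn, policy)
        for category in conn.categories:
            counts[(action, category)] += 1
    return dict(counts)


def top_n(connections, policy, action, key, n=10):
    """Top 10 Countries / ASNs: unique IPs per key for one action."""
    ips = {}
    for conn in connections:
        if decide(conn, policy)[0] == action:
            ips.setdefault(key(conn), set()).add(conn.ip)
    ranked = sorted(((k, len(s)) for k, s in ips.items()), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


def newly_blocked(connections, before, after):
    """IPs allowed under `before` but blocked under `after`, i.e. what a
    lowered category threshold would start to block. Allow-listed IPs never move."""
    return {c.ip for c in connections
            if decide(c, before)[0] == "allowed" and decide(c, after)[0] == "blocked"}


# Constructed sample traffic (documentation-range addresses, invented ASNs).
SAMPLE = [
    Connection("203.0.113.10", "US", "AS64500", {"Endpoint Exploits": 95}),
    Connection("203.0.113.10", "US", "AS64500", {"Endpoint Exploits": 95}),  # second hit, same IP
    Connection("198.51.100.7", "DE", "AS64501", {"Endpoint Exploits": 80, "Scanner": 85}),
    Connection("192.0.2.44", "FR", "AS64502", {"Command and Control": 91}),
    Connection("192.0.2.45", "FR", "AS64502", {"Command and Control": 60}),
    Connection("192.0.2.46", "BR", "AS64503"),
    Connection("198.51.100.200", "RU", "AS64504", {"Endpoint Exploits": 99}),  # on the allow list
]
INBOUND = Policy(allow_list={"198.51.100.200"}, thresholds={})
TIGHTENED = Policy(allow_list={"198.51.100.200"}, thresholds={"Endpoint Exploits": 75})

if __name__ == "__main__":
    print("reason summary:", reason_summary(SAMPLE, INBOUND))
    print("category summary (default 90):", category_summary(SAMPLE, INBOUND))
    print("category summary (Endpoint Exploits at 75):", category_summary(SAMPLE, TIGHTENED))
    print("top blocked countries:", top_n(SAMPLE, TIGHTENED, "blocked", lambda c: c.country))
    print("newly blocked by lowering the threshold:", newly_blocked(SAMPLE, INBOUND, TIGHTENED))
```

Two points the sample makes visible: the same IP hitting twice counts once in the Reason Summary but twice under its category in the Category Summary, and lowering Endpoint Exploits from 90 to 75 moves 198.51.100.7 from allowed to blocked while the allow-listed 198.51.100.200 stays allowed at a score of 99.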
Top 10
There are two reports that display Top 10 lists by threat category. This data can be filtered by preset or custom time frames or by Enforcer.
Countries by Threat Category
The Top 10 Countries by Threat Category report displays the top 10 countries blocked due to specified threat category(s). Admins can narrow their search by date range and Enforcers, and select multiple threat categories at once for comparison.
The Threat Category with the highest count will be selected by default and its graph will display in the right-hand panel. To view a graph for additional Threat Categories, select the desired category(s) in the left-hand panel.
Each threat category graph displays a bar for the top 10 countries with connections flagged with that threat category. Hover over a bar to view the number of connections for the time frame and Enforcer selected in the filters at the top of the screen.
ASNs by Threat Category
The Top 10 ASNs by Threat Category report displays the top 10 ASNs blocked due to specified threat category(s). Admins can narrow their search by date range and Enforcers, and select multiple threat categories at once for comparison.
The Threat Category with the highest count will be selected by default and its graph will display in the right-hand panel. To view a graph for additional Threat Categories, select the desired category(s) in the left-hand panel.
Each threat category graph displays a bar for the top 10 ASNs with connections flagged with that threat category. Hover over a bar to view the number of connections for the time frame and Enforcer selected in the filters at the top of the screen.
Scheduling Reports
Reports can be scheduled by clicking on Scheduled > Create.
End users are taken to the Scheduled Reports tab to create the report. Provide the following information in the Create Scheduled Report dialog (* indicates a required field):

| Field Name | Description |
| --- | --- |
| Enabled | On by default; leave the toggle to the right to enable the report. |
| Report* | The type of report. |
| Name* | The name of the report. |
| Delivery Email* | The email address that should receive the report. |
| Description | A brief summary of the report. |
| Policy (Allow/Block reports only) | All Policies is the default selection. An individual policy can be selected from the drop-down. |
| Threat Categories* (Top 10 reports only) | Select the Threat Categories to include in the report. |
| Enforcer | All Enforcers is the default selection. An individual Enforcer can be selected from the drop-down. |
| Preset* | The date range of the report. Options: Yesterday (runs daily at midnight; covers the previous 24 hours); Last Week (runs weekly at midnight on Sunday; covers the previous week); Last Month (runs monthly at midnight on the 1st; covers the previous month); Last 7 days (runs daily at midnight; covers the previous 7 days). |
| Time Zone | Preset to the local browser time zone. |
Select Create to finalize and save the report.
The list of scheduled reports is shown in the reports table and can be narrowed down by report type.