Network Monitoring

In the Reports Portal, select Repository > Standard Content > Foundation > Network Monitoring.

The traffic exchanged between devices and servers tells you a lot about your network. By monitoring network traffic, you can identify cyber attacks and network events that could affect your enterprise. For example, malicious users might intercept communications to mount a man-in-the-middle attack, or change the configuration of network devices to gain unauthorized access. In both cases, the attack is the beginning of further intrusions. Also, a system infected by malware can be instructed to generate a large volume of domain names, which produces a burst of DNS queries, many of them for domains that do not resolve, and thus increased traffic.

To monitor network activity, use the following dashboards and reports:

Dashboards:

  • DGA Overview

  • DoS Activity

  • Email Attacks

  • IDS Events Overview

  • Man in the Middle Attacks

  • Reconnaissance Activity

  • SSH Attacks

  • Traffic Anomaly Overview

  • VPN Activities Overview

Reports:

  • Exploit Attempts Detected by IDS

  • Network Device Configuration Changes

DGA Overview

Helps you watch for domain generation algorithms (DGAs). Malware uses a DGA to produce a large number of candidate domain names for its command-and-control servers, so that blocking any single domain does not cut off the adversary; the same channel makes it easier for adversaries to introduce further malware into your environment.

Charts:

  • Affected IPs

  • Suspicious Domains Generated

  • Affected IPs by Bytes Out

  • DGA Activity Relationship

  • Events Table

Filters:

  • Affected IP

  • Suspicious IP

  • DGA Domains

  • Query Type
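The following is an added example, not part of the ArcSight content above, showing the kind of logic behind the "Affected IPs" and "Suspicious Domains Generated" charts: it scores DNS query names with simple lexical heuristics (entropy, digit ratio, vowel ratio) and flags clients that repeatedly look up random-looking names that do not resolve. The log format, thresholds and hostnames are constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real data); the hostnames are made up.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z client=10.1.2.3 query=www.example.com type=A rcode=NOERROR
2024-05-01T10:00:02Z client=10.1.2.3 query=xk3jd9q2mvnzpq.com type=A rcode=NXDOMAIN
2024-05-01T10:00:03Z client=10.1.2.3 query=q8vbzlt4rmkjw.net type=A rcode=NXDOMAIN
2024-05-01T10:00:04Z client=10.1.2.3 query=zpw7ktnqx2rlbh.org type=A rcode=NXDOMAIN
2024-05-01T10:00:05Z client=10.1.2.3 query=mvc9xqkd3tnpl.info type=A rcode=NXDOMAIN
2024-05-01T10:00:06Z client=10.1.2.3 query=b4ytrnqlzkv8sm.com type=A rcode=NOERROR
2024-05-01T10:00:07Z client=10.1.2.4 query=mail.google.com type=A rcode=NOERROR
2024-05-01T10:00:08Z client=10.1.2.4 query=cdn.cloudflare.com type=AAAA rcode=NOERROR
2024-05-01T10:00:09Z client=10.1.2.4 query=examlpe.com type=A rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"client=(\S+)\s+query=(\S+)\s+type=(\S+)\s+rcode=(\S+)")


def shannon_entropy(text):
    """Bits per character of the label; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn):
    """'www.example.com' -> 'example'. Public-suffix handling (co.uk) is out of scope here."""
    parts = fqdn.strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(fqdn):
    """0..3 heuristic: high entropy, many digits, few vowels. Thresholds are illustrative."""
    label = second_level_label(fqdn)
    score = 0
    if shannon_entropy(label) > 3.3:
        score += 1
    if sum(ch.isdigit() for ch in label) / len(label) > 0.15:
        score += 1
    if sum(ch in "aeiou" for ch in label) / len(label) < 0.25:
        score += 1
    return score


def analyze(log_text, suspicious_at=2, min_nxdomain=3):
    """Return affected clients, the suspicious domains they queried, and which of those resolved."""
    nx_per_client = defaultdict(int)
    suspicious = set()
    resolved = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname, _qtype, rcode = m.groups()
        if dga_score(qname) < suspicious_at:
            continue
        suspicious.add(qname)
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
        else:
            # A random-looking name that actually resolves is the likely live C2 domain.
            resolved.add(qname)
    affected = {c for c, n in nx_per_client.items() if n >= min_nxdomain}
    return {
        "affected_ips": affected,
        "suspicious_domains": suspicious,
        "resolved_suspicious": resolved,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_DNS_LOG))
```

The NXDOMAIN count per client is the stronger signal: a host cycling through a DGA produces many failed lookups before it hits the one domain the adversary registered, and that resolved domain is the one to block and to pivot on in the Events Table. Lexical scoring alone produces false positives for CDN and tracking hostnames, so tune the thresholds against your own resolver logs.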

DoS Activity

Provides charts and a table for you to identify denial-of-service events. You can view the number of events per day, as well as the top source and destination addresses.

This dashboard is also available in the Denial of Service category of the Cloud reports.

Email Attacks

Provides charts and a table that describe the email attacks detected in your enterprise. You can view the top events or target users, as well as the destination and source addresses.

Exploit Attempts Detected by IDS

Shows the top 10 exploit attempts reported by the intrusion detection systems (IDS) in your enterprise. In the table, you can sort the events by count or severity.

IDS Events Overview

Helps you identify events generated by Intrusion Detection Systems.

Charts:

  • Attacker IPs

  • Targeted IPs

  • Distribution by Category Technique

  • Events Table

Filters:

  • Device Vendor, Product, and Signature ID

  • IDS Type

  • Category Technique

Man in the Middle Attacks

Provides charts and a table to help you catch potential man-in-the-middle (MitM) attacks. You can view events over time, by source and destination address (including MAC addresses), and the top MitM events.

During a MitM attack, the malicious user intercepts communications between two parties either to secretly eavesdrop or modify traffic traveling between the two.
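As an added example (not part of the original ArcSight content), here is the check that the MAC-address columns of this dashboard let you make by eye: on a local network the usual way to get "between two parties" is ARP spoofing, so an IP address that suddenly answers from a new MAC, or one MAC that claims several IP addresses, is the thing to look for. The event format and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed ARP reply events as a sensor might log them (not real data).
SAMPLE_ARP_LOG = """\
10:00:01 arp reply ip=10.0.0.1 mac=00:11:22:33:44:01 iface=eth0
10:00:02 arp reply ip=10.0.0.50 mac=00:11:22:33:44:50 iface=eth0
10:00:03 arp reply ip=10.0.0.51 mac=00:11:22:33:44:51 iface=eth0
10:00:10 arp reply ip=10.0.0.1 mac=00:de:ad:be:ef:99 iface=eth0
10:00:11 arp reply ip=10.0.0.50 mac=00:de:ad:be:ef:99 iface=eth0
10:00:12 arp reply ip=10.0.0.1 mac=00:11:22:33:44:01 iface=eth0
"""

ARP_RE = re.compile(r"^(\S+) arp reply ip=(\S+) mac=(\S+)")


def detect_arp_spoofing(log_text, known_gateways=("10.0.0.1",)):
    """
    Track the MAC each IP has claimed. Emit a conflict when an IP flips to a new MAC,
    and flag any MAC that ends up claiming more than one IP: spoofing both the gateway
    and the victim is the classic pattern for intercepting a conversation.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    conflicts = []
    for line in log_text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        ts, ip, mac = m.groups()
        mac = mac.lower()
        mac_to_ips[mac].add(ip)
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            conflicts.append({
                "time": ts,
                "ip": ip,
                "old_mac": previous,
                "new_mac": mac,
                "gateway": ip in known_gateways,  # gateway takeover is the high-value case
            })
        ip_to_mac[ip] = mac
    multi_ip_macs = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return {"conflicts": conflicts, "multi_ip_macs": multi_ip_macs}


if __name__ == "__main__":
    result = detect_arp_spoofing(SAMPLE_ARP_LOG)
    for c in result["conflicts"]:
        print(c)
    print(result["multi_ip_macs"])
```

In the sample, the third conflict is the real gateway reasserting its own address, so the IP "flaps" between two MACs; that flapping, together with one MAC claiming both the gateway and a host, is the pattern to alert on. Single conflicts have benign causes too (DHCP lease reuse, VRRP/HSRP failover, a replaced NIC), which is why the dashboard lets you filter by MAC and look at the events over time before concluding anything.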

Network Device Configuration Changes

Reports the top 10 devices whose configurations have changed, as well as the top 10 events causing configuration changes.

Reconnaissance Activity

Helps you watch for reconnaissance activity, which occurs when attackers are collecting information about your system in order to find vulnerabilities for future attacks.

Charts:

  • Reconnaissance Events

  • Targeted Users

  • Targeted IPs

  • Target Ports

  • Category Technique

  • Source IPs

  • Events Table

Special Views:

  • Source IP-Target IP Relationships is a scatter chart showing the relationship between source and target IPs.

  • Reconnaissance Activity Distribution is a distribution map of reconnaissance activity.

Filters:

  • Device Vendor and Device Product

  • Targeted Users

  • Transport Protocol

  • Category Technique

  • Agent Severity
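An added example (not part of the ArcSight content) of the logic behind the Target Ports and Source IP-Target IP Relationships views: a source that touches many distinct destination ports in a short sliding window is scanning. The firewall deny-log format, window size and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny lines (not real data).
SAMPLE_FW_LOG = """\
2024-05-01T09:00:00Z action=deny proto=tcp src=203.0.113.25 dst=10.0.0.5 dpt=21
2024-05-01T09:00:01Z action=deny proto=tcp src=203.0.113.25 dst=10.0.0.5 dpt=22
2024-05-01T09:00:01Z action=deny proto=tcp src=203.0.113.25 dst=10.0.0.5 dpt=23
2024-05-01T09:00:02Z action=deny proto=tcp src=203.0.113.25 dst=10.0.0.5 dpt=25
2024-05-01T09:00:02Z action=deny proto=tcp src=203.0.113.25 dst=10.0.0.5 dpt=80
2024-05-01T09:00:03Z action=deny proto=tcp src=203.0.113.25 dst=10.0.0.5 dpt=443
2024-05-01T09:00:03Z action=deny proto=tcp src=203.0.113.25 dst=10.0.0.6 dpt=3389
2024-05-01T09:00:04Z action=deny proto=tcp src=203.0.113.25 dst=10.0.0.6 dpt=445
2024-05-01T09:00:05Z action=deny proto=tcp src=198.51.100.9 dst=10.0.0.5 dpt=443
2024-05-01T09:30:00Z action=deny proto=tcp src=198.51.100.9 dst=10.0.0.5 dpt=22
"""

LINE_RE = re.compile(r"^(\S+) action=deny proto=(\S+) src=(\S+) dst=(\S+) dpt=(\d+)")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proto, src, dst, dpt = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proto, src, dst, int(dpt)


def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=6):
    """Flag sources that probe at least min_ports distinct destination ports inside a sliding window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, _proto, src, dst, dpt = parsed
            by_src[src].append((ts, dst, dpt))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (ts_i, _dst_i, _dpt_i) in enumerate(events):
            # Distinct ports seen in the window that ends at this event.
            in_window = {dpt for ts, _dst, dpt in events[: i + 1] if ts >= ts_i - window}
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            findings[src] = {
                "peak_distinct_ports": peak,
                "targets": sorted({dst for _, dst, _ in events}),   # source -> target pairs
                "ports": sorted({dpt for _, _, dpt in events}),
            }
    return findings


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_FW_LOG))
```

The window matters: the second source hits two ports half an hour apart, which is ordinary noise, whereas the first hits eight ports on two hosts in five seconds. Slow scans deliberately spread probes over hours to stay under such thresholds, so the distribution views in the dashboard, which show the same source returning day after day, are the complement to a short-window rule like this one.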

Traffic Anomaly Overview

Helps you identify anomalies in network traffic.

Charts:

  • Anomalies Detected

  • Targeted Ports

  • Source IPs

  • Targeted IPs

  • Events Table

Special Views:

  • Source IP-Target IP Relationship, a scatter chart displaying the relationship between source and target IPs.

  • Traffic Anomaly Distribution, a distribution map displaying traffic anomalies.

  • Traffic by Volume, a line chart displaying traffic volume over time.

Filters:

  • Device Vendors and Products

  • Anomaly Type

  • Application Protocol

  • Transport Protocol

  • Category Significance

SSH Attacks

Displays an overview of SSH protocol usage so that you can monitor threats and see vulnerabilities in your environment.

Charts:

  • Type of SSH Attacks

  • Top Targeted Users

  • Top Targeted IPs

  • SSH Activity Relationship

  • Events Table

Filters:

  • Device Vendor, Product, and Class ID

  • Source User

  • Category Technique

  • Category Significance

  • Agent Severity

Note: The Events Table chart for the SSH Attacks dashboard is populated from the baseEventCount field that connectors send. A single aggregated event row can stand for many raw SSH events, so the counts in the table reflect the number of underlying events rather than the number of rows received.
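The following added example (not ArcSight's own code) shows why the baseEventCount note matters when you build your own SSH brute-force logic: it parses CEF lines as a connector would forward them, sums the `cnt` extension (the CEF key for baseEventCount) instead of counting rows, and flags a source whose successful login follows a burst of failures. The CEF lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed CEF events as a connector might forward them (not real data).
# "cnt" is the CEF key for baseEventCount: one aggregated row can stand for many raw events.
SAMPLE_CEF = """\
CEF:0|OpenSSH|sshd|8.9|AUTH_FAIL|Failed password|5|src=203.0.113.10 dst=10.0.0.5 duser=root cnt=120 outcome=failure
CEF:0|OpenSSH|sshd|8.9|AUTH_FAIL|Failed password|5|src=203.0.113.10 dst=10.0.0.5 duser=admin cnt=85 outcome=failure
CEF:0|OpenSSH|sshd|8.9|AUTH_OK|Accepted password|3|src=203.0.113.10 dst=10.0.0.5 duser=admin cnt=1 outcome=success
CEF:0|OpenSSH|sshd|8.9|AUTH_FAIL|Failed password|5|src=198.51.100.7 dst=10.0.0.5 duser=alice outcome=failure
CEF:0|OpenSSH|sshd|8.9|AUTH_OK|Accepted publickey|3|src=198.51.100.7 dst=10.0.0.5 duser=alice cnt=1 outcome=success
"""

EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Split the seven pipe-delimited header fields, then the key=value extension."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = {
        "vendor": parts[1], "product": parts[2], "version": parts[3],
        "signature_id": parts[4], "name": parts[5], "severity": int(parts[6]),
    }
    event.update({k: v for k, v in EXT_RE.findall(parts[7])})
    # baseEventCount defaults to 1 when the connector did not aggregate the event.
    event["cnt"] = int(event.get("cnt", 1))
    return event


def summarize_ssh(cef_text, brute_force_at=50):
    """Per source: rows seen, failures counted by baseEventCount, and success after a burst of failures."""
    per_src = defaultdict(lambda: {
        "rows": 0, "failures": 0, "successes": 0,
        "success_after_failures": False, "users": set(),
    })
    for line in cef_text.splitlines():
        if not line.strip():
            continue
        e = parse_cef(line)
        s = per_src[e["src"]]
        s["rows"] += 1
        s["users"].add(e.get("duser", "?"))
        if e.get("outcome") == "failure":
            s["failures"] += e["cnt"]          # sum cnt, do not count rows
        elif e.get("outcome") == "success":
            s["successes"] += e["cnt"]
            if s["failures"] >= brute_force_at:
                s["success_after_failures"] = True   # likely guessed credential
    return {
        src: dict(v, users=sorted(v["users"]), brute_force=v["failures"] >= brute_force_at)
        for src, v in per_src.items()
    }


if __name__ == "__main__":
    for src, summary in summarize_ssh(SAMPLE_CEF).items():
        print(src, summary)
```

Counting rows would put the first source at two failures and miss the 205 attempts those two aggregated rows represent; summing `cnt` restores the real volume. The success-after-failures flag is the one to escalate, since a brute force that ends in an accepted password is no longer just noise.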

VPN Activities Overview

Provides charts and a table for you to monitor VPN activity, such as the top users who access the VPN. You can view the VPN activities per day, as well as review the top source and destination addresses.