Event logging of domains or of a category that has been blocked in a security report is a misconfiguration issue in the customer's environment, where valid DNS queries and traffic are overwhelming the reporting/logging system and producing a lot of noise. For more information, see Event Logging of a Domain or Category Blocked in a Security Report.
The Data Exfiltration, Malware, Command & Control, and Summary reports are not tied to your organization's custom whitelist and should not be reported as RPZ events. They report Threat Intelligence detections and exist independently of the DNS Firewall. If your DNS Threat policy is set to "log, allow," these detections will continue to show up. To remedy this, use only the Security Report when interpreting DNS Firewall activity.
The Security Report provides comprehensive security data about the malicious hits within your networks over a specific time period. The default report displays a bar chart that shows the distribution of malicious hits throughout your networks within a 24-hour time frame. It also lists detailed information about the respective threats at the bottom of the report.
At the top action bar, you can view the total number of Hits, Devices, Users, Networks, Threat Classes, and Policies in your infrastructure. Note that the totals for these fields stay the same regardless of the filtering criteria you have configured for the report.
To filter the report by specific criteria, select the applicable objects from the following drop-down menus:
- Policy: Active security policies.
- Threat Class: The threat intelligence feeds, such as Phishing, MalwareC2DGA, and others.
- Property: The nature of the threat. By default, the portal includes all threat properties.
- Network: Displays the IP addresses for all applicable networks and scopes.
- Threat Level: The threat level for the malicious hit. This can be High, Medium, or Low.
Only available objects are displayed in the filtering menus.
If a domain belonging to an Infoblox auto-generated custom list is also added to a user-created custom list, the threat-lookup API (iid_atp/lookup) will return the domain only in the user-created custom list.
To define a specific time frame for the report, you can move the pointer at either end of the bar chart, or select a time frame from the Show Last drop-down menu.
You can also get specific data associated with the malicious hits by clicking the link of the following from the top action bar: Hits, Devices, Users, Networks, Threat Classes, and Policies. When you click a link, the corresponding line charts overlaying the malicious hits are displayed. For example, when you click Devices, line charts representing each device will overlay the bar chart, giving you an insight into the devices that have triggered the malicious hits. This information can help you identify the top malicious devices within your networks so you can take appropriate corrective actions.
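The behaviour described above, worked through in code as an added example (this is not Infoblox's code and does not use its API; the hit records, field names, list names and domains are constructed here for illustration): the top-bar totals are computed over every hit and are unaffected by the drop-down filters, the drop-downs only offer values that actually occur in the data, the Devices overlay is a per-device breakdown of the filtered hits, and a domain present on both an auto-generated and a user-created custom list is attributed only to the user-created list.

```python
from collections import Counter
from dataclasses import dataclass


# Constructed sample rows of a Security Report (not real Infoblox data).
@dataclass(frozen=True)
class Hit:
    device: str
    user: str
    network: str
    threat_class: str
    threat_property: str
    policy: str
    threat_level: str
    domain: str


SAMPLE_HITS = [
    Hit("laptop-01", "alice", "10.0.1.0/24", "Phishing", "Phishing_Generic", "Default", "High", "phish.example"),
    Hit("laptop-01", "alice", "10.0.1.0/24", "MalwareC2DGA", "MalwareC2DGA_Generic", "Default", "High", "dga1.example"),
    Hit("server-02", "svc", "10.0.2.0/24", "MalwareC2DGA", "MalwareC2DGA_Generic", "Strict", "Medium", "dga2.example"),
    Hit("phone-03", "bob", "10.0.1.0/24", "Phishing", "Phishing_Generic", "Strict", "Low", "phish.example"),
]

# The five drop-down filters from the text, mapped to hypothetical field names.
FILTER_FIELDS = ("policy", "threat_class", "threat_property", "network", "threat_level")


def top_bar_totals(hits):
    """Counts for the top action bar: always computed over ALL hits, never the filtered subset."""
    return {
        "hits": len(hits),
        "devices": len({h.device for h in hits}),
        "users": len({h.user for h in hits}),
        "networks": len({h.network for h in hits}),
        "threat_classes": len({h.threat_class for h in hits}),
        "policies": len({h.policy for h in hits}),
    }


def available_filter_values(hits):
    """Only values that actually occur in the data are offered in the filtering menus."""
    return {f: sorted({getattr(h, f) for h in hits}) for f in FILTER_FIELDS}


def filter_hits(hits, **criteria):
    """Apply drop-down selections; each keyword is a field name and its value a set of accepted values."""
    unknown = set(criteria) - set(FILTER_FIELDS)
    if unknown:
        raise ValueError(f"unsupported filter field(s): {sorted(unknown)}")
    return [h for h in hits if all(getattr(h, f) in allowed for f, allowed in criteria.items())]


def hits_per_device(hits):
    """Per-device breakdown, the data behind the overlay shown when you click Devices."""
    return Counter(h.device for h in hits).most_common()


def custom_list_membership(domain, auto_lists, user_lists):
    """Attribute a domain to custom lists following the lookup rule in the text:
    if it is on any user-created list, only those lists are returned; the
    auto-generated lists are reported only when no user-created list matches."""
    user_matches = [name for name, domains in user_lists.items() if domain in domains]
    if user_matches:
        return user_matches
    return [name for name, domains in auto_lists.items() if domain in domains]


if __name__ == "__main__":
    print("totals (unfiltered):", top_bar_totals(SAMPLE_HITS))
    high = filter_hits(SAMPLE_HITS, threat_level={"High"})
    print("High-level hits:", len(high), "- totals unchanged:", top_bar_totals(SAMPLE_HITS))
    print("devices overlay:", hits_per_device(high))
```

Run the module directly to see the totals, a threat-level filter and the device breakdown; the totals line is printed from the full set both times to make the point that filters change the chart, not the top bar.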
The Security Report includes the following specific types of reports available for viewing: