useful custom reports

L4 Transporter

Hey all,

I want to create some custom reports to get more useful information about what is going on in my network.

I would like to know - just informational - which reports do you use in your daily business?

Respectively which reports you consider as useful.

Until now, I created one report that shows me the denied packets for every last week.

Can you give me some more hints?

Thank you!

Cyber Elite

Here are three reports that I always schedule to run every day.

1) Reset report: I have a report that looks for the 'reset-client', 'reset-both', and 'reset-server' actions going from untrust to my dmz zone. This includes anything that reset likely due to a vulnerability or threat being identified. 

2) Risk Report: This report includes the widgets Risky Users, Botnet, Spyware Infected Hosts, and Top Spyware Threats.

3) Summary Reports: Daily PDF Reports which include the following widgets: Bandwidth Trend, Top Denied Sources, Top Security Rules, Risk Trend, Top Destination Countries, Top Source Countries, Threat Trend, Top Destination Zones, Top Source Zones, Top Connections, Top Destinations, Top Sources, Top Denied Applications, Top Egress Interfaces, Top Denied Destinations, Top Ingress Interfaces. So most of the widgets really.

L4 Transporter

@BPry

Thanks for your answer!

I have a question to your risk reports:

are these custom reports or predefined?

I don't find Risky Users

and my second question:

When I take a look into Spyware Infected Hosts, there are only external IP addresses. What do I need that information for?

and 3)

Where can I find Bandwidth Trend, Risk Trend and Threat Trend?

Cyber Elite

@MPI-AE,

The reset report that I have listed at the top is the only custom report within that list. Risky Users can be found when you are building your Report Groups, it's one of the predefined reports available within that list. 

You'd want to keep the Spyware infected hosts so that you can see if an internal address shows up; I would also verify where those external IPs were going and who was communicating with them. Depending on the actual threat detected and in what direction the PA sees it going, you may see an external IP when it's one of your internal users infected. 

The Bandwidth trend, Risk trend, and threat trend are again predefined reports. You can add these when you are building the Report Group or if you create PDF Summary reports. 

L4 Transporter

@BPry

Hey BPry,

I built a report group and added the predefined report risky-users.

I am wondering now, why that report doesn't show up under Monitor -> Reports?

Cyber Elite

@MPI-AE,

Can't really answer that one I'm afraid, I don't have any idea why it wouldn't show up there. 

L4 Transporter

@BPry

I built a good overall report, thanks for your hints.

Still a last question to the risky users:

There are a lot of different risky users showing up in the report.

They have a risk of 4 or 5.

They are sorted by "Bytes".

Why are they risky? What am I supposed to do? What entries are important?

I'm confused.

Cyber Elite

@MPI-AE,

It generally takes the risk associated with the app-ids identified on that user's traffic. So if you haven't modified the app-id's associated risk then it's likely just displaying your most active users. 

L4 Transporter

@BPry

I have some more questions:

- The Spyware Infected Hosts: how does the firewall know that hosts are spyware infected, especially external hosts? But also internal hosts?

- URL Report:

Is it possible to create a custom URL report that doesn't list the top blocked URLs but the least blocked URLs?

The problem is: I have a URL report that lists the top 50 blocked URLs. That report isn't really helpful because all URLs shown there are web-advertisements that are accessed over 1k times.

I would like to get URLs that are accessed only a few times, maybe 1 or 2. Because most likely, that's a URL that was accessed consciously by a user. So I can proactively unblock these URLs. Do you know what I mean?

Cyber Elite

@MPI-AE,

Spyware Infected Hosts are generated by what the firewall sees through the Threat database. Specifically, if you run the following filter '( subtype eq spyware )' on the threat database you'll see what it's picking up on. In this case the 'Victim' is going to be what is considered an Infected Host.

As for a URL report, your best bet there would be to simply ignore the whole web-advertisements category if it isn't something you are interested in seeing. For that I would likely recommend you create a custom report looking at the URL Log database; you would want to have the following in your Query Builder so as not to display any of the web-advertisements category.

not ( category eq web-advertisements )
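As an added example (not code from this thread or from Palo Alto Networks), here is the "least blocked URLs" view the question asks for, applied to a constructed URL-log export: it drops the web-advertisements category the same way the Query Builder filter above does, counts block actions per URL, and lists the rarest hits first. The column names and sample rows are assumptions, not the firewall's real export format.

```python
"""Rank blocked URLs by how rarely they were hit, after excluding the
web-advertisements category. Added example with constructed data; the
column layout is assumed, not the firewall's export format."""
import csv
import io
from collections import Counter

# Constructed URL-filtering log export (assumed columns).
URL_LOG = """receive_time,src,category,url,action
2024-01-08 09:00:01,10.0.0.5,web-advertisements,ads.example-tracker.net/pixel,block-url
2024-01-08 09:00:02,10.0.0.7,web-advertisements,ads.example-tracker.net/pixel,block-url
2024-01-08 09:00:03,10.0.0.5,web-advertisements,cdn.example-ads.com/banner.js,block-url
2024-01-08 09:02:10,10.0.0.9,unknown,new-vendor.example/login,block-url
2024-01-08 09:05:44,10.0.0.3,business-and-economy,intranet-partner.example/portal,block-url
2024-01-08 09:06:00,10.0.0.3,business-and-economy,intranet-partner.example/portal,block-url
2024-01-08 09:07:12,10.0.0.8,web-advertisements,ads.example-tracker.net/pixel,block-url
2024-01-08 09:09:30,10.0.0.4,social-networking,social.example/feed,alert
"""

def least_blocked_urls(log_text, limit=50, exclude_categories=("web-advertisements",)):
    """Count block actions per URL, skipping excluded categories, and return
    (count, category, url) tuples with the rarest URLs first so that one-off
    blocks (the ones a user probably wanted) stand out for review."""
    counts = Counter()
    category_of = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["category"] in exclude_categories:
            continue  # same effect as: not ( category eq web-advertisements )
        if not row["action"].startswith("block"):
            continue  # alerts are not blocks, so they are not unblock candidates
        counts[row["url"]] += 1
        category_of[row["url"]] = row["category"]
    # Ascending by hit count, then by URL for a stable order.
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [(n, category_of[u], u) for u, n in ranked[:limit]]

if __name__ == "__main__":
    for n, cat, url in least_blocked_urls(URL_LOG):
        print(f"{n:4d}  {cat:22s}  {url}")
```

Feed it a real export from the URL log and the two rows at the top of the output are the ones to review for unblocking; the noisy advertisement hits never appear.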