useful custom reports

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

useful custom reports

L4 Transporter

Hey all,

I want to create some custom reports to get more useful information about what is going on in my network.

I would like to know - just informational - which reports do you use in your daily business?

Respectively which reports you consider as useful.

Until now, I created one report that shows me the denied packets for every last week.

Can you give me some more hints?

Thank you!

21 REPLIES 21

Cyber Elite
Cyber Elite

Here are three  reports that I always schedule to run every day. 

1) Reset report: I have a report that looks for the 'reset-client', 'reset-both', and 'reset-server' actions going from untrust to my dmz zone. This includes anything that reset likely due to a vulnerability or threat being identified. 

2) Risk Report: This report includes the widgets Risky Users, Botnet, Spyware Infected Hosts, and Top Spyware Threats.

3) Summary Reports: Daily PDF Reports which includes the following widgets; Bandwidth trent, Top Denied Sources, Top Secuirty Rules, Risk Trent, Top Destination Countries, Top Source Countries, Threat Tred, Top Destination Zones, Top Source Zones, Top Connections, Top Destinations, Top Sources, Top Denied Applications, Top Egress Interfaces, Top Denied Destinations, Top Ingress Interfaces. So most of the widgets really. 

 

 

@BPry

 

Thanks for your answer!

I have a question to your risk reports:

 

are these custom reports or predefined?

 

I don't find Risky Users

 

 

and my second question:

When I take a look into Spyware Infected Hosts, there are only external ip addresses. What do I need that information for?

 

 

and 3)

Where can I find Bandwidth trent, Risk Trent and Threat Tred?

@MPI-AE,

The reset report that I have listed at the top is the only custom report within that list. Risky Users can be found when you are building your Report Groups, it's one of the predefined reports available within that list. 

You'd want to keep the Spyware infected hosts so that you can see if an internal address shows up; I would also verify where those external IPs were going and who was communicating with them. Depending on the actual threat detected and in what direction the PA sees it going, you may see an external IP when it's one of your internal users infected. 

The Bandwidth trend, Risk trend, and threat trend are again predefined reports. You can add these when you are building the Report Group or if you create PDF Summary reports. 

@BPry

 

Hey BPry,

 

I built a report group and added the predefined report risky-users.

 

I am wondering now, why that report doesn't show up under Monitor -> Reports?

@MPI-AE,

Can't really answer that one I'm afraid, I don't have any idea why it wouldn't show up there. 

@BPry

 

I built a good overall report, thanks for your hints.

 

Still a last question to the risky users:

 

there are a lot of different risky users shown up in the report.

 

They have a risk of 4 or 5.

 

They are sorted by "Bytes"

 

Why are they risky? What am I supposed to do? What entries are important?

 

I'm confused.

@MPI-AE,

It generally takes the risk associated with the app-ids identified on that user's traffic. So if you haven't modified the app-id's associated risk then it's likely just displaying your most active users. 

@BPry

 

I have some more questions:

 

-The Spyware Infected Hosts, how does the firewall know that hosts are spyware affected, especially external hosts? But also internal hosts?

 

-URL Report:

Is it possible to create a custom url report that doesn't list the top blocked url's but the less blocked url's?

The problem is: I have a url report that lists the top 50 blocked url's. That report isn't really helpful because all url's shown there are web-advertisments, that are accessed over 1k times.

I would like to get url's that are accessed only a few times, maybe 1 or 2. Because most likely, that's an url that was accessed consciously by a user. So I can proactively unblock these url's. Do you know what I mean?

 

 

@MPI-AE,

Spyware Infected Hosts are generated by what the firewall sees through the Threat database. Specifically, if you run the following filter '( subtype eq spyware )' on the threat database you'll see what it's picking up on. In this case the 'Victim' is going to be what is considered a Infected Host. 

 

As for a URL report, your best bet there would be to simply ignore the whole web-advertisements category if it isn't something you are interested in seeing. For that I would likely recommend you create a custom report looking at the URL Log database, you would want to have the following in your Query Builder as to not display any of the web-advertisements category. 

not ( category eq web-advertisements )

@BPry

 

yeah that's a good idea.

 

 

Sorry, but another question comes into my mind:

 

In my report group that is sent every Sunday, there are included: botnet, Spyware Infected Hosts, Top denied applications, Top egress interfaces.

 

The problem is, these reports just show facts for the sunday.

 

Is there a possibilty to change that from sunday to the whole last calendar week?

 

 

@MPI-AE,

Since those reports are actually built into the firewall there isn't a way to modify them that I know of. That being said, all of the reports can be generated as a custom report that specifies the last 7 days so you have a full week.  


@MPI-AE wrote:

@BPry

 

I built a good overall report, thanks for your hints.

 

Still a last question to the risky users:

 

there are a lot of different risky users shown up in the report.

 

They have a risk of 4 or 5.

 

They are sorted by "Bytes"

 

Why are they risky? What am I supposed to do? What entries are important?

 

I'm confused.


 

IMO, the "risk" number is to be a guage not even so much a guide.

 

Hell, application "web-browsing" is a 4 and "FTP" is a 5.  I wouldn't necessarily base any report or security policy around a risk score.  

@Brandon_Wertz,

Risky users can be extremely helpful if you've taken the time to customize the application risk level specific to the company you are working for. At default value you are very much correct, the risk level is likely not a good indicator to actually use for anything. 

Agreed, my meaning was around the stock value of apps.  Again IMO, it's akin to a shiny object you can show to leadership.  Doesn't really mean you're more secure at a "3" with no security profiles than someone at a "5" who's running Threat/URL/WF services.

  • 7826 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!