CH-9-SMS Events and Reports.pdf
Lesson 9: SMS Events and Reports

Lesson Objectives

After completing this lesson, participants will be able to:
- Navigate through the SMS Events and Reporting tabs
- Run queries on the Events tab
- Save queries on the Events tab
- Create and run reports
- Schedule reports

SMS Event Management

Query Event Panes

There are three parts to Query Events:
- Event Query Panes: for setting up event query data. Anything chosen in this section controls what is shown to the user when the "Refresh" button is selected. There are multiple query panes, and the criteria on these panes are ANDed together, so make sure to hit "Reset" before running additional queries.
- Event Time Range Pane: for choosing the time period to view events for: Real-time, Relative Time (e.g. Last Day), or Absolute Time (choose a start time and an end time).
- Event Query Results: once a time range and query are chosen, the matching events show up here. You can interact with each event listing and act directly from it: search on specific values, aggregate column values, create traffic management filters, create exceptions, and more.

Note: User permissions will also have an impact on the results.

© 2022 Trend Micro Inc. Education

Filter Help

F2 Information

SMS Events

Real-time: displays entries as they occur on the system. This option displays data by refreshing the screen; the refresh rate is calculated from the time it takes to run the query and display the results.

Column Aggregation

Aggregation allows a collapsed view with a count of entries.

Column Filtering

Right-click a column.

Search by Filter Text

Click the magnifying glass to search the filter by text.
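The query behaviour described above (criteria on the query panes are ANDed until Reset is pressed, the relative and absolute time-range panes, and column aggregation with an entry count) can be modelled in a few lines. The following is an added example, not code from Trend Micro or the SMS product: the EventQuery class, its method names and the sample events are hypothetical and assume nothing about how SMS stores or queries events.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (hypothetical values, not real SMS data), using
# a few of the Event Details columns named in the lesson.
EVENTS = [
    {"time": datetime(2022, 5, 11, 10, 0), "severity": "Critical", "src": "203.0.113.5",
     "dst": "192.0.2.10", "dst_port": 445, "type": "Block", "filter": "F1"},
    {"time": datetime(2022, 5, 11, 11, 0), "severity": "Critical", "src": "203.0.113.5",
     "dst": "192.0.2.11", "dst_port": 445, "type": "Block", "filter": "F1"},
    {"time": datetime(2022, 5, 11, 11, 30), "severity": "Major", "src": "198.51.100.7",
     "dst": "192.0.2.10", "dst_port": 80, "type": "Permit", "filter": "F2"},
    {"time": datetime(2022, 5, 10, 8, 0), "severity": "Critical", "src": "203.0.113.5",
     "dst": "192.0.2.10", "dst_port": 445, "type": "Block", "filter": "F1"},
    {"time": datetime(2022, 5, 11, 9, 0), "severity": "Low", "src": "192.0.2.50",
     "dst": "192.0.2.53", "dst_port": 53, "type": "Permit", "filter": "F3"},
    {"time": datetime(2022, 5, 11, 11, 45), "severity": "Major", "src": "198.51.100.7",
     "dst": "192.0.2.10", "dst_port": 80, "type": "Block", "filter": "F2"},
]


class EventQuery:
    """Hypothetical model of the SMS Events tab: query-pane criteria (ANDed),
    a time-range pane, and column aggregation over the results."""

    def __init__(self, events):
        self.events = events
        self.reset()

    def reset(self):
        """Clear every pane, as the Reset button does."""
        self.criteria = {}
        self.start = None
        self.end = None

    def add_criteria(self, **column_values):
        """Criteria accumulate across panes and are ANDed; nothing is
        cleared until reset() is called."""
        self.criteria.update(column_values)
        return self

    def relative_time(self, now, last=timedelta(days=1)):
        """Relative range such as 'Last Day', anchored at `now`."""
        self.start, self.end = now - last, now
        return self

    def absolute_time(self, start, end):
        """Absolute range with an explicit start and end (inclusive)."""
        self.start, self.end = start, end
        return self

    def _in_range(self, t):
        return (self.start is None or t >= self.start) and (self.end is None or t <= self.end)

    def refresh(self):
        """Return the events matching the time range AND every criterion."""
        return [e for e in self.events
                if self._in_range(e["time"])
                and all(e.get(col) == val for col, val in self.criteria.items())]

    def aggregate(self, column):
        """Collapsed view: distinct values of `column` with an entry count."""
        return Counter(e[column] for e in self.refresh())


def demo(now=datetime(2022, 5, 11, 12, 0)):
    q = EventQuery(EVENTS)
    # Query 1: blocked events in the last day, aggregated by source address.
    q.relative_time(now).add_criteria(type="Block")
    blocked_last_day = len(q.refresh())
    by_source = dict(q.aggregate("src"))
    # Query 2 WITHOUT Reset: the new criterion is ANDed with the old one,
    # so the result is narrower than a query on severity alone.
    q.add_criteria(severity="Major")
    block_and_major = len(q.refresh())
    # The same second query after Reset: only the new criterion applies.
    q.reset()
    q.relative_time(now).add_criteria(severity="Major")
    major_only = len(q.refresh())
    # Absolute range: blocked events between two fixed timestamps.
    q.reset()
    q.absolute_time(datetime(2022, 5, 10, 0, 0),
                    datetime(2022, 5, 11, 10, 30)).add_criteria(type="Block")
    blocked_absolute = len(q.refresh())
    return {"blocked_last_day": blocked_last_day, "by_source": by_source,
            "block_and_major": block_and_major, "major_only": major_only,
            "blocked_absolute": blocked_absolute}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows the Reset pitfall directly: adding severity="Major" on top of the earlier type="Block" criterion returns one event, while the same severity criterion after a Reset returns two, because the Permit event is no longer filtered out by the stale criterion.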
Right-Clicking on an Event

Right-clicking an event offers:
- Copy or Export event data
- Details: display the Event dialog box
- Packet Trace: display the packet trace (if available)
- Add event comment (searchable)
- Execute Responder Policy
- Create Named Resource (based on src/dst IP address)
- Create a Traffic Management Filter
- Create Response
- Create an Exception
- Event Comment
- Profile: Edit Filter
- Table Properties: order or hide columns, sort order, aggregation

Event Details

Whois lookup requires Internet access from the SMS.

Fields shown in Event Details:
- Time
- Hit Count
- Severity
- Comment
- Source / Destination Address
- Source / Destination Port
- Geo-Tag
- ThreatLinQ Information
- Type (Block or Permit)
- Network Event #
- Global filter hits
- Copy Details to Clipboard: reuse in other applications

Edit a Filter Directly from an Event

The Edit button allows you to edit the filter. You can override the "category" settings and establish your own action. Note the "Details" tab, which retrieves the specifics on this filter. You can also create an Exception and a Traffic Management filter, offering a convenient way to silence or block a repeating incident.

Note: This functionality will not work if the SMS cannot determine which profile to edit. You may need to redistribute your profile if you took the IPS out of SMS management after the event was generated and have not pushed a profile since.

View Packet Traces

SMS will decode the packet trace from the inspection device.

Note: a packet trace is only available if Packet Trace is set as part of the filter's Action Set.

You may also save the packet capture as a standard PCAP file for viewing in an external program. SMS only retrieves the Packet Trace from the device when requested; it is not saved in the SMS database.

SMS Event Integration: Configuring Syslog

Admin Tab > Server Properties > Syslog

Choose a saved query (from the event viewer) to use as a filter for Syslog forwarding.
SMS Reports

Report Types
- Inspection: generated on instances of all attack filters, destinations, and sources
- Provide information about the amount of all peer-to-peer traffic on your network
- Reputation: generated on instances of all Reputation destinations, events and sources
- Rate Limits: reports the percentage of used bandwidth in a pipeline of traffic for rate limit action sets
- Device Traffic: reports statistical changes in network traffic patterns by device
- Advanced DDoS: provides information about detected and blocked DDoS attacks against the network, including SYN floods, Established Connection floods, and Connections Per Second (CPS) floods
- Executive Reports: an overview report combining Security, Application and Reputation
- Traffic Analysis: establish baseline traffic to identify unusual patterns using sFlow
- Saved Reports
- All Schedules: lists all existing report schedules

Creation Process

Process for creating reports:
- Start with a report template
- Customize the report template by modifying the report criteria
- Run the report to verify results
- Save the report
- Create a schedule and specify distribution, permissions and remote export options

Report Customization includes:
- Segment Group
- Device
- Action Type
- Category
- Severity
- Date Range
- Chart Type
- Other specific settings depending on the type of report (criteria differ based on the report template)

Report Options

Define the chart type.

Generate Report

Click Run to generate the report.

Scheduling a Report

Once a report is saved, you can schedule the report to run periodically, such as every day at midnight, and to export the results. Results can be emailed or posted to the SMS web server, in HTML, CSV, PDF or XML format.
Additionally, reports can be pushed to an NFS or SMB share.

Scheduling a report requires:
- Name
- Recurrence Pattern
- End Date
- Permissions (Optional)
- Remote Export (Optional)

Export Reports

Select the options for exporting the report.

View Saved Reports

If your SMS is set up for authentication (Require Login for Web Access under Edit > Preferences), log in, or select "Log In" on the SMS web page to authenticate with the SMS. Any user who creates a report can view their own reports.

Specific permissions for HTTP access to reports can be applied when creating a schedule:
- All anonymous users (even unauthenticated) can view reports
- All SMS users can view reports

Users with super-user privilege can see all reports, regardless of the individual permissions chosen for the report. If distributing reports via email, NFS or SMB, these permissions do not apply: use Unix or Windows permissions to keep file shares locked down, and only send emails to the specific users who need the reports.

Report Example

Download options: HTML, PDF, CSV, XML, DOCX, XLS

Executive Report

SMS Web Dashboard

The SMS Web Dashboard displays important information for network monitoring. It lets you monitor the geographic locations of an attack on a map. The SMS Web Dashboard alerts you when there is an issue on your network. When you need to take action, you can drill down quickly to view the details of an alert. The SMS Web Dashboard is configured with several widgets. You can customize the existing widgets or add additional widgets to display the information that you need to monitor. By default, the dashboard contains the following widgets: Top Attack Sources, Top Filters, and Events Blocked Rate. Open a browser to https:///d/Dashboard to access it.

Hands-on Labs

Lab 9: SMS Events and Reports

Estimated time to complete this lab: 35 minutes