by Josef Weiss
October 22, 2015
Monitoring, profiling, and analyzing host alerts within the network can assist in determining if problems exist, policies should be updated, or abnormal activity is present. Systems and users identified by the Daily_Host_Alert LCE event are presented to the analyst to provide information on what devices and users are logging in and when. This report can assist organizations to understand when connections to the network are most likely to occur, making it easier to spot and track anomalies for devices or user accounts.
The LCE event Daily_Host_Alert generates, once per day, an alert the first time an event from a local host is seen, such as a DNS lookup or LCE client connect. For systems that are always on, such as servers, a spike around midnight will be detected. Other computers may start out their day at various times.
Passively detected new hosts that have been identified by the PVS New_Host_Alert and LCE New_MAC event are also reported. The New_MAC event records the first time a new MAC address is ever seen on the network. The New_Host_Alert event records the first time a new IP address is ever passively detected. These events are generated for any new host seen on the network, whereas the Daily_Host_Alert event is only generated for hosts in the “include-network” range. The benefit is being able to report on newly detected MAC addresses, anywhere, even if the host is outside the organization’s defined range.
This report can be used to look for anomalies such as unknown systems or users popping up, or unexpected activity blackouts from known systems.
Note that this report might be very long (hundreds of pages), depending on the number of systems and users on the network. Consider modifying the report definition and filtering on an asset to produce a more specific and more manageable report.
The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the SecurityCenter Feed under the category Discovery & Detection.
The report requirements are:
- SecurityCenter 4.8.2
- LCE 4.4.1
- PVS 4.4.0
SecurityCenter Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. PVS provides deep packet inspection to continuously discover vulnerabilities and Indicators of Compromise (IOC) traveling the wire. LCE correlates real-time events, such as DNS queries, and then performs analysis to discover vulnerabilities and IOC. LCE also has the capability to discover users, operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and other critical infrastructure. SecurityCenter CV allows for the most comprehensive and integrated view of network health.
The report contains the following chapters:
- Executive Summary - This chapter presents a line graph of Daily_Host_Alert events by time for the last 5 days and a bar chart displaying host alerts by network. Monitoring daily host alerts by network assists in establishing baselines. Anomalies can be analyzed and escalated to the proper administrators.
- Daily Host Alerts: Hosts (Last 5 Days) - This chapter presents a table of all hosts associated with at least one Daily_Host_Alert event in the last 5 days. Verify that all hosts in this list are authorized to access the network.
- Daily Host Alerts: Users (Last 5 Days) - This chapter presents a table of all users associated with at least one Daily_Host_Alert event in the last 5 days. Verify that all users in this list are authorized to access the network. Profiling and analyzing these alerts can assist in determining if problems exist or policies should be updated.
- New Hosts and Users Passively Discovered (Last 5 Days) - This appendix presents tables of new hosts and new users discovered in the last 5 days. These tables can be used to correlate discovered hosts and users with Daily_Host_Alert events.