What do Suspicious Activity Alerts mean?

Overview

NG Firewall has many default alerts configured. They are located under Config > Events > Alerts.

Two of the default alerts are labeled as "Suspicious Activity":

C_N_Ev_-_suspicious_activity_rules.png

The default configuration for these alerts is set to notify you whenever the number of sessions from a single IP, to the specified protocol, exceeds a given threshold. In this case that threshold is 20 sessions over 60 seconds. 

NOTE: These alerts will be triggered even if the NG Firewall blocked each session. 

suspicious_ssh.png

The only reason that one IP would ever hit that threshold is if they are attempting some sort of brute-force entry. 

 

Was the traffic blocked?

Now you need to see if the session was allowed or if it was blocked. If you are currently logging blocked traffic, then you can look for that blocked session in the reports.

Enable Logging of Blocked Sessions

To determine if you are logging blocked traffic, go to Config > Network > Advanced > Options:

C_N_A_O_-_log_blocked.png

If you were already logging blocked sessions, you may be able to see the suspicious activity in the reports. If not, enabling it now will not help.

However, if you take the information provided by the alert that was sent to you, you can look in the reports to see what happened with it. If it was blocked and you are not logging blocked sessions, then you won't be able to find anything. (Which is GREAT!)

 

How to read Alert data

Here is how you can see what happened with that session.

In the alert below you will find a trove of information.

suspicious_alert.png

1. This is the destination IP of the session. It is the device that they were attempting to connect to. In reports this will be the "Server".

2. This is the IP of the device that was attempting to connect into your network. In reports, this will be "Client". 

3. This is the exact time that the number of sessions reached the threshold to trigger the alert. 

 

Taking the information from the alert, you can look into the reports for that date, time, and/or IP addresses. 

 

 

 

Follow
Was this article helpful?
0 out of 1 found this helpful
Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Powered by Zendesk