Security services logs
Hello everyone.
I hope that everyone's doing well.
On the AppFlow report, I have a bunch of viruses or intrusions that were detected by my firewall.
Where can I find the IPs that got infected?
Because if I press the name of the virus it just gives me a description of the virus.
Already tried to search for it, but no luck...
Best Answer
BWC Cybersecurity Overlord ✭✭✭
Hi @César_S AFAIK the AppFlow Report does not give you option to drill down. Maybe you could try to use the AppFlow Monitor, select the Tab Threats and show AllFlows, then you set a filter for the specific Threat and have the IP addresses listed at Initiator IPs.
Depending on the time of the incident the event might be already flushed out of the memory of the Appliance, for that scenario something external like Analytics or a SIEM is required.
--Michael@BWC
Answers
Hello Michael, it looks like I have no threats.
The items in the snip that I've attached were blocked. So probably they won't show on the AppFlow Monitor.
@César_S if the AppFlow Monitor does not show you anything, the events are too far in the past, or you have too much going on that the local memory for AppFlows on the Appliance is already overwritten. I don't know how much space/flows the Appliance can hold for that.
But if you need this information for compliance I highly recommend an AppFlow Agent (Analytics, NSM, GSM), an External Collector (e.g. ELK, etc.) or having the events logged via Syslog.
--Michael@BWC
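As an added example (not from this thread or from SonicWall), here is the kind of processing an external syslog collector would do to answer the original question: take the appliance's key=value syslog lines and map each initiator IP to the threat signatures logged for it. The log lines are constructed, the serial number is a placeholder, and the "IPS Detection Alert" / "Gateway Anti-Virus Alert" message prefixes are assumed.

```python
import re
from collections import defaultdict

# Constructed sample lines in SonicWall-style key=value syslog format.
# Not captured from a real appliance: the serial is a placeholder and the
# addresses and signature names are made up.
SAMPLE_LOG = """\
id=firewall sn=PLACEHOLDER time="2024-01-10 09:12:01" pri=1 c=32 m=608 msg="IPS Detection Alert: EXAMPLE-SIGNATURE-A" src=10.0.0.15:51234:X0 dst=203.0.113.9:80:X1
id=firewall sn=PLACEHOLDER time="2024-01-10 09:12:07" pri=1 c=32 m=789 msg="Gateway Anti-Virus Alert: EXAMPLE-VIRUS-B" src=10.0.0.22:49811:X0 dst=198.51.100.4:443:X1
id=firewall sn=PLACEHOLDER time="2024-01-10 09:13:40" pri=6 c=1024 m=537 msg="Connection Closed" src=10.0.0.15:51300:X0 dst=203.0.113.9:80:X1
id=firewall sn=PLACEHOLDER time="2024-01-10 09:15:02" pri=1 c=32 m=608 msg="IPS Detection Alert: EXAMPLE-SIGNATURE-A" src=10.0.0.15:51402:X0 dst=203.0.113.9:80:X1
"""

# Message prefixes treated as security-service hits (assumed, not authoritative).
THREAT_PREFIXES = ("IPS Detection Alert", "IPS Prevention Alert",
                   "Gateway Anti-Virus Alert")

# Matches key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the key/value fields of one syslog line as a dict (quotes stripped)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def threat_initiators(log_text):
    """Map initiator IP -> {threat message: count} for threat events only.

    The src field is ip:port:interface, so the IP is the first component
    (IPv4 assumed for these constructed samples).
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_line(line)
        msg = fields.get("msg", "")
        if not msg.startswith(THREAT_PREFIXES) or "src" not in fields:
            continue  # ordinary traffic events carry no threat information
        initiator_ip = fields["src"].split(":")[0]
        hits[initiator_ip][msg] += 1
    return {ip: dict(msgs) for ip, msgs in hits.items()}


if __name__ == "__main__":
    for ip, msgs in threat_initiators(SAMPLE_LOG).items():
        print(ip, msgs)
```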
Is there a way for me to check the available memory?
@César_S I did a quick search in the TSR and was not able to gather any information about the available memory for AppFlows, this might be a good question for @MasterRoshi et al.
--Michael@BWC
That would be really appreciated.
By the way Michael, I found out that the AppFlow Monitor works the opposite way: first I need to pick the Initiator IPs that have threats (there's a "Threats" column there), then I'll be able to go into the Threats and see the threats for that IP.