Been playing around SmartView to generate a customized view for an report to bring value to the business.
Right now just working with containers and infografic.
This is my result until now, and still working on it, changing the filters and what to look after.
I have been asking the questions of how many of our public hosts have been scanned by attackers which either been prevented or detected, and how many of these hosts have the attackers used advanced exploits against each hosts and again prevented or detected.
I am not sure if the advanced attacks view is configured the right way.
Not sure if I should exclude the SSL and Scanner and Web Server Enforcement Violations attempt but to my knowledge it is only scanners like Shodan or Nessus etc.
My query is:
Fieldname is Source (attackers ip)
Blade = IPS
Action = Prevent
Severity = Medium OR High OR Critical
Confidence Level = Medium OR High OR Critical
Protection type NOT Engine Settings
Type NOT Control
Attack name NOT "SSL Enforcement Violation" NOT "Scanner Enforcement Violation" NOT "Web Server Enforcement Violation"
Destination: "ip address a.b.d.*"
What are your though about this view? Would it provide any value for you, or what kind of questions do you ask to get intelligence from your logs?
Which answers are you asking for while trying to extract threat intelligence?
Any suggestions or ideas?
Note! I can recommend this webinar Security Visibility Best Practices with SmartEvent