
IP Attack Map

Overview


The IP Attack Map application comprises 6 main components that together render a pool of data used for detailed security analysis. The IP Attack Map displays data pertaining to the security zones of the Crystal Eye network through the Banned IPs Table, Real-Time Attack Tracker, Protocol Traffic Size Indicator, Device Traffic Size Indicator and Real-Time IDPS Alerts.

The data gathered forms the basic platform for in-depth security analysis. Each attack is depicted visually on the world map, clearly specifying its origin and destination, and is colour coded to indicate the protocol that was used. All of this is simulated on the world map and is backed by a parallel database called the Alert Report, which provides further attack details such as the Timestamp, Source IP, Destination IP, Country Name, Region Name, etc.

In the screenshot below, an attack is depicted on the world map originating in the United States and targeting a network secured by the Crystal Eye XDR in Western Australia (WA). The attack is colour coded green, which means the HTTPS protocol was used. The depiction on the world map can also be correlated with the corresponding entry in the Real-Time IDPS Alert Report below the map, where the attack details are listed.

[Screenshot: crystal-eye-xdr-ip-attack-map]

Every attack detected and simulated in the IP Attack Map is triggered by pre-configured IDPS rules maintained by Red Piranha’s Security Operations Team (RP Secops). These IDPS rules can be modified, and an alert triggered by a rule can be escalated to Red Piranha’s security operations team if it needs to be reviewed.

Note

Crystal Eye XDR administrators can have access to all features of the IP Attack Map section from the Security Dashboard as well. However, the IP Attack Map PDF report can only be downloaded from the IP Attack Map application.

Installation


The IP Attack Map application is installed by default and can be accessed from the left-hand navigation panel.


Left-hand Navigation Panel > Reports > IP Attack Map Application

[Screenshot: crystal-eye-xdr-navigation-IP-Attack-map]

Banned IPs Table


[Screenshot: crystal-eye-xdr-banned-ip-table]

The Crystal Eye XDR appliance bans any IP address that exceeds the login-attempt threshold while accessing the CE XDR user interface. Once an IP address is banned, its details are displayed in the Banned IPs Table with the Timestamp, Country Name and Region Name. If the CE XDR administrator wishes to allow or whitelist a banned IP, this can be done with the click of a button.

The Forcefield feature safeguards the CE XDR itself by blocking IPs that exceed the login-attempt threshold. A PDF report listing the IPs that have been blocked by the Forcefield application can be downloaded (know more about the PDF report here).

Note

The Banned IPs can be whitelisted or allowed from the IP attack map in the security dashboard. A customized report of these IPs can be downloaded from the Log section of the Forcefield application.

How to Whitelist or Allow a Banned IP Address?

Step 1: In the IP Attack Map application page, click the Allow button in the Banned IPs Table.

[Screenshot: crystal-eye-banned-ip-address-whitlisting-forcefield]

Real-Time Attack Tracker


The Real-Time Attack Tracker displays a well-summarized simulation of incoming attacks on a world map. It shows the origin of each attack and specifies the target. The graphical attack simulations are real-time IDPS alerts triggered by pre-configured rules. The protocol used in the attack can be identified by its colour code (for example, red is FTP, yellow is TELNET, etc.). Some of the attack protocols detected and displayed here are FTP, SSH, TELNET, EMAIL, WHOIS, DNS, HTTP, HTTPS, SQL, SNMP, SMB, AUTH, RDP, DoS, and ICMP. An attack using a protocol other than those listed above is recorded under ‘others’.

How to Interpret the Data Shown in the Real-Time Attack Tracker?

Step 1: In the IP Attack Map application page, observe an attack simulated on the world map (the attack observed in the screenshot below is circled in yellow).

[Screenshot: crystal-eye-xdr-interpreting-real-time-attack-tracker1]

Step 2: Now observe the corresponding entry for the attack in the alert table.

[Screenshot: crystal-eye-xdr-interpreting-real-time-attack-tracker2]

Note

In the above screenshot, the alert section shows the time and date of the attack, its origin, the destination IP, country of origin, region name, description, action, rule type, port map and severity.

Protocol Traffic Size Indicator


The Protocol Traffic Size Indicator shows the size of the data transferred using a particular protocol. The Crystal Eye XDR detects the protocol and automatically calculates the traffic size transferred over a period of time and displays it in a tabular format. The traffic size is measured in Megabytes (MB).

Where to Locate the Protocol Traffic Size Indicator in the IP Attack Map application?

Step 1: In the IP Attack Map application page, you will find the Protocol Traffic Size Indicator in the top-right corner.

[Screenshot: crystal-eye-xdr-protocol-traffic-size-indicator]

Note

Apart from the IP Attack Map application, the top traffic sizes by protocol can also be viewed in the IP Attack Map section of the Security Dashboard and in the Top Protocols section of the Protocol Detail Report application.

Device Traffic Size Indicator


The Device Traffic Size Indicator shows the device name (as mapped in the CE XDR) and the amount of data it has received and sent over a period of time. The Device Traffic Size is measured in Megabytes (MB).

How to Locate the Device Traffic Size Indicator in the IP Attack Map application?

Step 1: In the IP Attack Map application page, you will find the Device Traffic Size Indicator on the right (see screenshot below).

[Screenshot: crystal-eye-xdr-device-traffic-size-indicator]

Note

Apart from the IP Attack Map application, the top traffic sizes sent and received by devices in the CE XDR network can also be viewed in the Top Network IPs graph of the Network Activity Dashboard and the Security Dashboard.
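As an added illustration (not the appliance's own code) of how the Real-Time Attack Tracker's protocol bucketing and the two traffic size indicators described above can be derived from per-device flow records, in Python. The flow records, device names and the 1 MB = 1,000,000 bytes convention are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Protocols the Real-Time Attack Tracker reports by name (from the page);
# any other protocol is bucketed under "others".
KNOWN_PROTOCOLS = {
    "FTP", "SSH", "TELNET", "EMAIL", "WHOIS", "DNS", "HTTP", "HTTPS",
    "SQL", "SNMP", "SMB", "AUTH", "RDP", "DoS", "ICMP",
}

@dataclass
class Flow:
    device: str      # device name as mapped in the CE XDR (constructed)
    protocol: str    # protocol label as detected for the flow
    sent_bytes: int  # bytes sent by the device
    recv_bytes: int  # bytes received by the device

def bucket_protocol(protocol: str) -> str:
    """Map a detected protocol label onto the tracker's categories."""
    return protocol if protocol in KNOWN_PROTOCOLS else "others"

def mb(nbytes: int) -> float:
    """The indicators report MB; 1 MB = 1,000,000 bytes is an assumption here."""
    return round(nbytes / 1_000_000, 2)

def protocol_traffic_mb(flows) -> dict:
    """Protocol Traffic Size Indicator: total MB per protocol bucket."""
    totals = defaultdict(int)
    for f in flows:
        totals[bucket_protocol(f.protocol)] += f.sent_bytes + f.recv_bytes
    return {p: mb(b) for p, b in totals.items()}

def device_traffic_mb(flows) -> dict:
    """Device Traffic Size Indicator: MB sent and received per device."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        totals[f.device][0] += f.sent_bytes
        totals[f.device][1] += f.recv_bytes
    return {d: {"sent": mb(s), "received": mb(r)} for d, (s, r) in totals.items()}

def top_protocols(flows, n: int = 3) -> list:
    """Top Protocols view: (protocol, MB) pairs, largest first."""
    return sorted(protocol_traffic_mb(flows).items(), key=lambda kv: kv[1], reverse=True)[:n]

# Constructed sample flows, not data from a real appliance.
SAMPLE_FLOWS = [
    Flow("fileserver-01", "SMB", 12_500_000, 3_000_000),
    Flow("workstation-07", "HTTPS", 2_000_000, 40_000_000),
    Flow("workstation-07", "DNS", 50_000, 120_000),
    Flow("iot-cam-02", "RTSP", 90_000_000, 500_000),  # not in the list -> "others"
    Flow("fileserver-01", "SSH", 300_000, 200_000),
]
```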

Real-time IDPS Alerts


The Real-Time IDPS Alerts section displays attack-specific data, also known as IDPS alerts, generated in real time. These attacks and the protocols involved are visually depicted in the Real-Time Attack Tracker. When an attack is initiated, the origin of the attack and the targeted CE XDR network are shown in the Real-Time Attack Tracker. The Crystal Eye XDR administrator can also view detailed information about the attack, such as the source IP, destination IP, country (from where the attack originated), region name, description of the attack, severity, etc., in the Alert Report.

[Screenshot: crystal-eye-xdr-ip-alert-report]

The above screenshot depicts an attack that originated from Russia and was targeted at a network secured with Crystal Eye XDR in Western Australia (WA). The attack is shown on the map and its corresponding details are listed in the Alert Report.

Upon clicking a particular IDPS alert, the Crystal Eye administrator can view the alert details, escalate the attack alert to Red Piranha’s Security Operations Team, and view the IDPS rules that triggered the alert.

IDPS Alert Analysis


The Crystal Eye XDR displays various real-time alerts that can be viewed and analysed. The analysis process includes monitoring the IDPS alerts and the rules that trigger them. A real-time alert pops up in the Alert Report and is triggered by a rule, which can be converted to Pass, Drop or Reject. If a rule triggers too many false positives, the Crystal Eye XDR administrator can also disable that rule as part of the rule-tuning process. Alerts can also be escalated to Red Piranha’s security operations team (RP Secops).

We discuss various ways to analyse IDPS alerts below:

  • How to view IDPS alert details and the rules that trigger the IDPS alert?
  • How to convert the IDPS rules to Drop, Pass or Alert after it triggers an attack alert?
  • How to disable a particular IDPS rule that triggered an IDPS alert?
  • How to escalate an attack alert to Red Piranha’s security operations team for analysis?

How to view IDPS alert details and the rules that trigger the IDPS alert?

Step 1: In the Security Dashboard, click any of the IDPS alerts in the Alert Report section.

[Screenshot: crystal-eye-xdr-disable-idps-rule-security-dashboard1]

Step 2: You will now see a detailed report of the IDPS alert details and the IDPS rule details that triggered the alert.

[Screenshot: crystal-eye-xdr-ruleset-action-idps-report2]

How to convert the IDPS rules to Drop, Pass or Alert after it triggers an attack alert?

The IDPS rules play a vital role in stopping detected incidents in the Crystal Eye XDR network. However, the behaviour of these specially created rules can be changed.

These rules can be converted to Pass, Drop or Reject, further defining the nature of the rule as discussed below.

Convert to Pass: After the rule is converted to Pass, if its signature matches, the packet is not scanned any further and the scanning process skips to the end of all rules for the current packet.

Convert to Drop: After the rule is converted to Drop, if its signature matches, the packet is stopped and is not allowed to move further into the network.

Convert to Reject: After the rule is converted to Reject, if its signature matches, the packet does not go through, and both the sender and the receiver receive a reject packet.
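The following Python model, added here and not part of the Crystal Eye XDR or its IDPS engine, shows how the three converted actions and the default Alert action change what happens to one packet, and how disabling a rule removes it from scanning. The Rule and Verdict types, the placeholder sids and the sample signatures are assumptions.

```python
from dataclasses import dataclass, field
# Rule actions the page describes; "alert" is the default before any conversion.
ACTIONS = ("alert", "pass", "drop", "reject")

@dataclass
class Rule:
    sid: int              # rule id; values below are placeholders, not real ruleset ids
    pattern: str          # substring the signature looks for in the payload
    action: str = "alert"
    enabled: bool = True  # a disabled rule is skipped entirely (rule tuning)

@dataclass
class Verdict:
    forwarded: bool                              # did the packet continue into the network?
    alerts: list = field(default_factory=list)   # sids that raised an alert
    reject_sent_to: tuple = ()                   # recipients of a reject packet, if any

def evaluate(rules, payload: str, src: str, dst: str) -> Verdict:
    """Scan one packet against the rules in order, with the page's semantics:
    pass   - stop scanning; remaining rules are skipped and the packet is forwarded
    drop   - the packet is stopped and not forwarded
    reject - the packet is stopped and a reject packet goes to sender and receiver
    alert  - record the alert and keep scanning (drop/reject also record one; assumed)
    """
    v = Verdict(forwarded=True)
    for r in rules:
        if not r.enabled or r.pattern not in payload:
            continue
        if r.action == "pass":
            break                     # skip to the end of all rules for this packet
        v.alerts.append(r.sid)
        if r.action == "alert":
            continue
        v.forwarded = False           # drop or reject
        if r.action == "reject":
            v.reject_sent_to = (src, dst)
        break
    return v

def change_action(rules, sid: int, action: str) -> None:
    """What the Change Rule Actions dialog does for one rule."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    for r in rules:
        if r.sid == sid:
            r.action = action

def default_rules() -> list:
    """Constructed rules: a signature for anonymous FTP and one for a sensitive path."""
    return [Rule(9000001, "USER anonymous"), Rule(9000002, "/etc/passwd")]
```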

Step 1: In the Security Dashboard, click an IDPS alert in the Alert Report.

[Screenshot: crystal-eye-xdr-disable-idps-rule-security-dashboard1]

Step 2: You will now see a detailed report of the IDPS alert details and the IDPS rule details that triggered the alert.

[Screenshot: crystal-eye-xdr-ruleset-action-idps-report2]

Step 3: Click the Change Rules Actions button in the IDPS alert details pop-up.

[Screenshot: crystal-eye-xdr-ruleset-action-idps-report3]

Step 4: You will now see the Change Rule Actions pop-up. Select Alert, Pass or Reject from the default_ruleset dropdown and click the Update button.

[Screenshot: crystal-eye-xdr-ruleset-action-idps-report4]

How to disable a particular IDPS rule that triggered an IDPS alert?

Crystal Eye XDR administrators might come across situations where the IDPS rule that triggered an alert needs to be disabled. In this case, click the IDPS alert and then click the Disable button.

Step 1: In the Security Dashboard page, click the IDPS alert for which the IDPS rule needs to be disabled.

[Screenshot: crystal-eye-xdr-disable-idps-rule-security-dashboard1]

Step 2: You will now see the Alert Details and the Rule Details. Read the details and then click the Disable button.

[Screenshot: crystal-eye-xdr-disable-idps-rule-security-dashboard2]

How to escalate an attack alert to Red Piranha’s security operations team for analysis from the IP Attack Map application?

All attack alerts can be escalated to the RP Secops team once the Incident Response Services application is installed. Escalations will not be processed until the Incident Response Services application is installed and configured. The details of escalated alerts can also be viewed and downloaded in PDF/JSON format from the Escalated Alerts dashboard.

Note

If the Incident Response Services application is not installed and configured, the following error message is displayed.

Step 1: In the Security Dashboard page, click the IDPS alert that needs to be escalated.

[Screenshot: crystal-eye-xdr-ruleset-action-idps-report1]

Note

Before initiating alert escalation to Red Piranha’s SOC team, make sure that the Incident Response Services application is installed and configured. Click here to learn how to configure the Incident Response Services application.

Step 2: You will now see the Alert Details and the Rule Details. Read the details and then click the Escalate button.

[Screenshot: crystal-eye-xdr-attack-escalation2]

Step 3: You will now see a Comment Box. Add a comment and click the Submit button.

[Screenshot: crystal-eye-xdr-attack-escalation3]

IP Attack Map PDF


A Crystal Eye administrator can download IP Attack Reports covering various parameters related to security analysis. The key components of this report are the Protocol Traffic Size Indicator, the Device Traffic Size Indicator and the Alert Report.

The Protocol Traffic Size Indicator (labelled Protocol Details in the IP Attack Map PDF Report) also appears in the IP Attack Map application, as the screenshot below shows. The IP Attack Map PDF Report is on the left and the IP Attack Map application GUI is on the right.

[Screenshot: crystal-eye-xdr-ip-attack-map-pdf1]

The Device Traffic Size Indicator (labelled Device Details in the IP Attack Map PDF Report) also appears in the IP Attack Map application, as the screenshot below shows. The IP Attack Map PDF Report is on the left and the IP Attack Map application GUI is on the right.

[Screenshot: crystal-eye-xdr-ip-attack-map-pdf2]

The Alerts in the PDF Report also appear in the IP Attack Map application, as the screenshot below shows. The IP Attack Map PDF Report is at the bottom and the IP Attack Map application GUI is at the top.

[Screenshot: crystal-eye-xdr-ip-attack-map-pdf3]