Threats
The Threats page displays a summarized list of sessions whose overall content and alerts have been assessed and given a threat score. The threat score given to the TCP sessions is based on severity and confidence of static analysis scans, cloud-based hash analysis, and file entropy.
Threat scores are color-coded. The following color-coded threat score assigned to each threat is based on the severity and confidence of the detected threat.
| Threat Score | Color Code |
|---|---|
| 1-2 | Green |
| 3 | Combination of Green and Yellow |
| 4-6 | Yellow |
| 7 | Combination of Yellow and Orange |
| 8 | Combination of Orange and Red |
| 9-10 | Red |
Note: To automatically refresh this page with the latest sessions and their respective threat scores every 60 seconds, enable the Auto Refresh option on the top-right corner of the screen by toggling it to On.
Threat Score Contributors
The Threat Score Contributors column on the right side of this screen provides information on the subsystems contributing to the overall threat score of the content and alert generation.
Threat Details
Click Analysis > Threats. The right pane on the user interface displays sessions with their basic details in a tabular form. Basic details of these sessions include:
- Time – Session time when the PCAPs were captured off the network sessions.
- Source – Source IP address from where the threat originated.
- Destination – Destination IP address.
- Protocol – HTTP or SMTP protocol involved in the file transmission.
- VLAN – Virtual local area network ID of the collector.
- Collector – Collector host name.
- Threat Score – Overall threat score assigned to the file content.
- Events – Number of unique events that occurred out of the total number of events.
- For example: 4(1) indicates 1 unique event out of 4 events.
- Workflow Status – Current workflow status of the session that can be changed based on the session status using the available drop-down menu options.
- Actions – A link to click and view the detailed analysis report of the session involving the threat.
Note: For information on using available tips and options on the Threats page, refer the Other Options in the Analysis Pages section.
Quick Search Rules
Quick search in the Threats page appears on the left pane of the user interface and supports simple search text to be typed, which includes the IP addresses, IP address subnets, and hashes to search the desired sessions. Rules to be followed while using these items include:
- Regular expression for IP address pattern must be at least two ‘dot-separated’ IP address octets. For example: 8.8.
- Regular expression for IP subnets must be full IPv4 subnets in CIDR notation. For example: 192.168.0.0/24.
- Regular expression for hashes must contain 6 and more subsequent 0-9a-f characters or strings.
On clicking Search, if your search request did not match any of the above patterns, the search text will be transformed into a new pattern where all space characters are replaced with an underscore, and all wildcards * with [a-z0-9_]*. InQuest API then matches the signature names in its database against the resulting new text pattern, and searches and returns session results related to the matched signature.
If your search request further didn’t match any patterns, search is applied to any chunks having at least first three characters of a word. Also, the search engine makes characters (. / : & ? = % - @) as both word separators and parts of words. This means whenever you have signature containing 'qwer:tyui', you can match it with the text 'qwer', 'qwer:ty' as well as 'tyu'.
Quick Search Usage - An Example
Consider an example where you want to search and display threat sessions from March 01, 2018 till the current date.
- Click Analysis > Threats.
- In Time Interval, click From/To and using the calendar, select the From time to be 2018-03-01 00:00 and retain the To time as the default Now.
- Click Search. Sessions matching the above search text for the specified time interval are displayed on the right pane with their basic details.
Advanced Search
Columns available in the Advanced Search menu for the Threats page are:
- Destination IP
- Destination IP Country
- Destination Port
- Hash List
- File: MD5
- File: SHA1
- File: SHA256
- File: SHA512
- File: Event Id
- File: Signature Category
- File: Signature Full Name
- Protocol
- Collector
- Source IP
- Source IP Country
- Source Port
- Threat Score
- VLAN ID
- Header: Event Id
- Header: Signature Category
- Header: Signature Full Name
Select the column(s) and specify their respective criteria. You can also specify the session time from the Time Interval drop-down menu or select a date range from the built-in calendars by clicking the From/To option. Click Search to view the basic session details matching your specified columns and criteria on the right pane in a tabular form; each session with an individual threat score.
Advanced Search Usage- An Example
Consider an example where you want to do an advanced search to display sessions with the threat score less than 5 "or" the sessions that has Australia as the country's destination IP address since June 20, 2016 till date.
- Click Analysis > Threats > Advanced Search.
- From the Add Column drop-down menu, select Or as the conditional operator and select Threat Score as the column. This column gets added below with an option to select its criteria.
- Specify its criteria below by selecting < Less Than as its criteria and type 7 in its corresponding textbox.
- From the Add Column drop-down menu, select Destination IP Country.
- Specify its criteria below by selecting Equal and United States.
- In Time Interval, click From/To and using the calendar, select the From time to be 2018-03-01 00:00 and retain the To time as the default Now as highlighted in the following screen.
- Click Search. Sessions matching the above search columns and criteria for the specified time interval are displayed on the right pane with their basic details.
Basic details of each session displayed (for both the Quick Search or Advanced Search methods) include the session time when the PCAPs were captured off the sessions, source and destination IP addresses, protocol, VLAN, collector host name, threat score, unique events of the total events, workflow status of the session (that can be changed as required; provided you are assigned the permission), and a link to view the threat details.
Note: For viewing the detailed analysis report of a threat on a new screen, click the View link corresponding to that threat session in the Actions column. For more information, refer the Viewing Detailed Session Reports section.
