Cyber Network Map

Overview

Available since Snare Central version 8.5.0

An interactive 3D globe and a world map provide the capability to visualize and explore the geo-located source and destination data associated with a range of firewall, router and web-related logs. 
The incoming logs of the following types are displayed:

since v8.5.0:

  • Cisco ASA (PIXLog)

  • Cisco FTD (IPS)

  • Web Logs (IIS and Apache weblogs)

  • Pan Firewall (PaloAlto)

  • IPTables Firewall

since v8.6.0:

  • Cloud Logs

  • AWSVPCFlowLog

  • AzureAZFWNatRule

  • AzureAZFWNetworkRule

  • AzureFirewallNetworkRule

  • Snort

  • SonicWall

  • CiscoRouterLog

  • Fortigate

  • FortiGateEventWAD

  • FortiGateIPS

  • FortiGateEventHA

  • FortiGateAnomaly

  • FortiGateICAP

  • FortiGateGTP

  • FortiGateEventSystem

  • FortiGate

  • FortiGateDLP

  • FortiGateEventUser

  • FortiGateAppCtrl

  • FortiGateEventSecurityRating

  • FortiGateDNS

  • FortiGateWAF

  • FortiGateWebFilter

  • FortiGateEventSDWAN

  • FortiGateTraffic

  • FortiGateCIFS

  • FortiGateEventRouter

  • FortiGateEmailFilter

  • FortiGateEventFortiExtender

  • FortiGateEventWireless

  • FortiGateFileFilter

  • FortiGateSSL

  • FortiGateEventConnector

  • FortiGateEventEndpoint

  • FortiGateAntivirus

  • FortiGateSSH

  • FortiGateVoIP

Note: both the 3D globe and the world map show a maximum of 500 unique events at a time. The chart lines are updated every 3 seconds.

Hint: Use the mouse to rotate the 3D globe.

Hover over a source or destination point on the globe or the map to view the details of the event.

Action Buttons

Switch to world map view

Switch to 3D globe view

Zoom In

Zoom Out

Interactive Legend

The interactive legend on the right-hand side lists currently charted log types.

Click on a legend item to hide or display the logs of that type.

Data Tables

Data Tables display the number of events received by Snare Central since opening this page. Data is grouped by event fields, such as:

  • Log Type

  • Source Country

  • Destination Country

  • Source Address

  • Destination Address

  • Source Port

  • Destination Port

  • Action

  • Protocol

In collapsed mode each Data Table displays only the item with the highest count.

Each table can be expanded to show the top 10 most common values for the corresponding field.

Drill Down

Explore the events for each counter by clicking on a row in the Data Table.

This will open a new browser tab with pre-filled “Events Search” field values.
Review the query, refine it as desired, and run the search to see all the events that match your requirements.

Note: the query uses the local browser date/time at which you opened the Cyber Network Map as a match term. Note, though, that if your log data comes from a different timezone, or has a date/time that is slightly out of sync with your workstation, the actual event time may differ. Hence, the time in the query may need to be manually adjusted to widen the search.

Configuring Geo-Location of Local Network IP Addresses

Some events may include local/private IP addresses or hostnames, which cannot be geolocated on the map by default. In order to correctly place these events on the map, a translation matrix will need to be defined in the objective: System > Administrative Tools > Configure GeoLocation for Mapping.