Network Activity

The Network Activity screen provides an overview of common activity from a Cisco ASA firewall. It covers many aspects of firewall network usage: traffic flows over time, data allowed and blocked, IDS activity (in this case Snort alerting), firewall change activity and admin access, source and destination IPs, ports and protocols, a mapping of potentially risky protocols, and a drill-through to see the raw data for the selected time. As with the other dashboards, there is a date and time picker at the top right of the screen. The drill-through at the bottom of the screen shows the details behind the dashboard as the user clicks on either a status block or a dashboard element.

Key indicators are:

  • Firewall general activity - spikes in usage can indicate abnormal activity, which could be the result of a denial of service, data downloads or data being exfiltrated from the network. What is normal for one company may not be normal for another, so threshold settings should be adjusted to suit the reporting needs of your company.
  • Firewall accepted activity - this is activity allowed through the firewall. Anything allowed in or out may be normal or unauthorised activity, depending on whether data is leaking out over approved protocols. Many variants of malware, and many hackers, ride on the DNS, HTTP, HTTPS and SMTP protocols, as these are allowed in most cases because staff need to access the internet. Spikes in this activity can therefore be an indicator of compromise.
  • Snort Events - if you have an IDS, you can adjust this panel to report on your IDS syslog events. In this example we can see the variation of event types and the number of events per hour. Specific events such as Web Application Attacks can mean that systems are under attack, as the traffic is allowed through the firewall and is reaching the hosting web server. Spikes in activity may also indicate problems or someone probing your systems.
  • Cisco ASA Privileged Activity, Configuration Cleared, System Errors - these reports detail the nature of any system access: who was logging in and changing the configuration of the Cisco firewall. If these changes were not part of an approved change control, they should be investigated under incident management.
  • Source and Destination Port Activity and Address Activity - these charts allow analysis of high-usage systems, ports and protocols. Low-usage ones that are trying to stay hidden can also be highlighted by filtering out the busy systems. These charts let the analyst review and understand what is normal activity, and what traffic may be unauthorised, such as information leakage or high volumes of data being exfiltrated out of the company.
  • Risky Protocols by Port and Source and Destination Addresses - these charts report on firewall traffic that could be a potential risk. As mentioned above, hackers and malware often piggyback on known approved ports or use their own port. Depending on the firewall rules, this traffic may be allowed in or out. High usage on known malware ports or common ports should be reviewed to determine whether this was approved traffic or unauthorised.
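As an added example (not part of this page or the dashboard's own code), the following Python reproduces two of the checks above on constructed Cisco ASA syslog lines: hourly allowed/denied counts with a per-site spike threshold, and a lookup of traffic touching a risky-port list. The sample lines and the risky port set {23, 445, 3389, 4444} are assumptions for illustration, not values from the page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Cisco ASA syslog lines (illustration only, not captured traffic).
SAMPLE_LOGS = [
    'Jan 10 10:01:02 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)',
    'Jan 10 10:05:44 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/445 by access-group "outside_in" [0x0, 0x0]',
    'Jan 10 11:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.7/50100 (198.51.100.7/50100) to dmz:10.0.1.8/23 (10.0.1.8/23)',
    'Jan 10 11:00:02 fw01 %ASA-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.7/50101 (198.51.100.7/50101) to dmz:10.0.1.8/3389 (10.0.1.8/3389)',
    'Jan 10 11:00:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/50102 dst dmz:10.0.1.8/22 by access-group "outside_in" [0x0, 0x0]',
    'Jan 10 11:00:04 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/50103 dst dmz:10.0.1.8/139 by access-group "outside_in" [0x0, 0x0]',
]

HOUR = re.compile(r'^(\w{3} +\d+ \d{2}):\d{2}:\d{2}')  # syslog timestamp -> hour bucket
# 302013 "Built" = connection allowed; 106023 "Deny" = blocked by an access-group rule.
BUILT = re.compile(r'Built (?:inbound|outbound) (TCP|UDP) connection \d+ for \w+:([\d.]+)/(\d+) \S+ to \w+:([\d.]+)/(\d+)')
DENY = re.compile(r'Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)')

def parse_line(line):
    """Return an event dict for ASA 302013 (Built) / 106023 (Deny) lines, else None."""
    hour = HOUR.match(line)
    for pattern, action in ((BUILT, "allowed"), (DENY, "denied")):
        m = pattern.search(line)
        if hour and m:
            proto, a_ip, a_port, b_ip, b_port = m.groups()
            return {"hour": hour.group(1), "action": action, "proto": proto.lower(),
                    "ips": (a_ip, b_ip), "ports": (int(a_port), int(b_port))}
    return None

def activity_per_hour(lines):
    """Count allowed and denied events per hour, like the dashboard's hourly charts."""
    counts = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev:
            counts[ev["hour"]][ev["action"]] += 1
    return counts

def find_spikes(counts, threshold):
    """Hours whose total event count exceeds the site-specific threshold (tune per company)."""
    return sorted(h for h, c in counts.items() if sum(c.values()) > threshold)

def risky_port_events(lines, risky_ports):
    """Events where either end uses a port on the risky list, whether allowed or denied."""
    return [ev for ev in map(parse_line, lines) if ev and set(ev["ports"]) & risky_ports]

if __name__ == "__main__":
    hourly = activity_per_hour(SAMPLE_LOGS)
    print({h: dict(c) for h, c in hourly.items()}, find_spikes(hourly, 3))
    print([ev["ports"] for ev in risky_port_events(SAMPLE_LOGS, {23, 445, 3389, 4444})])
```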

v2 Dashboards
