Example 2: Monitor access to critical applications - BlueCat Edge - Service Point v3.x.x

BlueCat Edge Deployment Guide

Locale: English
Product name: BlueCat Edge
Version: Service Point v3.x.x

In this example, we will transparently monitor client access to critical applications without blocking. All client requests for these applications will be monitored and logged to enable investigation of client behavior.

Note: This example requires that you prepare a list of domain names used by critical applications.

Create a critical applications domain list
  1. In the top navigation bar, click and select Domain Lists.
  2. Click to create a new domain list.
  3. For Name, enter Critical Applications, and for Description, enter a brief description for the list. For Type, keep the default User Defined.
  4. In the Domains field, type the list of domains to monitor. You can press Enter after typing each domain name, or you can type multiple domains on one line separated by commas and press Enter.
  5. Click Save and Close.

Create a policy to monitor access to critical applications
  1. In the top navigation bar, click and select Policies.
  2. Click to create a new policy.
  3. For Name, enter Monitor Critical Applications, and for Description, enter a brief description for the policy.
  4. For Type, select Monitor, and set the slider to Active.
  5. In the Sites field, start typing the name of a site, and then select the site you want to apply the policy to.
  6. Expand the Domain List section, and in the Watch List field, start typing Critical Applications, and then select that domain list.
  7. Click Save & Apply.

Test the critical applications policy

Query any domain(s) from the critical applications domain list. You should receive a normal response.

View activity for a client that accesses a critical application
  1. In BlueCat Edge, select the DNS Activity view.
  2. In the Command bar, type /policyname Monitor Critical Applications, and press Enter. In the DNS Activity tab, you will see a list of queries from clients to your critical applications. From this list, select a specific client IP address for further inspection.
  3. In the Command bar, clear the current filter and type /source 192.0.2.165 (where 192.0.2.165 is the selected client IP address) and press Enter. The DNS Activity tab displays all of the queries the selected client has made, internally and externally.
  4. Click the Threat Activity tab to see all of the queries the selected client has issued that were identified as a DNS threat.
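The following is an added Python model of what the procedure above sets up, not BlueCat code: a Monitor policy that tags (but never blocks) queries matching a watch-list domain list, followed by the two DNS Activity filters, /policyname and /source. The domain list, the record field names and the sample queries are constructed for illustration.

```python
"""Model of a Monitor policy over a watch-list domain list (added example, not BlueCat code).
Record fields, the domain list and the sample queries below are constructed."""

# Constructed entries for the "Critical Applications" domain list.
CRITICAL_APPS = ["crm.example.com", "erp.example.net", "vault.example.org"]
POLICY_NAME = "Monitor Critical Applications"


def in_domain_list(qname: str, domain_list: list) -> bool:
    """True if qname equals an entry or is a subdomain of one.
    Case-insensitive; a trailing dot on the query name is ignored."""
    name = qname.rstrip(".").lower()
    for entry in domain_list:
        d = entry.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return True
    return False


def apply_monitor_policy(queries: list) -> list:
    """A Monitor policy is transparent: every query is answered normally ("allow"),
    and matching queries are tagged with the policy name for later investigation."""
    activity = []
    for q in queries:
        rec = dict(q)
        rec["policy"] = POLICY_NAME if in_domain_list(q["qname"], CRITICAL_APPS) else None
        rec["action"] = "allow"  # monitor never blocks
        activity.append(rec)
    return activity


def by_policy(activity: list, policy_name: str) -> list:
    """Equivalent of the "/policyname <name>" Command bar filter."""
    return [q for q in activity if q.get("policy") == policy_name]


def by_source(activity: list, source_ip: str) -> list:
    """Equivalent of the "/source <ip>" Command bar filter."""
    return [q for q in activity if q["source"] == source_ip]


# Constructed DNS activity records, not real BlueCat Edge output.
SAMPLE_QUERIES = [
    {"source": "192.0.2.165", "qname": "api.crm.example.com.", "qtype": "A"},
    {"source": "192.0.2.165", "qname": "www.example.com", "qtype": "A"},
    {"source": "192.0.2.7", "qname": "erp.example.net", "qtype": "AAAA"},
    {"source": "192.0.2.7", "qname": "cdn.example.com", "qtype": "A"},
]

if __name__ == "__main__":
    activity = apply_monitor_policy(SAMPLE_QUERIES)
    print(len(by_policy(activity, POLICY_NAME)), "queries matched the policy")
    for q in by_source(activity, "192.0.2.165"):
        print(q["source"], q["qname"], q["policy"], q["action"])
```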