Security - BlueCat Edge - Service Point v3.x.x

BlueCat Edge User Guide

Locale
English
Product name
BlueCat Edge
Version
Service Point v3.x.x

The Security page contains information regarding potentially compromised source IP addresses, identified by suspicious activity observed within BlueCat Edge. From this page, you can examine the activities associated with these potentially compromised source IPs, including threat indicators and a list of malicious domains linked to the observed threats. If you determine any of the listed domains to be harmful, you can add them to a domain list or create a new one for ongoing monitoring and appropriate action as needed.

Viewing Security activity

  1. In the BlueCat Edge window, click .
  2. Under Source IP health, click on different portions of the graph to filter the compromised source IP results based on the severity value.
  3. Under Site health, click next to the name of the site to filter the compromised source IP results based on the value of that field.
  4. Select the dropdown field within Site health to order the sites based on the following criteria:
    • Site name (asc)
    • Site name (desc)
    • Number of compromised source IPs (asc)
    • Number of compromised source IPs (desc)
    • Severity magnitude (asc)
    • Severity magnitude (desc)
  5. Under Total threats, click different graph categories to filter the compromised source IP results based on the threat type value.
  6. Click to filter the compromised source IPs data on additional parameters:
    • Site: Sets the data filter for the specified site name.
    • Severity Level: Sets the data filter for the specified severity level (Critical, High, Medium, Low).
    • Threat Type: Sets the data filter for the specified threat type (Typosquat, Tunneling, DGA, Rebinding, Crowdstrike Falcon).
    • Source IP: Sets the data filter for the specified source IP address.
    • Domain Name: Sets the data filter for the specified domain name.
  7. Click to download the report in CSV format.
  8. To view detailed information about a compromised source IP, click the source IP.

    In the compromised source IP information panel, you can view information about the severity of the threat, the site in which the query was received, the associated threat types, and the domains that the source IP address was querying.
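The filters in the procedure above (Site, Severity Level, Threat Type, Source IP, Domain Name) and the Site health sort options can also be applied offline to the CSV report downloaded in step 7, which is useful when triaging many compromised source IPs at once. The following Python script is an added example written for this guide, not BlueCat Edge code: the column names and sample rows are constructed assumptions that mirror the filter parameters listed above, since the exact layout of the exported CSV is not documented on this page. It loads the report, filters rows by site, minimum severity, threat type or source IP, groups the queried domains per source IP (the list you would review before adding domains to a domain list), and orders sites the way the Site health dropdown does.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names are an assumption that mirrors
# the Security page's filter parameters; the real CSV layout may differ.
SAMPLE_CSV = """Site,Severity Level,Threat Type,Source IP,Domain Name
HQ,Critical,DGA,10.1.2.3,xk3j9q2m.example
HQ,Critical,DGA,10.1.2.3,p0qz7lwa.example
HQ,High,Tunneling,10.1.2.3,data.tunnel.example
Branch-A,Medium,Typosquat,10.5.0.7,examp1e.test
Branch-A,Low,Rebinding,10.5.0.9,rebind.test
Branch-B,High,Typosquat,10.9.1.1,examp1e.test
"""

# Severity levels named on the Security page, ranked for "minimum severity"
# filtering and for the "Severity magnitude" sort.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def load_report(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_rows(rows, site=None, min_severity="Low", threat_types=None, source_ip=None):
    """Apply the same filters the Security page offers, offline.

    threat_types is an iterable of threat type names (e.g. {"DGA", "Tunneling"});
    min_severity keeps rows at that severity or worse.
    """
    floor = SEVERITY_RANK[min_severity]
    wanted = set(threat_types) if threat_types else None
    out = []
    for r in rows:
        if site and r["Site"] != site:
            continue
        if SEVERITY_RANK.get(r["Severity Level"], 0) < floor:
            continue
        if wanted and r["Threat Type"] not in wanted:
            continue
        if source_ip and r["Source IP"] != source_ip:
            continue
        out.append(r)
    return out


def domains_by_source_ip(rows):
    """Map each compromised source IP to the sorted set of domains it queried."""
    grouped = defaultdict(set)
    for r in rows:
        grouped[r["Source IP"]].add(r["Domain Name"])
    return {ip: sorted(domains) for ip, domains in grouped.items()}


def site_summary(rows):
    """Per site: number of distinct compromised source IPs and the worst severity."""
    ips = defaultdict(set)
    worst = defaultdict(int)
    for r in rows:
        ips[r["Site"]].add(r["Source IP"])
        worst[r["Site"]] = max(worst[r["Site"]], SEVERITY_RANK.get(r["Severity Level"], 0))
    return {s: {"compromised_ips": len(ips[s]), "severity_magnitude": worst[s]} for s in ips}


def sort_sites(summary, by="Number of compromised source IPs", descending=True):
    """Order sites using the same criteria as the Site health dropdown."""
    if by == "Site name":
        key = lambda item: item[0]
    elif by == "Number of compromised source IPs":
        key = lambda item: item[1]["compromised_ips"]
    elif by == "Severity magnitude":
        key = lambda item: item[1]["severity_magnitude"]
    else:
        raise ValueError("unknown sort criterion: %r" % by)
    return [name for name, _ in sorted(summary.items(), key=key, reverse=descending)]


if __name__ == "__main__":
    rows = load_report(SAMPLE_CSV)
    critical = filter_rows(rows, min_severity="High")
    for ip, domains in domains_by_source_ip(critical).items():
        print(ip, "->", ", ".join(domains))
    summary = site_summary(rows)
    print(sort_sites(summary, by="Severity magnitude"))
```

Domains collected by `domains_by_source_ip` are candidates for review only; the decision to add them to a domain list is still made in the Security page, as described in the next procedure.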

Adding suspicious domains to a domain list

If you determine that the domains that were queried by the source IP address are suspicious, you can add the domains to a new or existing domain list.
  1. Click the compromised source IP from the list to load the details panel.
  2. On the detail panel, select the checkbox next to one or more domain lists.
  3. Click Add to domain list.
  4. Under Step 1, click Add to an existing domain list or Create a new domain list and click Next.
  5. If you selected Add to an existing domain list:
    • Type the name of an existing domain list to search for it, then select the radio button next to the domain list to which you want to add the domains.
    • Click Next.
    If you selected Create a new domain list:
    • Under Name, enter the name of the domain list that you would like to create.
    • Optionally, under Description, enter a description of the domain list.
  6. Review the summary of the domains that will be added to the specified domain list.
  7. Click Confirm.

Once you have added the suspicious domains to the domain list, navigate to the Domain lists page to view the new or updated domain list. You can then create a policy that uses the domain list and applies actions to the domains. For more information on policies, refer to Policies.