How to analyze Network Threat Protection reports and logs
About the information in the Network Threat Protection reports and logs
Network Threat Protection logs allow you to track a computer's activity and its interaction with other computers and networks. They record information about the traffic that tries to enter or exit the computers through their network connections.
Network Threat Protection logs contain details about attacks on the firewall, such as the following information:
Changes that were made to executable files
Network Threat Protection logs collect information about intrusion prevention. They also contain information about the connections that were made through the firewall (traffic), the registry keys, files, and DLLs that are accessed. They contain information about the data packets that pass through the computers. The operational changes that were made to computers are also logged in these logs. This information may include when services start and stop or when someone configures software. Among the other types of information that may be available are items such as the time and the event type and the action taken. It can also include the direction, host name, IP address, and the protocol that was used for the traffic involved. If it applies to the event, the information can also include the severity level.
The table below describes some typical uses for the kind of information that you can get from Network Threat Protection reports and logs.
Report or log
Top Targets Attacked
Use this report to identify which groups, subnets, computers, or ports are attacked most frequently. You may want to take some action based on this report. For example, you might find that the clients that attach through a VPN are attacked much more frequently. You might want to group those computers so that you can apply a more stringent security policy.
Top Sources of Attack
Use this report to identify which hosts attack your network most frequently.
Top Types of Attack
Use this report to identify the types of attack that are directed at your network most frequently. The possible types of attack that you can monitor include port scans, denial-of-service attacks, and MAC spoofing.
Top Blocked Applications Blocked Applications Over Time
Use these reports together to identify the applications that are used most frequently to attack your network. You can also see whether or not the applications being used for attacks have changed over time.
Attacks over Time
Use this report to identify the groups, IP addresses, operating systems, and users that are attacked most frequently in your network. Use it to also identify the most frequent type of attack that occurs.
Security Events by Severity
Use this report to see a summary of the severity of security events in your network.
Top Traffic Notifications Traffic Notifications Over Time
These reports show the number of attacks that violated the firewall rules that you configured to notify you about violations. You configure this data to be reported by checking the Send Email Alert option in the Logging column of the Firewall Policy Rules. Use Traffic Notifications Over Time to see how the attacks increase or decrease or affect different groups over time. Use them to see which groups are most at risk of attack through the firewall.
Use this report to see the information that appears in all the Network Threat Protection quick reports in one place.
Use this log if you need more information about a specific traffic event or type of traffic that passes through your firewall.
Use this log if you need more information about a specific packet. You may want to look at packets to more thoroughly investigate a security event that was listed in a report.
Use this log if you need more detailed information about a specific attack that occurred.
The Traffic, Packet, and Attacks logs are accessed from the SEPM's Monitors tab, Logs, Network Threat Protection. The other reports can be accessed through the SEPM's Reports tab, Quick Reports, Network Threat Protection.