One of the largest issues encountered with any monitoring system is the eventual development of alarm fatigue: a condition in which the brain begins to filter out repeated false alarms, leaving the user at greater risk. With this in mind, ThreatSTOP set out to develop a network threat alert system with the express intent of avoiding alert fatigue.

ThreatSTOP Alerts works by taking the filter conditions currently set for your reporting and, when you click Save/Edit Alert, saving those settings as a pre-defined alert that emails you when the filter conditions are met. If you find the initial alert questionable, you can set a cool-off period of one or more hours on that alert (the cool-off must be set in multiples of one whole hour). If the alert repeats after the cool-off, it may bear further investigation.

Selecting your filter conditions is covered in DNS Firewall Reporting and IP Firewall Reporting. Once the conditions are defined and the Save/Edit Alert button is clicked, a pop-up appears in which to save the new values. The filter conditions that are incorporated in an alert trigger are:

  • Severity: The severity level of the threat recorded. Threat levels break down into five levels in order of increasing severity.

    Threat Severity Matrix

    Threat Severity Levels
    • Severity 0 - No/Unknown Threat Level - Threat does not pose a significant risk of harm to your network
    • Severity 1 - Low Threat Level - Threat poses a low risk of harm to your network
    • Severity 2 - Low/Medium Threat Level - Threat poses a low-to-moderate risk of harm to your network
    • Severity 3 - Medium Threat Level - Threat poses a moderate risk of harm to your network
    • Severity 4 - Medium/High Threat Level - Threat poses a medium-to-high risk of harm to your network
    • Severity 5 - Highest Threat Level - Threat poses a very high risk of harm to your network

  • Devices: Contains a list of firewall devices currently associated with your account. This can help limit the returns to a specific firewall device.

  • Direction: Filters results to Inbound traffic, Outbound traffic, or both.
  • Client IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting to the given address range.
  • Internal IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting to the given address range for outbound traffic.
  • External IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting to the given address range for inbound traffic.
  • Note: The Action Taken selections are all enabled by default, and each returns data for its result. Unticking a box hides the data for that action.

    A note about DNS Firewall filters vs. IP Firewall filters

    Due to the different nature of the firewall types, some fields are included in DNS firewalls that are not present in IP firewalls and vice versa. The following breakdown shows which fields are exclusive to their respective filter:

    DNS Firewall
    • Trigger Type: QNAME, RPZ-IP, NSDNAME, NSIP
    • Client IP
    • Action Taken: Blocked (NXDOMAIN), Blocked (NODATA), Blocked (DROP), Pass-through, Redirected

    IP Firewall
    • Direction
    • Internal IP
    • External IP
    • Action Taken: Block, Allow

  • Target Groups: Limits the returned Targets to the selected types.

  • Queried Name: Can be used to search for the existence of a domain name in the log files.
  • Action Taken: Limits results based on what actions were taken with the network traffic.

    • Blocked (NXDOMAIN): Network traffic is blocked with a "no such domain" error.
    • Blocked (NODATA): Network traffic is blocked with no data regarding the domain's existence.
    • Blocked (DROP): Network traffic is dropped, with no information provided to the requesting service.
    • Pass-Through: Network traffic is allowed to pass through to the requested system.
    • Redirected: Network traffic is pointed to a different location such as a Walled garden.
    • Block: Network traffic is blocked by the service.
    • Allow: Network traffic is allowed to pass through to the network.
  • Advanced Target Settings:
    • Only targets present in policy: This filter limits the returned results to targets in the current policy, and does not include returns from lists that are not part of the chosen policy.
  • Trigger type: Includes targets based on the condition that triggered the firewall to take an action.
    • QNAME: the Qualified Name (QNAME) matches an entry in the RPZ.
    • NSDNAME: the Name Server Domain Name (NSDNAME) matches an entry in the RPZ.
    • RPZ-IP: the Response Policy Zone (RPZ) requested matches an entry in the RPZ.
    • NSIP: the Name Server IP address (NSIP) matches an entry in the RPZ.
  • Policies: Limits returned data to the policy selected.

Date Range fields are not considered for alert programming, as the trigger is provided in real time.

Note: The Alert system will check the previous hour of logs for conditions that meet the alert trigger condition.

Available fields are:

  • Save as: Allows you to save the current filter as New, or to update an existing filter.
  • Title: A name for the report conditions; this can be up to 100 characters.
  • Email Address: The primary email address to which alerts will be sent.
  • Email CCs: Up to three additional email addresses can be added to receive alerts.
  • Alert me after: This is the trigger that fires an alert email. If the conditions defined by the filter are met the specified number of times within an hour, an email alert will be sent.
  • Don't alert me again for: Setting this field to 1 or more whole hours will allow a triggered alert to cool down for that time duration. This is useful for drawing attention to issues that are not immediately threatening, and to help mitigate false alarms and alarm fatigue.
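To make these fields concrete, the following added Python illustration models how such a trigger could be evaluated: it applies the saved filter conditions to the previous hour of log lines, fires once the "Alert me after" count is reached, and suppresses repeats for the whole-hour cool-off. This is not ThreatSTOP's code; the rule and event field names, the constructed log lines, and treating the Severity filter as a minimum level are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass
class AlertRule:                   # field names are assumed for this illustration, not ThreatSTOP's schema
    min_severity: int              # Severity filter: match level >= this (assumed semantics)
    direction: str                 # "Inbound", "Outbound" or "Both"
    internal_cidr: str             # Internal IP range, CIDR or a single longhand address
    alert_after: int               # "Alert me after" N matches within an hour
    cooldown_hours: int            # "Don't alert me again for" H whole hours
    last_fired: datetime = None    # when the alert last fired, if ever
@dataclass
class LogEvent:
    ts: datetime
    severity: int
    direction: str
    internal_ip: str

def matches(rule, ev):             # True when one log line satisfies every saved filter condition
    net = ip_network(rule.internal_cidr, strict=False)   # a longhand address becomes a /32
    return (ev.severity >= rule.min_severity
            and rule.direction in ("Both", ev.direction)
            and ip_address(ev.internal_ip) in net)

def count_matches(rule, events, now):   # matches in the previous hour of logs, the window the check uses
    start = now - timedelta(hours=1)
    return sum(1 for ev in events if start <= ev.ts <= now and matches(rule, ev))

def evaluate(rule, events, now):
    """Decide whether an alert email fires at `now`; records the firing time."""
    if rule.cooldown_hours < 0:
        raise ValueError("cool-off must be a whole number of hours, 0 or more")
    if rule.last_fired and now < rule.last_fired + timedelta(hours=rule.cooldown_hours):
        return False                                     # suppressed during cool-off
    if count_matches(rule, events, now) >= rule.alert_after:
        rule.last_fired = now
        return True
    return False

# Constructed sample log lines (not ThreatSTOP output); for severity >= 4, Outbound, 10.0.0.0/24, three match by 12:00
T = lambda h, m: datetime(2024, 1, 1, h, m)
SAMPLE_EVENTS = [
    LogEvent(T(11, 5), 5, "Outbound", "10.0.0.5"),      # match
    LogEvent(T(11, 20), 4, "Outbound", "10.0.0.9"),     # match
    LogEvent(T(11, 30), 4, "Inbound", "10.0.0.9"),      # wrong direction
    LogEvent(T(11, 50), 5, "Outbound", "192.168.1.4"),  # outside the internal range
    LogEvent(T(10, 30), 5, "Outbound", "10.0.0.3"),     # older than one hour at 12:00
    LogEvent(T(11, 55), 5, "Outbound", "10.0.0.20"),    # match: the third, so the alert fires
]
```

With "Alert me after" set to 3 and a 2-hour cool-off, a second burst of matches at 12:30 is suppressed when checked at 13:00, and the alert can fire again from 14:00.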