Network Devices
Overview
Monitoring and analyzing logs from network devices such as firewalls, routers, and switches to detect and respond to network-related threats, anomalies, and performance issues.
Sample products
- Cisco ASA Firewalls
- Juniper Networks SRX Series Firewalls
- Palo Alto Networks Next-Generation Firewalls
- Fortinet FortiGate Firewalls
Use Case Categories
Category | Description |
---|---|
Network Intrusion Detection | Focuses on detecting and responding to malicious activities or security threats, such as unauthorized access attempts, malware, and other suspicious behavior. Provides real-time alerts for timely mitigation and prevention of security incidents. |
Traffic Anomaly Detection | Identifies abnormal patterns and deviations in network traffic, helping to detect potential security threats or performance issues. Analyzes data flows, bandwidth usage, and communication patterns to ensure the integrity and availability of the network. |
Network Performance Monitoring | Monitors and assesses the overall health and performance of the network infrastructure. Collects and analyzes data related to latency, bandwidth utilization, packet loss, and other key performance indicators to optimize network efficiency and ensure optimal user experience. |
Core Use Cases
Alert Name | Description |
---|---|
Anomaly-based Intrusion Detection | Utilizes anomaly-based detection in network device logs to identify deviations from normal network behavior. Alerts triggered for unusual traffic patterns, unexpected data volumes, or abnormal connection attempts. |
DNS Tunneling Detection | Monitors DNS requests in network device logs to detect potential DNS tunneling activities. Alerts triggered for unusual DNS query patterns, multiple subdomains, or high-frequency DNS requests. |
Port Scanning Detection | Focuses on identifying port scanning activities in network device logs. Alerts triggered for repetitive connection attempts to multiple ports, indicating potential reconnaissance or scanning behavior. |
Bandwidth Spike Detection | Monitors network device logs for sudden spikes in bandwidth usage. Alerts triggered for unexpected increases in data transfer volumes, helping identify potential network congestion or abuse. |
Unusual Protocol Usage Detection | Analyzes network device logs to detect anomalies in protocol usage. Alerts triggered for unexpected or unauthorized protocols in network traffic, identifying potential security risks or policy violations. |
DDoS Attack Detection | Monitors network device logs for signs of Distributed Denial of Service (DDoS) attacks. Alerts triggered for high-frequency connection attempts, unusual traffic patterns, or multiple requests from suspicious IP addresses. |
Protocol Violation Detection | Focuses on detecting violations of network protocols in device logs. Alerts triggered for instances where network traffic does not adhere to expected protocols, identifying potential malicious activities or misconfigurations. |
Latency Monitoring | Monitors network device logs for latency issues. Alerts triggered for abnormal delays in data transmission, identifying potential network performance problems or suspicious activities. |
Packet Loss Detection | Analyzes network device logs for packet loss occurrences. Alerts triggered for instances of dropped or missing packets in network traffic, indicating potential network instability or attacks. |
Bandwidth Utilization Monitoring | Focuses on monitoring bandwidth utilization in network device logs. Alerts triggered for sustained high or low bandwidth usage, helping organizations optimize network resources and detect potential abuse or misconfigurations. |
Device Health Monitoring | Monitors the health of network devices through logs. Alerts triggered for abnormal device behaviors, hardware failures, or connectivity issues, allowing proactive identification of potential network infrastructure problems. |
MITRE ATT&CK
T1107, T1560, T1071, T1568, T1046, T1168, T1057, T1040, T1606, T1571, T1498, T1499, T1475, T1601, T1570