Web Activity

by David Schwalenberg
May 14, 2014

This dashboard presents web activity detected in the last 72 hours, with some 7-day trending. This dashboard can be used to monitor web accesses and look for suspicious or potentially unauthorized activity.

For a procedure to get sorted lists of websites accessed, see Use SecurityCenter to Obtain a List of Websites Accessed.

The dashboard and its components are available in the SecurityCenter Dashboard app feed, an app store of dashboards, reports, and assets.

The dashboard requirements are:

  • SecurityCenter 4.8
  • PVS 4.0.1
  • LCE 4.2.2

Note that this dashboard relies on PVS detections being forwarded to the LCE. Make sure that the PVS is configured to send syslog messages to the LCE: in Configuration > PVS Settings > Syslog, include the LCE host (with port 514) in the Realtime Syslog Server List. The LCE listens for syslog messages by default.

Listed below are the included components:

  • Web Activity - Suspicious Activity Detected in Last 72 Hours - This matrix presents detections of potentially suspicious web activity that have occurred in the last 72 hours. Red indicators signify activity of high severity; orange indicators signify activity that is less severe, but warrants further investigation.
  • Web Activity - SSL Activity Detected in Last 72 Hours - This matrix presents informational indicators of SSL events that have occurred in the last 72 hours, including access to cloud file storage, access to social media (such as Facebook or Twitter), access to media/communication services (such as Netflix or Skype), access to anonymous proxy services (which allow anonymous access to the Internet), access to services commonly used for sensitive data, and access to services used for processing credit card transactions.
  • Web Activity - Top-Level Domain Accesses in Last 72 Hours - This matrix presents informational indicators of top-level domains of interest accessed in the last 72 hours. This component can be altered to add or remove top-level domains of interest as needed. These indicators use the Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events, which all provide lists of domains accessed; searches are performed within these events to find specific domains of interest. Each summary event for a given IP address provides the domains accessed by that IP since the last such event for that IP (which may be as often as hourly). This component can be altered to add or remove domains of interest as needed. If failed attempts to access domains do not need to be tracked, remove the Domain_Failure_Summary event from the filter for these indicators. Note that the PVS-DNS_Top_Level_Domain_Queries event is not used here, as its output will not necessarily be limited to the last 72 hours.
  • Web Activity - Potentially Unauthorized Accesses in Last 72 Hours - This matrix presents warning indicators of popular but potentially unauthorized domains of interest accessed in the last 72 hours. This component can be altered to add or remove domains of interest as needed. These indicators use the Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events, which all provide lists of domains accessed; searches are performed within these events to find specific domains of interest. Each summary event for a given IP address provides the domains accessed by that IP since the last such event for that IP (which may be as often as hourly). This component can be altered to add or remove domains of interest as needed. If failed attempts to access domains do not need to be tracked, remove the Domain_Failure_Summary event from the filter for these indicators.
  • Web Activity - 7-Day Trend of SSL Activity - This chart presents a 7-day trend graph of various SSL events, including access to cloud file storage, access to social media (such as Facebook or Twitter), and access to media/communication services (such as Netflix or Skype).
  • Web Activity - 7-Day Trend of Potentially Unauthorized Accesses - This chart presents a 7-day trend graph of accesses to popular but potentially unauthorized domains, including several games, video, dating, torrent, and porn sites. This component can be altered to add or remove domains of interest as needed. This chart uses the Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events, which all provide lists of domains accessed; searches are performed within these events to find specific domains of interest. Each summary event for a given IP address provides the domains accessed by that IP since the last such event for that IP (which may be as often as hourly). This component can be altered to add or remove domains of interest as needed. If failed attempts to access domains do not need to be tracked, remove the Domain_Failure_Summary event from the filter in each series.