Interactive features

Regardless of the display mode (line/grid), the values displayed in the log reading window offer two categories of interactions: ACTION and CONFIGURATION. Right-clicking opens a menu that offers the following actions:

Simple search mode

  • Add this value as a search criterion: shortcut for creating a criterion that searches for the value in the corresponding field across the whole view. This has the same effect as dragging and dropping the value.
  • Go to the corresponding security rule: shortcut to open the Filter and NAT module with the rule that matched the selected log line highlighted.
  • Copy the selected line to the clipboard: copies the data of the selected log row to the clipboard. The same action is performed by clicking Copy under the window displaying the details of the selected row.

Advanced search mode 

  • Add a criterion for this field/value: shortcut for creating a criterion that searches for the value in the corresponding field across the whole view shown. To avoid repeating the value sought, the corresponding column is automatically hidden in the grid view. This has the same effect as dragging and dropping the value.
  • Add a difference criterion to this value: shortcut for creating a criterion that matches any value different from the selected one in the corresponding field, across the whole view shown.
  • Go to the corresponding security rule: shortcut to open the Filter and NAT module with the rule that matched the selected log line highlighted.

IP addresses and host objects

  • Search for this value in the "All logs" view: shortcut to open the "All logs" view filtered by the selected value.
  • Check this host: shows the filter or NAT rules in which this host is used.
  • Show host details: opens a window showing additional information about the selected host:
    • Public IP address reputation,
    • Geolocation,
    • Host reputation,
    • Classification of the URL to which the host has connected,
    • Vulnerabilities,
    • Applications (Internet browsers, mail clients, etc.),
    • Services,
    • Information (detected operating system, etc.),
    • Ping response time and network path (traceroute) to the host.
  • Reset this object's reputation score: resets the reputation score of the selected object to zero.
  • Blacklist this object: places a host, IP address range or network in a blacklist (quarantine). The firewall will reject connections to and from the selected object for a duration chosen in the sub-menu of this action:
    • For 1 minute,
    • For 5 minutes,
    • For 30 minutes,
    • For 3 hours.
    Once this duration has lapsed, the object is allowed through the firewall again, as long as the active security policy permits it.
  • Show IoCs: redirects you to the Stormshield Security website and shows the security details of the selected object:
    • IP address,
    • Country of origin,
    • FQDN,
    • Reputation category or associated web service, if they have been set on the firewall.
  • Add the host to the object base and/or add it to a group: creates a host object and/or adds it to a group directly from a log line. A host identified as vulnerable can, for example, be added to a group with a strengthened protection profile (cf. Technical Note Collaborative security).
    This option appears on fields that contain IP addresses (source, destination) or object names (source name, destination name). A window appears in which you can:
    • Save the object in the database if the field is an IP address,
    • Select the appropriate object if the IP address corresponds to several objects,
    • Add it to an existing group. This group may correspond to a quarantine of predefined vulnerable objects.

In addition to the interactions listed above, hovering over a source IP address or the name of a source host displays a tooltip with the following information (if the administrator has the "Full access to logs (private data)" privilege):

  • Name of the host if it has been defined in the objects database,
  • IP address of the host,
  • Host’s operating system,
  • Number of vulnerabilities detected for the host.

URL

  • Search for this value in the "All logs" view: shortcut to open the "All logs" view filtered by the selected value.
  • Show host details: opens a window showing additional information about the selected host:
    • Public IP address reputation,
    • Geolocation,
    • Host reputation,
    • Classification of the URL to which the host has connected,
    • Vulnerabilities,
    • Applications (Internet browsers, mail clients, etc.),
    • Services,
    • Information (detected operating system, etc.),
    • Ping response time and network path (traceroute) to the host.
  • Reset this object's reputation score: resets the reputation score of the selected object to zero.
  • Blacklist this object: places a host, IP address range or network in a blacklist (quarantine). The firewall will reject connections to and from the selected object for a duration chosen in the sub-menu of this action:
    • For 1 minute,
    • For 5 minutes,
    • For 30 minutes,
    • For 3 hours.
    Once this duration has lapsed, the object is allowed to initiate or accept connections again, as long as the active security policy permits it.
  • Show IoCs: redirects you to the Stormshield Security website and shows the security details of the selected object:
    • IP address,
    • Country of origin,
    • FQDN,
    • Reputation category or associated web service, if they have been set on the firewall.
  • Add the host to the object base and/or add it to a group: creates a host object and/or adds it to a group directly from a log line. A host identified as vulnerable can, for example, be added to a group with a strengthened protection profile (cf. Technical Note Collaborative security).
    This option appears on fields that contain IP addresses (source, destination) or object names (source name, destination name). A window appears in which you can:
    • Save the object in the database if the field is an IP address,
    • Select the appropriate object if the IP address corresponds to several objects,
    • Add it to an existing group. This group may correspond to a quarantine of predefined vulnerable objects.
  • Add the URL to a group: adds a URL to a group directly from a log line. URLs identified as malicious or undesirable can, for example, be added to a customized group that is then subject to URL filtering.
    This option appears on fields that contain URLs (destination name). A window appears in which you can:
    • Add the URL to an existing group. This group may correspond to a category of prohibited URLs, for example.

In addition to the interactions listed above, hovering over a destination URL displays a tooltip with the following information (if the administrator has the "Full access to logs (private data)" privilege):

  • Domain name,
  • Corresponding IP address.
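The "Blacklist this object" action, listed under both IP addresses and host objects and URL above, is a time-bounded quarantine: while the entry lasts it overrides the policy for that host, range or network in both directions, and when it lapses the entry simply disappears and the ordinary rules decide again. The Python below is an added illustration of that behaviour and is not Stormshield code; the entry syntax, the injectable clock, the sample policy and the connections in demo() are assumptions constructed for the example.

```python
"""Time-bounded quarantine modelled on the "Blacklist this object" action.

Added illustration, not Stormshield code. Entry format, the injectable clock
and the sample connections in demo() are assumptions made for the example.
"""
import ipaddress
import time

# Durations offered by the action's sub-menu, in seconds.
DURATIONS = {"1m": 60, "5m": 5 * 60, "30m": 30 * 60, "3h": 3 * 3600}


class Quarantine:
    """Hosts, IP ranges and networks, each with its own expiry time.

    A quarantined object is rejected as source or destination until its entry
    expires; after that, only the normal security policy decides.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._entries = []       # list of (matcher, expires_at, label)

    @staticmethod
    def _matcher(obj):
        """Build a predicate for a host "10.0.0.5", a network "10.0.0.0/24"
        or an inclusive range "10.0.0.10-10.0.0.20"."""
        if "-" in obj:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in obj.split("-", 1))
            if lo.version != hi.version or hi < lo:
                raise ValueError(f"bad range {obj!r}")
            return lambda ip: ip.version == lo.version and lo <= ip <= hi
        if "/" in obj:
            net = ipaddress.ip_network(obj, strict=False)
            return lambda ip: ip in net          # False for a mismatched IP version
        host = ipaddress.ip_address(obj)
        return lambda ip: ip == host

    def blacklist(self, obj, duration):
        """Quarantine obj for one of the menu durations ("1m", "5m", "30m", "3h")."""
        self._entries.append((self._matcher(obj), self._clock() + DURATIONS[duration], obj))

    def is_quarantined(self, ip):
        """True if ip matches an entry that has not expired yet."""
        now = self._clock()
        self._entries = [e for e in self._entries if e[1] > now]   # drop lapsed entries
        addr = ipaddress.ip_address(ip)
        return any(match(addr) for match, _, _ in self._entries)

    def decide(self, src, dst, policy):
        """"reject" while either endpoint is quarantined, else the policy's verdict."""
        if self.is_quarantined(src) or self.is_quarantined(dst):
            return "reject"
        return policy(src, dst)


def demo():
    """Run constructed connections through the quarantine; returns the verdicts."""
    now = [1000.0]                                  # fake clock, advanced by hand
    q = Quarantine(clock=lambda: now[0])
    # Sample policy (constructed): only traffic to 192.0.2.10 is allowed.
    policy = lambda s, d: "pass" if d == "192.0.2.10" else "block"
    q.blacklist("203.0.113.7", "1m")                # a single host
    q.blacklist("198.51.100.0/24", "5m")            # a network
    q.blacklist("10.0.0.10-10.0.0.20", "30m")       # an address range
    v = {}
    v["host"] = q.decide("203.0.113.7", "192.0.2.10", policy)        # reject
    v["network"] = q.decide("192.0.2.10", "198.51.100.99", policy)   # reject
    v["range"] = q.decide("10.0.0.15", "192.0.2.10", policy)         # reject
    v["clean"] = q.decide("10.0.0.30", "192.0.2.10", policy)         # pass
    now[0] += 61                                    # one minute later: host entry lapsed
    v["host_later"] = q.decide("203.0.113.7", "192.0.2.10", policy)     # pass
    v["network_later"] = q.decide("192.0.2.10", "198.51.100.99", policy) # reject
    v["policy_applies"] = q.decide("203.0.113.7", "192.0.2.99", policy)  # block
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>15}: {verdict}")
```

The point of the last three verdicts is the caveat the page makes in one sentence: expiry does not mean "allowed", it means "back to the policy", so a host blacklisted from the log viewer can still be blocked by an ordinary filter rule once the quarantine has lapsed.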

Ports

  • Add the service to the object base and/or add it to a group: creates a port object and/or adds it to a group directly from a log line. Services identified as vulnerable or undesirable can, for example, be added to a group of prohibited services referenced in filter rules.
    This option appears on fields that contain port numbers or service names (source port, destination port, name of the source port, name of the destination port, etc.). A window appears in which you can:
    • Save the object in the database if the field is a port number,
    • Add it to an existing group. This group may correspond to a category of prohibited services.

In addition to the interactions listed above, hovering over a port name displays a tooltip with the following information (if the administrator has the "Full access to logs (private data)" privilege):

  • Port object name,
  • Port number or range of corresponding ports,
  • Protocol,
  • Comments defined in the port object.

Network packets

  • Export the packet: exports the captured packet in pcap format so that it can be analyzed with tools such as Wireshark. For the packet to be captured, the checkbox Capture the packet that raised the alarm must be selected in the configuration of the alarm in question (Application protection > Applications and protections module > Advanced column > click on Configure).
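What Export the packet writes is a standard pcap file, so it can also be triaged from a script when Wireshark is not at hand. The following Python is an added example, not Stormshield code: it reads a classic pcap, checks the magic and link type, and pulls out the fields an analyst looks at first (endpoints, ports, TCP flags, payload, and whether the snaplen truncated the packet). The capture bytes are constructed inline so the example runs offline; the Ethernet link type and the single IPv4/TCP frame are assumptions of the example, not a statement about the firewall's export format.

```python
"""Offline triage of a capture exported with "Export the packet".

Added example, not Stormshield code. The capture is constructed inline
(assumption: classic pcap, Ethernet link type, one IPv4/TCP frame) so it runs
without a real export; a real file is passed as open(path, "rb").read().
"""
import ipaddress
import struct

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4


def build_sample_pcap():
    """Construct a one-packet little-endian pcap (sample data, not a real alarm)."""
    payload = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 45321, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto 6, csum, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                       ipaddress.ip_address("203.0.113.7").packed,
                       ipaddress.ip_address("192.0.2.10").packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    frame = eth + ipv4 + tcp + payload
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1700000000, 123456, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def parse_pcap(data):
    """Return one dict per packet record; raises on anything that is not Ethernet pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"                 # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                 # file written big-endian
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#x})")
    *_, linktype = struct.unpack_from(end + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        packets.append(decode_frame(frame, ts_sec + ts_usec / 1e6, orig_len))
    return packets


def decode_frame(frame, ts, orig_len):
    """Pull the L3/L4 fields an analyst checks first out of an Ethernet frame."""
    info = {"ts": ts, "captured": len(frame), "original": orig_len}
    if len(frame) < 14:
        return dict(info, note="frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        return dict(info, note=f"not IPv4 (ethertype {ethertype:#06x})")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if len(ip) < 20 or ihl < 20 or len(ip) < ihl:
        return dict(info, note="truncated IPv4 header")
    (total_len,) = struct.unpack_from("!H", ip, 2)
    proto = ip[9]
    info.update(src=str(ipaddress.ip_address(ip[12:16])),
                dst=str(ipaddress.ip_address(ip[16:20])), proto=proto)
    l4 = ip[ihl:total_len]           # snaplen may have cut the payload short
    if proto == 6 and len(l4) >= 20:
        sport, dport, _seq, _ack, doff, flags = struct.unpack_from("!HHIIBB", l4, 0)
        info.update(sport=sport, dport=dport, flags=tcp_flags(flags),
                    payload=l4[(doff >> 4) * 4:])
    elif proto == 17 and len(l4) >= 8:
        sport, dport, length, _csum = struct.unpack_from("!HHHH", l4, 0)
        info.update(sport=sport, dport=dport, payload=l4[8:length])
    return info


def tcp_flags(byte):
    names = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
    return [n for i, n in enumerate(names) if byte & (1 << i)]


if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap()):
        print(pkt["src"], pkt.get("sport"), "->", pkt["dst"], pkt.get("dport"),
              pkt.get("flags"), pkt.get("payload", b"")[:40])
```

Two checks worth keeping in mind when reading a real export: compare "captured" with "original", because a difference means the snaplen cut the packet and the payload you see is incomplete; and do not trust the decoded ports and addresses until the magic and link type have been validated, since a file with a different link type (or the pcapng format) will decode into plausible-looking garbage if those checks are skipped.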

Alarms view

  • Configure the alarm: shortcut to open the Applications and Protections - By inspection profile module with the relevant alarm selected automatically.

System events view

  • Configure the system event: shortcut to open the System events module with the relevant event selected automatically.