What do Suspicious Activity Alerts mean?

If you are receiving a Suspicious Activity alert, here is what you need to know

Overview

Untangle has many default alerts configured. They are located under Config > Events > Alerts.

Two of the default alerts are labeled "Suspicious Activity".

[Screenshot: suspicious.png]

The default configuration for these alerts is to alert you whenever the number of sessions from a single IP to the specified protocol exceeds a given threshold. In this case the threshold is 20 sessions in 60 seconds.

NOTE: These alerts are triggered even if Untangle blocked every one of those sessions.

[Screenshot: suspicious_ssh.png]

The only reason a single IP would ever hit that threshold is that it is attempting some sort of brute-force entry.
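To make the threshold rule concrete, here is an added Python illustration (not Untangle's own code) of the counting logic the alert describes: a sliding 60-second window per source IP that counts blocked sessions as well as allowed ones. The session records and their field layout are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample session events, not real Untangle log output.
# Each record: (timestamp, client_ip, server_ip, protocol, blocked)
SAMPLE_SESSIONS = (
    # 25 SSH attempts from one source, one every 2 seconds, all blocked
    [(datetime(2024, 1, 1, 10, 0, i * 2), "203.0.113.5", "192.0.2.10", "SSH", True)
     for i in range(25)]
    # a single legitimate SSH session from another host
    + [(datetime(2024, 1, 1, 10, 0, 30), "198.51.100.7", "192.0.2.10", "SSH", False)]
    # a handful of RDP sessions, well under the threshold
    + [(datetime(2024, 1, 1, 12, 0, i * 10), "198.51.100.7", "192.0.2.10", "RDP", False)
       for i in range(5)]
)


def find_suspicious_activity(sessions, protocol, threshold=20, window_seconds=60):
    """Return one (client_ip, server_ip, trigger_time) per source whose session
    count to `protocol` exceeds `threshold` within any `window_seconds` span.
    The blocked flag is deliberately ignored: blocked sessions count too,
    matching the note in the article."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client_ip -> timestamps still inside the window
    alerts = []
    fired = set()                 # alert once per source, like a real alert rule
    for ts, client, server, proto, _blocked in sorted(sessions):
        if proto != protocol:
            continue
        q = recent[client]
        q.append(ts)
        # drop timestamps that have slid out of the window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and client not in fired:
            # trigger_time is the moment the count crossed the threshold,
            # which is what item 3 of the alert reports
            alerts.append((client, server, ts))
            fired.add(client)
    return alerts


if __name__ == "__main__":
    for client, server, when in find_suspicious_activity(SAMPLE_SESSIONS, "SSH"):
        print(f"Suspicious Activity: {client} -> {server} (SSH) at {when}")
```

Running it reports the 203.0.113.5 source at 10:00:40, the 21st session, while the RDP traffic produces no alert.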


Was the traffic blocked?

Now you need to see if the session was allowed, or if it was blocked. If you are currently logging blocked traffic, then you can look for that blocked session in the reports.

Enable Logging of Blocked Sessions

To determine whether you are logging blocked traffic, go to Config > Network > Advanced > Options:

[Screenshot: options.png]

If you were already logging blocked sessions, you may be able to see the suspicious activity in the reports. If not, enabling it now will not help with this alert: the sessions that triggered it were never recorded, although future ones will be.

However, if you take the information provided by the alert that was sent to you, you can look in the reports to see what happened with it. If it was blocked and you are not logging blocked sessions, then you won't find anything, which is great: it means the traffic never got through.


How to read Alert Data

Here is how you can see what happened with that session.

In the alert below you will find a trove of information.

[Screenshot: suspicious_alert.png]

1. This is the destination IP of the session. It is the device that they were attempting to connect to. In reports this will be the "Server".

2. This is the IP of the device that was attempting to connect into your network. In reports, this will be "Client". 

3. This is the exact time that the number of sessions reached the threshold to trigger the alert. 


Taking the information from the alert, you can look into the reports for that date, time, and/or IP addresses. 


Related Articles for Next Steps 

Using Triggers to block RDP sessions

Reports FAQ
