
Building a geo attack map with the Scrutinizer API

jimd

Every once in a while I get the opportunity to sit down and work on things that are outside of the box when it comes to Scrutinizer. Well, this month was the perfect one for that. For a long time, I’ve wanted to create a geolocation-based heatmap of countries that are being visited on the network. Honestly, I have always had a fondness for heatmaps and attack maps, specifically geo-heatmaps. With that in mind, I decided to build a script that outputs countries and their hits. I’ll then take that data and populate an open source digital heat/attack map.

Geo attack map

Why, you might ask? I mean, we already have a Top Countries gadget. Why do we need something else? Good question! The value for this experiment is twofold.

First, having a different way to see dynamic data is always a good option. NetOps sees things differently than SecOps, right? As I’ll demonstrate, being alerted and then seeing that threat on a dynamic global attack map would be extremely valuable to the SecOps team.

Second, this is also a great example of how Scrutinizer can be extremely flexible and can accommodate many of the unique requests that our customers ask for.

First, let’s create the report

You have a lot of flexibility with Scrutinizer. With it, you can easily create a report of countries and the source or destination of their associated conversations, but you are not limited to just that. As a matter of fact, one of our most talented support engineers used a similar model in her post about using metadata for IoT Security.

Scrutinizer report filters

Remember, Scrutinizer can filter and build a report on any of the elements that are provided in the exporter’s flow. For my example, I’ll create a simple five-minute report that uses data from my core router.

As expected, most of our traffic was coming from the US. Next on the list was a section marked “UNKNOWN.” The unknown traffic is usually internal traffic that we can’t detect and assign a geolocation to. In my case, I decided to exclude both the US and unknown traffic from my report. This gave me a clearer picture of international traffic on our network. As a side note, you could build an IP group that defines your internal IPs and exclude that. This method would allow you to comfortably lessen the amount of unknown traffic you see in the report, while still giving you visibility into anything UNKNOWN that popped up. This way, you would still be aware if something abnormal was happening.

Finally, I made sure to save the report and then moved on to building an alert that would monitor this traffic.

Next, let’s add an alert

Now that I have the data that I wanted, I need to build an alert that notifies me when a certain country exceeds a certain level of traffic.

Scrutinizer: adding an alert

To do this, I clicked on the Filter button located on the left side of the screen under Device Manager. In the new popup window, I clicked on the Threshold option. Here I can set the threshold for the report I just created. You will see that there are two options to base the threshold on: Total or Per row. As you might have guessed, the total option bases the threshold on the total amount of traffic generated. In this case, I decided to set the threshold per row on the report, since I was more interested in traffic per country.

After a quick look at my data, I figured out that anything above 1M of traffic from any one of the non-filtered countries might be something that I would want to investigate further. Now all I had to do was click the Save Threshold button and the threshold was set!

Notification profile

The next popup screen asks you which notification profile you want to use. Remember that the notification profile is a list of actions that can be taken when the threshold is violated. Here I chose my tried and true testJimmyd profile, which will send an email alert to two email addresses. REMEMBER: you are not just limited to sending emails with your alerts. To learn more, check out the Creating Thresholds and Notifications section of the Scrutinizer manual.

Finally, let’s get the data

Scrutinizer Reporting API: raw data for attack map

Now that I can see the data that I am looking for, and I’ve added a threshold to create a monitoring tool, I need to get the raw data so I can integrate it with the external geo-heatmap engine.

One of the stronger features of the Scrutinizer Reporting API is the ability to grab the raw data from any report that you generate. Best of all, Scrutinizer will provide you with a standardized JSON object that can be easily called from other applications or scripts.

To generate the JSON call, all you have to do is click on the Filter button and then from the popup window, select the Report JSON (API) tab. Now copy this info and use it to build the integration script needed for the mapping engine.
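The integration script is the subject of the next post, but here is an added example (not the post's or Plixer's own code) of the two steps the sections above describe: applying the "Per row" 1M threshold with the US and UNKNOWN rows excluded, and turning the report JSON into per-country weights a heat map can consume. The nested `report.table.rows` layout and the `country`/`bytes` field names are assumptions, since the post does not show the real Report JSON (API) output.

```python
import json
from collections import defaultdict

# Constructed sample response. The exact shape of Scrutinizer's "Report JSON (API)"
# output is an assumption here; adapt the key paths in report_rows() to the real one.
SAMPLE_REPORT_JSON = json.dumps({
    "report": {"table": {"rows": [
        {"country": "US",      "bytes": 5200000},
        {"country": "UNKNOWN", "bytes": 3100000},
        {"country": "DE",      "bytes": 1450000},
        {"country": "DE",      "bytes": 200000},
        {"country": "CN",      "bytes": 990000},
        {"country": "BR",      "bytes": 12000},
    ]}}
})

# Countries left out of the map, as in the post (home country plus unresolved geo).
EXCLUDED = {"US", "UNKNOWN"}
PER_ROW_THRESHOLD = 1_000_000   # the post's "anything above 1M" per row


def report_rows(report_json, excluded=EXCLUDED):
    """Yield (country, bytes) for every row whose country is not excluded."""
    rows = json.loads(report_json)["report"]["table"]["rows"]
    for row in rows:
        country = row.get("country") or "UNKNOWN"   # missing geo counts as UNKNOWN
        if country not in excluded:
            yield country, int(row["bytes"])


def threshold_violations(report_json, threshold=PER_ROW_THRESHOLD):
    """Mirror the 'Per row' threshold option: each row is judged on its own,
    so the two DE rows are not summed before the comparison."""
    return [(c, b) for c, b in report_rows(report_json) if b > threshold]


def country_hits(report_json):
    """Sum bytes per country for the map (rows for one country are merged)."""
    totals = defaultdict(int)
    for country, nbytes in report_rows(report_json):
        totals[country] += nbytes
    return dict(totals)


def heatmap_payload(report_json):
    """Normalise per-country totals to 0..1 weights, largest first; an empty
    report yields an empty list instead of dividing by zero."""
    hits = country_hits(report_json)
    top = max(hits.values(), default=0)
    if top == 0:
        return []
    return sorted(({"country": c, "bytes": b, "weight": round(b / top, 3)}
                   for c, b in hits.items()),
                  key=lambda e: e["weight"], reverse=True)


if __name__ == "__main__":
    print(json.dumps(heatmap_payload(SAMPLE_REPORT_JSON), indent=2))
    print("alert rows:", threshold_violations(SAMPLE_REPORT_JSON))
```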

To learn more about our reporting API engine, check out the Using the Reporting API section of the Scrutinizer manual. In my next post, we will use Python to generate the data, automate its creation, and build the call needed to generate the attack map. Until then, remember this: in today’s world there isn’t a one-stop solution to network security. The ability to easily integrate data into another application is what makes the strongest toolbox. Are you looking for conversation-rich visibility along with the flexibility to integrate that data into your current environment? Why not evaluate Scrutinizer?