Javascript is required for MOREAL Online Documentation to function properly. Please enable Javascript by adjusting your browser settings.

Organizations

This overview page is a list of all the organizations below the parent organization the user belongs to.

A sample Organization Dashboards screen

Depending on both the structural depth of the parent organization the user belongs to and the user’s role, the list shows all the sub-organizations or branches that belong to the parent organization. A branch is considered to be the final level of structural entity on which devices are assigned to.

Branches in this list have three buttons; Security Dashboard and Device Dashboards navigate to the Security Dashboard screen for that branch and to the list of its Device Dashboards respectively. Most active IPs is a new button which allows someone to navigate to the Active IPs screen (see the next section) for that branch. This button is enabled only when, for a given branch, there are logs received & processed by MOREAL during the last 24 hours. This button may not be available in blocked organizations due to quota restrictions.

On the other hand, sub-organizations (which are not branches per the terminology defined above) in this list have two buttons; the Security Dashboard button navigates to the sub-organization’s Security Dashboard. The Branches button navigates and to a deeper level list of the sub-organization that is consisted of its branches.


Most active IPs

The new Active IPs section is the entry point to IP profiles. For a given organization branch, this screen displays a list of the most active internal (i.e. within an organization) IPs as observed in the last 24 hours (or a configurable time-range).

Sample Active IPs page

Active IPs are ranked and selected based on the following metrics:

  • Total connections
  • Total firewall blocks
  • Total threat events

Selecting one of the listed IPs allows one to navigate to the IP Profile of this entity. For more information regarding the meaning of the above metrics please consult the MOREAL Metrics documentation.

Signatures

For each organization a new Signature button has been introduced for downloading a file with suggested Snort Rules.

The suggested signatures are produced by the ThreatIQ Decision Maker component.

For each organization we analyze the Decision Maker alerts in order to extract 
the most significant external IPs found in relevant ThreatDB alerts and threat events. 
Therefore, generated signatures  are provided to protect from specific external public IPs 
that have been reported either by ThreatDB or appliance’s threat events. 
For more information, refer to Decision Maker technical article

A SNORT Signature format is:

action proto src_ip src_port direction dst_ip dst_port (options)

A SNORT Signature example:

alert udp 94.66.56.38 any -> $HOME_NET 39139 (msg:"Possible malicious traffic from 94.66.56.38 detected";
flow:to_server; fast_pattern:only; metadata:ruleset community; classtype:malicious-traffic; rev:2017.7)

 

Information included in Signature file names:

  • Signatures
  • Organization ID as registered by MOREAL
  • Datetime in UTC (format:yyyyMMddHHmmss)

e.g  signatures_3_20171107115512.txt

 

Above file is updated every hour and contains last 7-day generated Signatures.

More information about the SNORT Signatures format can be found here.