
Chapter 4 iCenter

This feature may not be available on all platforms. Please check the actual page in the system to see whether your device delivers this feature.

The multi-dimensional views show in depth all the critical assets, risk computers, and threats to the whole network.

Critical Assets

The Critical Assets page displays detailed information about the critical assets and the related threats. Click iCenter and the Critical Assets page is displayed.

Click the name link of a critical asset in the list to view the following information about it:

  • Detailed information: Displays the name of the critical asset, the computer name/IP (if the computer name cannot be identified, the IP is displayed), operating system, status, zone, risk level (the white line points to the risk level of this critical asset), and certainty.
  • Threat information: Displays the kill chain, threats, and mitigation.
    • In the Kill Chain tab, view the attacks and threats to this critical asset in each stage of the kill chain. A highlighted stage means there are attacks or threats in that stage. Click a stage to display all threat information for it, then click a threat name in the list to view the threat details.
    • In the Threats tab, view all attacks and threats from or to the critical asset.
    • In the Mitigation tab, view the mitigation actions and the mitigation rules.
  • Statistical information: Statistics about the applications, traffic, and connections related to the critical asset, including the sessions in which the critical asset is the source IP, the sessions in which it is the destination IP, and the sessions in which it is either.
  • Internal connection: The Risk Computers tab displays information about the computers that interact with the critical asset; the Address tab displays traffic and new sessions of the IPs that interact with the critical asset; the Application tab displays traffic and new sessions of the applications that interact with the critical asset.

Risk Computers

Risk computers are the attacker computers and the victim computers. The Risk Computers tab displays, by threat level, the statistics of all risk computers and the threat information of the whole network. Select iCenter > Risk Computers.

Click a computer name link on the list to view detailed information about the risks, kill chain, and threat details.

  • Detailed information: Displays the computer name/IP (if the computer name cannot be identified, the IP is displayed), operating system, status, zone, risk level (the white line points to the risk level of this risk computer), and certainty.
  • Kill Chain: View the threats to the risk computer in each phase of the kill chain.
  • Threats: View all the threats related to the risk computer.
  • Mitigation: View all the mitigation rules and the details of the mitigation action results for each rule.

    For a Mitigation function introduction, see Mitigation.

Click a threat name link in the list to view the detailed information, source/destination, knowledge base and history of the threat. For a detailed description, see the next section, Threat.

Threat

The Threat tab collects statistics on and displays all threat information of the whole network within the specified period. Click iCenter, and then click the Threat tab.

Click a threat name link in the list to view the detailed information, source/destination, knowledge base and history of the threat.

  • Threat Analysis: The content of the Threat Analysis tab differs depending on which detection engine reported the threat.
    • Anti Virus/IPS: Displays the detailed threat information; you can view or download the evidence packets.

      For the Anti Virus/IPS function introduction, see Anti-Virus/Intrusion Prevention System.
    • Attack Defense/Perimeter Traffic Filtering: Displays the detailed threat information.

      For the Attack Defense/Perimeter Traffic Filtering function introduction, see Attack-Defense/Perimeter Traffic Filtering.
    • Sandbox Threat Detection: Displays the detailed threat information of the suspicious file.

      For the Sandbox function, see Sandbox.
    • Abnormal Behavior Detection: Displays the abnormal behavior detection information.

      For the Abnormal Behavior Detection function introduction, see Abnormal Behavior Detection.
    • Global Blacklist: Displays the global blacklist information.

      For the Global Blacklist function introduction, see Global Blacklist.
    • Advanced Threat Detection: Displays the advanced threat detection information, malware reliability information, etc.

      For the Advanced Threat Detection function introduction, see Advanced Threat Detection.
    • Anti-Spam: Displays the spam filter information, such as the sender and subject of the spam.

      For the Anti-Spam information, see Antispam.

  • Knowledge Base: Displays the description, solution, etc. of the specified threat, for threats detected by IPS, Abnormal Behavior Detection and Advanced Threat Detection.
  • Threat History: Displays the historical information of the selected threat across the whole network.
  • Admin Action: Click to modify the threat state (Ignore, Confirmed, False Positive, Fixed).


Threat Intelligence

The system supports uploading some elements from the logs generated by each module, such as IP addresses and domains, to the cloud platform. The cloud platform checks through the threat center whether threat intelligence exists for these elements. You can view the threat intelligence related to an element through the threat intelligence center.

In the threat list, click the threat intelligence icon to display the threat intelligence of the specified object, or hover your cursor over an object and a button appears to its right. Click this button and select "View threat intelligence".

The threat intelligence information displayed is described below.

Option and description:

Details
  • Basic Properties: Displays the network, country, province, ASN and regional Internet registry of the element.
  • IP WHOIS: Displays the details of the IP address, including the IP user and related information.
IP Reverse Lookup
  • Passive DNS Replication: Displays the history of the IP address being resolved into a domain name, including the resolve date and the domain.
  • RDNS Record: Displays the history of reverse resolution, that is, the records of domain names resolved into the IP address.
Related Samples
  • Downloaded Files: Displays the latest files downloaded from this IP address.
  • Contacting Files: Displays the latest files that contacted this IP address when executed.
  • Referring Files: Displays the latest files that contain this IP address.
Related URLs
  • Displays the latest URLs observed by threat intelligence on this IP address.
SSL Certificate
  • HTTPS Certificate: Displays the latest certificate observed in HTTPS connections to the IP address.

White List Management

As the network environment grows more complex, the device generates more and more threat warnings. The generated threat events can be processed by changing the state of the threat (refer to Admin Action). To make it more convenient to deal with future occurrences of the same threats, the system provides a global threat white list function. A threat white list entry consists of a threat name, a source address, and a destination address. When a subsequent threat event matches the threat white list, the system records the hit count and no longer reports the threat.
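The matching and suppression behaviour described above, as an added example that is not Hillstone's own code: a white list entry is a threat name plus source and destination address, and a later event that matches an entry is counted but not reported. Allowing a CIDR network as the address is an assumption of this example, not a documented feature.

```python
"""Added example (not Hillstone code): minimal threat white list matcher."""
import ipaddress
from dataclasses import dataclass


@dataclass
class WhiteListEntry:
    threat_name: str
    source: str       # single IP or CIDR (CIDR support is an assumption here)
    destination: str  # single IP or CIDR
    hits: int = 0     # number of suppressed events, kept for audit

    def matches(self, threat_name: str, src_ip: str, dst_ip: str) -> bool:
        if threat_name != self.threat_name:
            return False
        src_net = ipaddress.ip_network(self.source, strict=False)
        dst_net = ipaddress.ip_network(self.destination, strict=False)
        return (ipaddress.ip_address(src_ip) in src_net
                and ipaddress.ip_address(dst_ip) in dst_net)


class ThreatWhiteList:
    def __init__(self) -> None:
        self.entries: list[WhiteListEntry] = []

    def add(self, threat_name: str, source: str, destination: str) -> None:
        self.entries.append(WhiteListEntry(threat_name, source, destination))

    def process(self, events: list[dict]) -> list[dict]:
        """Return the events that are still reported; matched events only bump the hit count."""
        reported = []
        for ev in events:
            entry = next((e for e in self.entries
                          if e.matches(ev["threat"], ev["src"], ev["dst"])), None)
            if entry is None:
                reported.append(ev)
            else:
                entry.hits += 1
        return reported


# Constructed sample events; names and addresses are made up for illustration.
SAMPLE_EVENTS = [
    {"threat": "SQL Injection", "src": "10.0.0.5", "dst": "192.168.1.10"},   # matches
    {"threat": "SQL Injection", "src": "10.0.0.7", "dst": "192.168.1.10"},   # matches via /24
    {"threat": "SQL Injection", "src": "172.16.0.9", "dst": "192.168.1.10"}, # src outside entry
    {"threat": "Port Scan", "src": "10.0.0.5", "dst": "192.168.1.10"},       # different threat name
]


def run_sample() -> tuple[int, int]:
    """Apply one white list entry to the sample events; returns (reported, hits)."""
    wl = ThreatWhiteList()
    wl.add("SQL Injection", "10.0.0.0/24", "192.168.1.10")
    reported = wl.process(SAMPLE_EVENTS)
    return len(reported), wl.entries[0].hits
```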

Creating a White List

To create a threat white list, take the following steps:

  1. Click iCenter, and select the Threat tab.
  2. Select the threat entry that needs to be added to the white list, and click the threat name link in the list to open the Threat page.
  3. Click to open the Admin Analysis page.
  4. Click the Create White List button.
  5. Click OK.

Viewing the White List

To view the threat white list entries, take the following steps:

  1. Click iCenter.
  2. Click the Whitelist Management tab.

Mitigation

For the Mitigation function introduction, see Mitigation.

Hot Threat Intelligence

The Hot Threat Intelligence page displays intelligence on hot threats on the Internet, including IPS vulnerabilities, viruses and threats detected by the cloud sandbox. You can view the details of the hot threats, or carry out protection operations against them.

Click iCenter > Hot Threat Intelligence to enter the Hot Threat Intelligence page. By default, the threat intelligence list shows the information of the latest year, including the release time, name, type, protection status and operation.

  • Select a time period from the Release Time drop-down list to filter the threat information of that period. Click to add conditions to filter the threat information as needed.
  • Click the button after "Hot Threat Intelligence Push". If it is enabled, the Hillstone Cloud server pushes the latest hot threat intelligence to the system, and once the system receives threat intelligence from the Hillstone Cloud server you are notified in a pop-up window. Otherwise, the Hillstone cloud platform no longer pushes the latest hot threat intelligence; the previously received threat intelligence can only be viewed, and the related protective operations are not allowed.
  • Select a threat intelligence item in the list and the corresponding threat details and protection logs are displayed below the list.
    • Threat Details: You can view the detailed threat information, including the release time, name, signature ID, severity, details, solutions, affected systems and other information (the items may vary slightly for different types of threat):
      • Release Time: Displays the release time of the threat intelligence.
      • Threat Intelligence Name: Displays the threat intelligence name.
      • Signature ID: Displays the corresponding signature ID in the IPS signature database.
      • Severity: Displays the severity of the threat intelligence.
      • Details: Displays the details of the threat intelligence.
      • Solution: Displays the solutions to the threat.
      • Affected Systems: Displays the names of the operating systems that the threat affects.
      • CVE ID: Displays the CVE ID and link of the threat. Click the link to open a new page where you can view the CVE details.
      • Reference Information: Displays links to reference information about the threat. Click a link to open a new page where you can view the details.
    • Protection Log: If the system has been attacked by the threat described in the threat intelligence within the latest month, the protection logs are displayed. Otherwise, the protection log is empty.
  • Click the threat intelligence name in the list, or the corresponding operation ("Protect Now" or "View Details") in the "Operation" column, and the <Hot Threat Intelligence> dialog box pops up. You can view the information about the hot threat intelligence in the dialog.
    • Click <Threat Summary> to view the information about the threat.
    • For some threats in the "Unprotected" status, you can see the corresponding protection solutions in the <Solution> tab. Click the links in sequence according to the steps in the solution, and configure the related functions. Only when you finish all the steps of one solution (if there are multiple solutions, at least one of them) does the threat intelligence status become "Protected".
    • For other threats in the "Unprotected" status, the <Solution> tab is not displayed and you need to take the protective measures on other websites or servers, but the system provides some solutions in the <Threat Details> tab. After the threat is protected, click the Confirm As Protected button and the status of the threat intelligence changes to "Protected".
    • For a threat in the "Protected" status, if it is protected by the system, you can click <Protection List> to view the protective measures, and click "View Details" to view the details of the protective measures.

  Because the operation steps in the <Solution> tab are correlated, follow the steps of the solution in order. For example, if the signature database has not been upgraded, the signature ID is not shown and subsequent protections may be unavailable; after the signature database is upgraded, the subsequent steps may change or some of them may be omitted.

Viewing Hot Threat Intelligence

The system obtains and downloads the latest threat intelligence from the Hillstone cloud server at the set time every day, or when you log in to the system, and the hot threat intelligence list is updated with the new information.

When the "Hot Threat Intelligence Push" function is enabled, each time the system receives new intelligence a New Threat Intelligence notice is displayed in the upper right corner of the page. Hover the mouse over the notification and click "details" to jump to the Hot Threat Intelligence page. On the iCenter > Hot Threat Intelligence page, the new threat intelligence is displayed in pop-up windows for you to view.