Classifying Blocked Traffic
Question
Does the Xshield security platform have the ability to classify the blocked traffic when the servers are fully enforced by zero trust policies?
Answer
Assets in enforced states will generate blocked traffic events for traffic that does not match the zero trust policies. These events will show under the Monitoring section on the Xshield security platform.
Today, the Xshield security platform has no built-in intelligence to inspect this blocked traffic and classify it for further action. This must be done by customers using their own playbooks.
This note provides some guidance on the type of playbook a customer can build to review and classify these blocked communications.
Inspection Criteria
The blocked traffic data collected by the Xshield security platform can be forwarded to the customer's SIEM for SOC analysts to act on.
Customers should review the following checks and incorporate them into their procedures.
- Port/Protocol: verify that the service is allowed by the enterprise
- Internet vs Intranet: verify against company IT policies on Internet and Intranet communications
- Source IPs:
  - Managed assets: tags (Location, Environment, App, Role, etc.)
  - Unmanaged IPs: CIDRs, Named networks
- Destination IPs:
  - Managed assets: tags (Location, Environment, App, Role, etc.)
  - Unmanaged IPs: CIDRs, Named networks
Classification
After the review, the analyst should classify the blocked communication as one of the following:
- Concerning: requires an investigation
- Benign: can be ignored/dismissed
- Misconfiguration: talk to the asset owner to fix it
- Legitimate: modify the policy to allow it
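The following script is an added illustration of such a playbook, not code from the Xshield platform or any customer. It applies the inspection criteria above in order to a batch of blocked-traffic events and buckets each one into the four classifications. The CIDRs, service allowlist, asset tags, named network and event records are all constructed for the example.

```python
import ipaddress

# Constructed, hypothetical environment data (not Xshield or customer values).
INTRANET = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]
APPROVED_SERVICES = {("tcp", 443), ("tcp", 22), ("tcp", 5432), ("udp", 53)}
ASSET_TAGS = {  # managed assets and their inventory tags
    "10.1.2.10": {"env": "prod", "app": "billing", "role": "web"},
    "10.1.2.20": {"env": "prod", "app": "billing", "role": "db"},
    "10.9.0.5": {"env": "dev", "app": "sandbox", "role": "test"},
}
NAMED_NETWORKS = {"scanners": ipaddress.ip_network("10.200.0.0/24")}  # unmanaged, known

def in_any(ip, networks):
    return any(ipaddress.ip_address(ip) in n for n in networks)

def classify(event):
    """Apply the inspection criteria in order; return (verdict, reason)."""
    src, dst, proto, port = event["src"], event["dst"], event["proto"], event["port"]
    # 1. Port/protocol: a service the enterprise does not allow anywhere
    if (proto, port) not in APPROVED_SERVICES:
        return "Concerning", "unapproved service %s/%d" % (proto, port)
    # 2. Internet vs intranet: these servers are not expected to reach the Internet
    if not in_any(dst, INTRANET):
        return "Concerning", "Internet destination %s" % dst
    # 3/4. Source and destination: compare managed-asset tags
    s, d = ASSET_TAGS.get(src), ASSET_TAGS.get(dst)
    if s and d:
        if s["env"] != d["env"]:
            return "Misconfiguration", "%s asset reaching %s asset" % (s["env"], d["env"])
        if s["app"] == d["app"]:
            return "Legitimate", "%s->%s flow within app %s" % (s["role"], d["role"], s["app"])
        return "Concerning", "cross-app flow %s->%s" % (s["app"], d["app"])
    # Unmanaged source in a known named network probing a managed asset
    if d and in_any(src, [NAMED_NETWORKS["scanners"]]):
        return "Benign", "scanner probe from %s" % src
    return "Concerning", "unmanaged endpoint %s" % (dst if s else src)

def triage(events):
    """Bucket a batch of blocked-traffic events by verdict for the SOC queue."""
    buckets = {}
    for e in events:
        verdict, reason = classify(e)
        buckets.setdefault(verdict, []).append((e["src"], e["dst"], reason))
    return buckets

SAMPLE_EVENTS = [  # constructed blocked-traffic events, as exported to a SIEM
    {"src": "10.1.2.10", "dst": "10.1.2.20", "proto": "tcp", "port": 5432},
    {"src": "10.9.0.5", "dst": "10.1.2.20", "proto": "tcp", "port": 5432},
    {"src": "10.200.0.7", "dst": "10.1.2.10", "proto": "tcp", "port": 443},
    {"src": "10.1.2.10", "dst": "203.0.113.9", "proto": "tcp", "port": 443},
    {"src": "10.1.2.10", "dst": "10.1.2.20", "proto": "tcp", "port": 4444},
]
```

Running `triage(SAMPLE_EVENTS)` yields one Legitimate, one Misconfiguration, one Benign and two Concerning events; the reason strings are what an analyst would carry into the ticket or policy change.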