Network Groups

By configuring network groups, DDI can determine whether detected attacks originate from within or outside the network, and the registered group name is reflected in detection logs and reports. For example, if network segments are divided by department, such as sales and development, registering these as group names enhances the readability of detection logs and reports.

Content to Configure:

  1. Register the network zone as "Trusted":

    Networks that include machines capable of executing privileged commands or actions, such as management and monitoring systems, should be registered as "Trusted." DDI will identify the configured network as an "Internal Network."

  2. Register the network zone as "Untrusted":

    Networks that are not fully secured, such as those belonging to general intranet machines, should be registered as "Untrusted." DDI will identify the configured network as an "Internal Network."

  3. Not registering the network:

    DDI will identify unregistered networks as "External Networks."

Effects of Configuration:

  • The readability of DDI detection logs and reports is improved for users.
  • The direction of communication (internal to external, external to internal) is clarified.
 
As described above, the "Trusted" network zone of network groups indicates a safe network, while the "Untrusted" network zone indicates a network with some security concerns. However, DDI's detection capabilities have evolved, and it can now identify these network zones collectively as "Internal Networks." If network groups are not configured, items that do not fall under network groups will be displayed as "Not defined."


Registered Domains

By configuring registered domains, false positives can be suppressed.

Content to Configure:
Register the email domains used within the organization or domains considered trustworthy.

Effects of Configuration:

  • False positives can be suppressed.

    Registered domains are treated as trusted, so communications related to these domains are excluded from detection rules such as [Rule ID 29: Unregistered sender and recipient domains - Email].

  • The types of detection events and the determination of [Interested IP (Interested Host)] become more accurate.

    *[Interested IP (Interested Host)] refers to the IP addresses identified by DDI as subjects for investigation based on detection results.


Registered Services

By configuring registered services, DDI can determine trusted servers and services, thereby suppressing false positives. Additionally, this improves the readability of DDI detection logs and reports for users.

Content to Configure:
Register service-providing servers that exist within the range defined as internal networks in the network group settings. The services listed in the Administrator's Guide under the [Adding Registered Services] section are eligible for registration.

Effects of Configuration:

  • False positives are suppressed.

    Registered servers are treated as trusted, so communications related to these servers are excluded from detection rules such as [Rule ID 28: Unregistered service running on non-standard port], [Rule ID 40: Unregistered service], and [Rule ID 52: Unregistered mail server - Email].

  • The types of detection events and the determination of [Interested IP (Interested Host)] become more accurate.

    *[Interested IP (Interested Host)] refers to the IP addresses identified by DDI as subjects for investigation based on detection results.
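As an added illustration, and not DDI's own code or configuration, the following Python sketches the classification logic the three sections above describe: Trusted and Untrusted groups both resolve to an internal network, addresses outside every group resolve to an external network, an empty configuration yields "Not defined", and registered domains exclude mail from the Rule ID 29 check. The CIDRs, group names and domains are constructed sample values, and the exact matching semantics of Rule ID 29 are an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configuration (hypothetical values, not from the page).
# Zone -> group name -> list of CIDRs, mirroring the Trusted/Untrusted zones.
NETWORK_GROUPS = {
    "Trusted": {"Management": ["10.0.0.0/24"]},
    "Untrusted": {"Sales": ["10.1.0.0/16"], "Development": ["10.2.0.0/16"]},
}
# Constructed registered domains (hypothetical).
REGISTERED_DOMAINS = {"example.com", "mail.example.com"}


def classify_host(ip, network_groups=NETWORK_GROUPS):
    """Return (zone, group_name, network_class) for one IP address.

    Trusted and Untrusted zones are both reported as "Internal Network";
    an address outside every configured group is "External Network"; with
    no groups configured at all the field is shown as "Not defined".
    """
    if not network_groups:
        return ("Not defined", "Not defined", "Not defined")
    addr = ip_address(ip)
    for zone, groups in network_groups.items():
        for name, cidrs in groups.items():
            if any(addr in ip_network(c) for c in cidrs):
                return (zone, name, "Internal Network")
    return ("Not defined", "Not defined", "External Network")


def traffic_direction(src_ip, dst_ip, network_groups=NETWORK_GROUPS):
    """Label a flow, e.g. "internal to external", from the two classifications."""
    word = {"Internal Network": "internal", "External Network": "external"}
    src = classify_host(src_ip, network_groups)[2]
    dst = classify_host(dst_ip, network_groups)[2]
    if src not in word or dst not in word:
        return "Not defined"
    return f"{word[src]} to {word[dst]}"


def email_domains_unregistered(sender, recipient, registered=REGISTERED_DOMAINS):
    """Assumed reading of Rule ID 29: flag a message only when neither the
    sender nor the recipient domain is registered. Registered domains are
    trusted, so any mail touching one of them is excluded from the rule."""
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in (sender, recipient)}
    return domains.isdisjoint(registered)
```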