Deep Discovery Inspector uses the IP address lists and ranges defined in the Monitored Network Group to determine whether attacks originate from inside or outside the network. If the monitored network is not defined or is set incorrectly, that determination can also affect the severity assigned to detections, the identification of affected hosts, and the trigger criteria of certain rules.
To help Deep Discovery Inspector determine where malicious traffic is coming from, and to help administrators identify events in the detection logs more easily, Trend Micro recommends the following:
- Configure the IP addresses to establish groups of monitored networks, and assign descriptive network group names so that it is easy to identify which network an IP address belongs to.
The following image shows a malware download sample from a detection log when monitored network groups are defined. According to the Network Group information, the file landed on a machine within the Threat Lab network subgroup, which is under the Default network group profile.
Malware download sample of a detection log
In the Administration > Network Groups and Assets section of the DDI web console, all monitored Network Groups are listed together with their subgroups.
DDI provides a “Default” network group containing the IP address blocks reserved by the Internet Assigned Numbers Authority (IANA) for private networks. The following image shows the IP ranges defined inside the “Default” network group.
IP Address Range list
To configure or customize the monitored Network Groups, administrators can add new subgroups (up to three layers of subgroups) under the “Default” network group profile, or create new network groups with their own IP address ranges. To do so:
- Go to Administration > Network Groups and Assets > Network Groups.
- Click Add. The Network Groups window appears.
- Type a group name (e.g. "Finance network", "IT network", or "Administration").
- Use a dash character to assign an IPv4/IPv6 address range, or specify the subnet mask/prefix for the IP addresses (up to 1,000 IP address ranges).
- Select the Network zone: “Trusted” indicates a secure network and “Untrusted” indicates a degree of doubt about the security of the network.
- Click Add.
- Click Save.
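The following is an added example, not Trend Micro code, that models the group configuration described above: it parses range entries in the two forms the console accepts (a dash-separated start-end range or an address with a subnet mask/prefix), enforces the three-subgroup-layer and 1,000-range limits, and then locates a detection's endpoints in the group tree so that an analyst can see the "inside or outside" decision and the most specific subgroup for a host. The group layout, the subgroup names, the sample addresses and the inside/outside classification rules are all constructed for illustration; the "Default" group's contents are assumed to be the RFC 1918 and RFC 4193 private blocks, which is what "IANA-reserved private ranges" would normally mean, but the page does not list them.

```python
"""Model of DDI monitored network groups: parse console range entries,
validate the tree, and locate detection endpoints in it.

Added example, not Trend Micro code. Group layout is constructed; the
"Default" ranges are assumed (RFC 1918 / RFC 4193 private blocks).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

MAX_SUBGROUP_LAYERS = 3      # limit stated in the article
MAX_RANGES_PER_GROUP = 1000  # limit stated in the article


def parse_range(entry: str) -> List[IPNetwork]:
    """Parse one console entry: 'start-end' dash range or 'address/prefix'."""
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = (p.strip() for p in entry.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry!r}")
        # minimal set of prefixes covering the span
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]


@dataclass
class NetworkGroup:
    name: str
    zone: str                      # "Trusted" or "Untrusted"
    ranges: List[str]              # entries exactly as typed in the console
    subgroups: List["NetworkGroup"] = field(default_factory=list)
    networks: List[IPNetwork] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        if self.zone not in ("Trusted", "Untrusted"):
            raise ValueError(f"{self.name}: zone must be Trusted or Untrusted")
        if len(self.ranges) > MAX_RANGES_PER_GROUP:
            raise ValueError(f"{self.name}: more than {MAX_RANGES_PER_GROUP} ranges")
        for entry in self.ranges:
            self.networks.extend(parse_range(entry))


def validate_depth(group: NetworkGroup, layer: int = 0) -> None:
    """Reject trees deeper than a top-level group plus three subgroup layers."""
    if layer > MAX_SUBGROUP_LAYERS:
        raise ValueError(f"{group.name}: exceeds {MAX_SUBGROUP_LAYERS} subgroup layers")
    for sub in group.subgroups:
        validate_depth(sub, layer + 1)


@dataclass
class Location:
    inside: bool
    path: str             # e.g. "Default > Threat Lab"; "" when outside
    zone: Optional[str]   # zone of the most specific matching group


def locate(groups: List[NetworkGroup], address: str) -> Location:
    """Deepest group (then longest prefix) whose ranges contain the address."""
    addr = ipaddress.ip_address(address)
    best: Optional[Tuple[Tuple[int, int], List[str], str]] = None

    def walk(group: NetworkGroup, path: List[str]) -> None:
        nonlocal best
        here = path + [group.name]
        for net in group.networks:
            if net.version == addr.version and addr in net:
                rank = (len(here), net.prefixlen)
                if best is None or rank > best[0]:
                    best = (rank, here, group.zone)
        for sub in group.subgroups:
            walk(sub, here)

    for g in groups:
        walk(g, [])
    if best is None:
        return Location(False, "", None)
    return Location(True, " > ".join(best[1]), best[2])


def traffic_direction(groups: List[NetworkGroup], src: str, dst: str) -> str:
    """Simplified (assumed, not DDI's own) inside/outside classification."""
    s, d = locate(groups, src).inside, locate(groups, dst).inside
    if s and d:
        return "internal"
    if d:
        return "inbound"
    if s:
        return "outbound"
    return "external"


# Constructed sample layout (names and ranges are not from the page).
MONITORED = [
    NetworkGroup("Default", "Trusted",
                 ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"],
                 subgroups=[
                     NetworkGroup("Threat Lab", "Untrusted", ["192.168.50.0/24"]),
                     NetworkGroup("Finance network", "Trusted", ["10.10.1.1-10.10.1.254"]),
                 ]),
]
validate_depth(MONITORED[0])

if __name__ == "__main__":
    for ip in ("192.168.50.23", "10.10.1.100", "10.200.0.1", "203.0.113.9"):
        print(ip, locate(MONITORED, ip))
    print(traffic_direction(MONITORED, "203.0.113.9", "192.168.50.23"))
```

Running the script prints the group path and zone for each sample address; a host in 192.168.50.0/24 resolves to "Default > Threat Lab" with zone Untrusted rather than to the enclosing Default group, which is the kind of subgroup detail the detection log in the image above relies on. A dash range such as 10.10.1.1-10.10.1.254 is expanded into the smallest set of prefixes that cover it, so arbitrary start-end ranges and prefix entries can be matched with the same containment check.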