kenn1
Level 7

How Do I pull Out Data For a Particular Country in ESM

0 Kudos
11 Replies
McAfee Employee

Re: How Do I pull Out Data For a Particular Country in ESM

How would you define the data as it relates to a particular country? For instance, would you filter for a geolocation or is there some identifier in the data itself? Thanks.

0 Kudos
kenn1
Level 7

Re: How Do I pull Out Data For a Particular Country in ESM

I want to generate a few Nitro reports/graphs for me regarding traffic attempts to / from a specific country over the last 30 days.

Views (bar or line charts) I would like to see, if they can be generated, are as follows:

  • Inbound attempts
    • Deny vs. Allowed
    • Deny by protocol
    • Allowed by protocol
    • Average attempts per day in aggregate
  • Outbound attempts
    • Deny vs. Allowed
    • Deny by protocol
    • Allowed by protocol
    • Average attempts per day in aggregate
  • Inbound payload
    • Total bytes returned to country's address for inbound attempts per day
    • Total bytes returned to country's address by protocol for inbound attempts per day
    • Average bytes per connection attempt (deny vs. allowed) per day
  • Outbound payload
    • Total bytes sent to country for outbound attempts per day
    • Total bytes sent to country by protocol for outbound attempts per day
    • Average bytes per connection attempt (deny vs. allowed) per day

0 Kudos
rth67
Level 12

Re: How Do I pull Out Data For a Particular Country in ESM

Use the Source / Destination Geo Location information using the "ASN Geo Source ID" or "ASN Geo Dest Source ID"

You can also define Zones and assign the appropriate ASN Geo information for your internal subnets (if using RFC1918 non-routable IP ranges like 10.x.x.x, 172.16.x.x, or 192.168.x.x) - that way you can report on traffic sourced from your offices in Dallas, Chicago, NY, LA, UK, etc...

0 Kudos
kenn1
Level 7

Re: How Do I pull Out Data For a Particular Country in ESM

                        

"Use the Source / Destination Geo Location information using the "ASN Geo Source ID" or "ASN Geo Dest Source ID""

Yes, but I want it for a specific country and all inclusive for that country. Right now it looks like the codes are unique to the cities.

0 Kudos
McAfee Employee

Re: How Do I pull Out Data For a Particular Country in ESM

kenn1 wrote:

How Do I pull Out Data For a Particular Country in ESM

You don't have to drill down to the city. When you reach the country you want, just click OK. Geolocation IDs work like subnets. In this screenshot I'm filtering just on events from China. Note the ID: 1170957893348884480/22.

geodrill.PNG

The part of the report that is a challenge is calculating a daily average of something over a 30-day period. The tool compares 5 increments of like time frames by default. If you're looking at a month's worth of data it's going to show you that data compared to the previous 5 months and display that as an average.

kenn1
Level 7

Re: How Do I pull Out Data For a Particular Country in ESM

So that ASN/GEO Source ID will give me all the China traffic and just China?

0 Kudos
McAfee Employee

Re: How Do I pull Out Data For a Particular Country in ESM

So that ASN/GEO Source ID will give me all the China traffic and just China?

Correct. Using the Filter you can select any continent, country or city.

geodrill2.PNG

0 Kudos
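Added example, not from the thread or from McAfee: a sketch of what "Geolocation IDs work like subnets" implies, assuming the `/22` is a prefix length over a 64-bit ID in the same way a CIDR prefix applies to an IP address, so one country-level filter also matches every more specific ID beneath it. The exported rows, their layout, and every ID other than the one quoted in the reply above are constructed; the daily average is computed over the whole window so that days with no events still count.

```python
from collections import Counter
from datetime import date

ID_BITS = 64  # assumption: geolocation IDs are 64-bit integers


def parse_geo_filter(text):
    """Turn 'ID/prefix' into (network, mask), as for a CIDR block."""
    ident, prefix = text.split("/")
    network, prefix = int(ident), int(prefix)
    if not 0 <= prefix <= ID_BITS:
        raise ValueError("prefix length out of range")
    mask = ((1 << prefix) - 1) << (ID_BITS - prefix)
    if network & ~mask:
        raise ValueError("ID has bits set below its prefix")
    return network, mask


def in_geo(geo_id, flt):
    """True when geo_id shares the filter's leading prefix bits."""
    network, mask = flt
    return (geo_id & mask) == network


def inbound_summary(events, flt, window_days):
    """Deny/allow counts and average attempts per day for one geo filter."""
    hits = [e for e in events if in_geo(e[1], flt)]
    by_action = Counter(action for _, _, action in hits)
    # Divide by the window, not by days that had events, so quiet days count.
    return dict(by_action), len(hits) / window_days


COUNTRY = parse_geo_filter("1170957893348884480/22")  # ID quoted in the thread
BASE = COUNTRY[0]
OTHER = (BASE >> 42) + 1 << 42  # constructed: a different 22-bit prefix

# Constructed export rows: (day, source geo ID, firewall action).
EVENTS = [
    (date(2024, 1, 1), BASE + 5, "deny"),       # more specific ID, same prefix
    (date(2024, 1, 1), BASE + 90210, "allow"),  # another ID under the prefix
    (date(2024, 1, 2), BASE, "deny"),           # country-level ID itself
    (date(2024, 1, 2), OTHER + 7, "deny"),      # outside the prefix
]

if __name__ == "__main__":
    print(inbound_summary(EVENTS, COUNTRY, window_days=30))
```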
kenn1
Level 7

Re: How Do I pull Out Data For a Particular Country in ESM

Any idea how to generate those reports or if canned reports for that type of activity appear anywhere? Do we need to have "flows" set up to track bytes in and out?

0 Kudos
kenn1
Level 7

Re: How Do I pull Out Data For a Particular Country in ESM

"The tool compares 5 increments of like time frames by default."

How do I do this or activate this? Thanks

0 Kudos