Threat Activity Monitoring

You can monitor threat activities in Trace Explorer.

Application Performance Monitoring (APM) monitors activity coming from sources that the Oracle Cloud Infrastructure (OCI) Threat Intelligence service has identified as threats. APM looks at the client IP address recorded in the traces and spans it collects and, through its integration with Threat Intelligence, automatically receives the threat information for any IP address that has been identified as a threat indicator and attaches it to the span. Threat Intelligence aggregates threat intelligence data from many different sources and provides guidance for threat detection and prevention. For more information, see Threat Intelligence.

When the Client IP address reported in a span is identified as a threat indicator (suspicious) by Threat Intelligence, APM receives the threat information and records it in the following span attributes:
  • ClientIpThreatConfidence: Overall confidence of the threat(s) associated with one threat indicator (the IP address).
  • ClientIpThreatType: Threat type. For a complete list, see Threat Indicator Database Threat Types from Threat Intelligence.

If the IP address is not identified as a potential threat, the above span attributes are not present at all (they are omitted rather than set to an empty value), which is why the queries below filter on the attribute being "not omitted".

View and Explore Threat Activities

Use the Threat Activity Monitoring dashboard to view threat activities and their impact on the application. Trace Explorer enables you to explore spans for detection of potential threats.

Run the following query in Trace Explorer to check for potential threats:

SHOW (SPANS)
    count(*) as Count,
    ClientIpThreatType, ClientIpThreatConfidence 
WHERE (ClientIpThreatConfidence is not omitted)
GROUP BY ClientIpThreatType, ClientIpThreatConfidence 

Result: One row for each combination of ClientIpThreatType and ClientIpThreatConfidence found in spans whose client IP address is a threat indicator in the Threat Intelligence database, with the number of matching spans in the Count column.

To view an individual span, click the Actions icon and select Show Span Details.

Additional Query Examples:

  • The following query shows potential threats and their maximum threat score using the geomap view:

    SHOW (TRACES)
       geoCountryCode, count(*) as "Traces",
       sum(ErrorCount) as "Errors", sum(PageViews) as "Page Views",
       sum(ConnectTime) as "Total connect time",
       max(ClientIpThreatConfidence) as "Threat Confidence"
    WHERE ClientIpThreatType is not omitted and geoCountryCode is not omitted
    GROUP BY geoCountryCode
  • The following query shows suspicious IP addresses, their geographical location (city and country), threat type and threat confidence:

    SHOW TRACES case
     when ClientIpThreatType is omitted
     then 'No Threat IP'
     else ClientIp end as "IP Address",
     ClientIpThreatType as "Threat Type",
     percent_of_items() as "% of activity",
     count(*) as Count,
     max(GeoCountry) as Country,
     max(GeoCity) as City,
     max(ClientIpThreatConfidence) as "Threat Confidence"
    GROUP BY case when ClientIpThreatType is omitted then 'No Threat IP' else ClientIp end, ClientIpThreatType
    ORDER BY percent_of_items() desc timeseries for count(*)
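The following Python script is an added example, not part of this page or of the APM service, that models what the queries above operate on: a span either carries both threat attributes (when its ClientIp is a threat indicator) or neither, and the aggregations then group on those attributes. The threat indicator table and the spans are constructed sample data; the real enrichment is performed by APM from Threat Intelligence, and the function and field names other than ClientIp, ClientIpThreatType, ClientIpThreatConfidence and GeoCountry are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed threat indicator table (assumption: illustrative only, not real
# Threat Intelligence data). One IP can carry several threat types, each with
# its own confidence score.
THREAT_INDICATORS = {
    "203.0.113.7": [("scanner", 85), ("malware", 40)],
    "198.51.100.9": [("phishing", 60)],
}

# Constructed spans; ClientIp is the only field the enrichment looks at.
SAMPLE_SPANS = [
    {"SpanName": "GET /login", "ClientIp": "203.0.113.7", "GeoCountry": "US"},
    {"SpanName": "GET /login", "ClientIp": "203.0.113.7", "GeoCountry": "US"},
    {"SpanName": "POST /api/pay", "ClientIp": "198.51.100.9", "GeoCountry": "DE"},
    {"SpanName": "GET /", "ClientIp": "192.0.2.44", "GeoCountry": "FR"},
]


def enrich_span(span, indicators=THREAT_INDICATORS):
    """Return a copy of the span with ClientIpThreatType and
    ClientIpThreatConfidence added only when ClientIp is a known indicator.
    The type kept is the one with the highest score (what span details show);
    a non-threat IP gets neither attribute, so it stays 'omitted'."""
    out = dict(span)
    hits = indicators.get(span.get("ClientIp"), [])
    if hits:
        threat_type, confidence = max(hits, key=lambda h: h[1])
        out["ClientIpThreatType"] = threat_type
        out["ClientIpThreatConfidence"] = confidence
    return out


def threat_summary(spans):
    """Equivalent of the first Trace Explorer query: count spans grouped by
    (ClientIpThreatType, ClientIpThreatConfidence), keeping only spans where
    the confidence attribute is present ('is not omitted')."""
    counts = Counter(
        (s["ClientIpThreatType"], s["ClientIpThreatConfidence"])
        for s in spans
        if "ClientIpThreatConfidence" in s
    )
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def per_ip_summary(spans):
    """Per-IP view like the third query: flagged IPs are listed individually
    with their max confidence and share of activity, everything else is
    collapsed into one 'No Threat IP' row."""
    rows = defaultdict(lambda: {"Count": 0, "Threat Type": None, "Threat Confidence": None})
    for s in spans:
        key = s["ClientIp"] if "ClientIpThreatType" in s else "No Threat IP"
        row = rows[key]
        row["Count"] += 1
        if "ClientIpThreatConfidence" in s:
            row["Threat Type"] = s["ClientIpThreatType"]
            conf = s["ClientIpThreatConfidence"]
            prev = row["Threat Confidence"]
            row["Threat Confidence"] = conf if prev is None else max(prev, conf)
    total = len(spans)
    return {
        ip: dict(r, **{"% of activity": round(100 * r["Count"] / total, 1)})
        for ip, r in rows.items()
    }


if __name__ == "__main__":
    enriched = [enrich_span(s) for s in SAMPLE_SPANS]
    for (threat_type, confidence), count in threat_summary(enriched):
        print(f"{count:>3}  {threat_type:<10} {confidence}")
    for ip, row in per_ip_summary(enriched).items():
        print(ip, row)
```

Running the script prints two flagged rows (scanner/85 with two spans, phishing/60 with one) and a per-IP table in which 192.0.2.44 appears only inside the "No Threat IP" row, mirroring how the queries behave once APM has populated the attributes.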

Check Spans Details

Span details show all the attributes of an individual span. For potential threats, review the value of the following attributes: ClientIpThreatType and ClientIpThreatConfidence.

Both attributes are populated only in spans whose ClientIp was identified as a threat indicator; spans from other IP addresses carry neither attribute.

Note

Span details list only the threat type with the highest score for the IP address. For the complete list of threat types and scores reported for that IP address, check Logs from Span details.

To get more information about the detected threat indicator (suspicious IP address), potential implications and recommendations, see Threat Intelligence service.