Threat Activity Monitoring
You can monitor threat activities in Trace Explorer.
Application Performance Monitoring (APM) monitors activities executed by threats as identified through integration with the Oracle Threat Intelligence service. It provides visibility to threats using the IP address from the traces and spans collected based on the information from Threat Intelligence, a service from Oracle Cloud Infrastructure (OCI). APM is integrated with Threat Intelligence to automatically receive threat information if the IP address value associated with the span has been identified as a threat indicator. Threat Intelligence aggregates threat intelligence data across many different sources and provides guidance for threat detection and prevention. For information, see Threat Intelligence.
ClientIpThreatConfidence: Overall confidence of the threat(s) from one threat indicator (IP address).
ClientIpThreatType: Threat type. For a complete list, see Threat Indicator Database Threat Types from Threat Intelligence.
If the IP address is not identified as a potential threat, the above span attributes are not present.
View and Explore Threat Activities
Use the Threat Activity Monitoring dashboard to view threat activities and their impact on the application. Trace Explorer enables you to explore spans for detection of potential threats.
Run the following query in Trace Explorer to check for potential threats:
SHOW (SPANS)
count(*) as Count,
ClientIpThreatType, ClientIpThreatConfidence
WHERE (ClientIpThreatConfidence is not omitted)
GROUP BY ClientIpThreatType, ClientIpThreatConfidence
ClientIpThreatType and ClientIpThreatConfidence.
Additional Query Examples:
- The following query shows potential threats and their maximum threat score using the geomap view:
SHOW (TRACES) geoCountryCode, count(*) as "Traces", sum(ErrorCount) as "Errors", sum(PageViews) as "Page Views", sum(ConnectTime) as "Total connect time", max(ClientIpThreatConfidence) as "Threat Confidence" WHERE ClientIpThreatType is not omitted and geoCountryCode is not omitted GROUP BY geoCountryCode
- The following query shows suspicious IP addresses, their geographical location (city and country), threat type and threat confidence:
SHOW TRACES case when ClientIpThreatType is omitted then 'No Threat IP' else ClientIp end as "IP Address", ClientIpThreatType as "Threat Type", percent_of_items() as "% of activity", count(*) as Count, max(GeoCountry) as Country, max(GeoCity) as City, max(ClientIpThreatConfidence) as "Threat Confidence" GROUP BY case when ClientIpThreatType is omitted then 'No Threat IP' else ClientIp end, ClientIpThreatType ORDER BY percent_of_items() desc timeseries for count(*)
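The three queries above all hinge on one detail: the threat attributes are simply absent from a span whose client IP was not flagged, which is what the "is omitted" / "is not omitted" tests check. The following Python is an added example (not Oracle's code and not part of this page) that replays the same aggregations offline over a handful of constructed spans, so you can see which rows each query produces and how unflagged traffic is folded into the "No Threat IP" bucket. The IP addresses, threat types and confidence values are made up; the span records use GeoCountry/GeoCity for both the country and city roll-ups, and a trace-level field such as ErrorCount is left out.

```python
"""Offline replay of the Trace Explorer threat queries (added example).

Spans are plain dicts. A span whose client IP was not identified as a
threat carries NO ClientIpThreatType / ClientIpThreatConfidence key at
all (the attribute is "omitted"), rather than a null value.
"""
from collections import defaultdict

# Constructed sample spans (hypothetical addresses, types and scores).
SPANS = [
    {"ClientIp": "203.0.113.10", "GeoCountry": "XX", "GeoCity": "Alpha",
     "ClientIpThreatType": "scanner", "ClientIpThreatConfidence": 80},
    {"ClientIp": "203.0.113.10", "GeoCountry": "XX", "GeoCity": "Alpha",
     "ClientIpThreatType": "scanner", "ClientIpThreatConfidence": 65},
    {"ClientIp": "198.51.100.7", "GeoCountry": "YY", "GeoCity": "Beta",
     "ClientIpThreatType": "botnet", "ClientIpThreatConfidence": 90},
    # Not flagged by Threat Intelligence: no threat attributes at all.
    {"ClientIp": "192.0.2.44", "GeoCountry": "ZZ", "GeoCity": "Gamma"},
    {"ClientIp": "192.0.2.45", "GeoCountry": "ZZ", "GeoCity": "Gamma"},
]


def _max(a, b):
    """max() that ignores missing (None) values, like an aggregate does."""
    if a is None:
        return b
    if b is None:
        return a
    return max(a, b)


def group_by_threat(spans):
    """First query: count spans per (threat type, confidence), keeping only
    spans where ClientIpThreatConfidence is not omitted."""
    counts = defaultdict(int)
    for s in spans:
        if "ClientIpThreatConfidence" not in s:
            continue  # unflagged span: attribute omitted, row excluded
        counts[(s.get("ClientIpThreatType"), s["ClientIpThreatConfidence"])] += 1
    return dict(counts)


def max_confidence_by_country(spans):
    """Geomap query: per country, number of flagged records and the highest
    threat confidence seen. Rows without a threat type or country drop out."""
    out = {}
    for s in spans:
        if "ClientIpThreatType" not in s or "GeoCountry" not in s:
            continue
        row = out.setdefault(s["GeoCountry"], {"Traces": 0, "Threat Confidence": None})
        row["Traces"] += 1
        row["Threat Confidence"] = _max(row["Threat Confidence"],
                                        s.get("ClientIpThreatConfidence"))
    return out


def summarize_by_ip(spans):
    """Per-IP query: flagged IPs get their own row, everything else is
    collapsed into 'No Threat IP'; rows are ordered by share of activity."""
    rows = {}
    total = len(spans)
    for s in spans:
        flagged = "ClientIpThreatType" in s
        key = s["ClientIp"] if flagged else "No Threat IP"
        row = rows.setdefault(key, {
            "IP Address": key,
            "Threat Type": s.get("ClientIpThreatType"),
            "Count": 0, "Country": None, "City": None,
            "Threat Confidence": None,
        })
        row["Count"] += 1
        row["Country"] = _max(row["Country"], s.get("GeoCountry"))
        row["City"] = _max(row["City"], s.get("GeoCity"))
        row["Threat Confidence"] = _max(row["Threat Confidence"],
                                        s.get("ClientIpThreatConfidence"))
    for row in rows.values():
        row["% of activity"] = round(100.0 * row["Count"] / total, 2)
    return sorted(rows.values(), key=lambda r: -r["% of activity"])


if __name__ == "__main__":
    print(group_by_threat(SPANS))
    print(max_confidence_by_country(SPANS))
    for row in summarize_by_ip(SPANS):
        print(row)
```

Note that `summarize_by_ip` reports a `Threat Confidence` of `None` for the "No Threat IP" row: the aggregate has nothing to take a maximum over, exactly as in the Trace Explorer result, so a dashboard that treats that column as numeric must handle the missing value rather than read it as zero.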
Check Spans Details
Span details show all the attributes of an individual span. For potential threats, review the value of the following attributes: ClientIpThreatType and ClientIpThreatConfidence.
Both attributes are populated in spans in which the ClientIp was identified as a threat.
Span details list the threat type with the highest score. For a complete list of all the different threat types and scores for that specific IP address, check Logs from Span details.
To get more information about the detected threat indicator (suspicious IP address), potential implications and recommendations, see Threat Intelligence service.