Services that are blocked or not visited by the user are showing in Audit

Article ID: 261356

Products

CASB Audit

Issue/Introduction

The Audit reports show Services that are blocked by the proxy or firewall, or Services that users are not visiting directly.

Cause

When a user visits some legitimate websites, the page can redirect to other sites, such as advertisements. Those redirection sites may be blocked, but they still show up because some traffic is directed to the URL, even though a connection is never made.

Some applications that send logs to CloudSOC may not have a field in the log entry that identifies the traffic as redirected.

Resolution

There is an option in the Data Source called "Ignore Indirect Traffic". When this option is checked, entries in logs that can be identified as a redirection of traffic will not be stored in CloudSOC.

Sometimes there are entries for redirected traffic that cannot be explicitly identified as redirected traffic. If that happens, CloudSOC has a feature that allows those entries to be ignored for purposes of reporting and viewing.

In CloudSOC -> Audit -> Services, find the service that you do not want to show up. Click the arrow on the right-hand side under the Actions column, choose Manage Tags, then check the Ignore tag.

To hide Services that have the Ignore tag set, go to the Service Visibility: Configure drop-down and disable the Show services with Ignore option.