Purpose: Enhance threat detection by accurately modeling the customer's network.
Check the List: Validate IP address ranges for network segments.
Approve or Update: Confirm or correct the External addresses list.
Why Important: Identify and secure vulnerable network areas for proactive defense.
Network modeling is a crucial practice for understanding and securing an organization's network. It enhances the SIEM’s capabilities in event correlation, anomaly detection, and incident response, and provides valuable insights for maintaining a robust security infrastructure.
This process includes defining and segmenting various network components, such as IP ranges, devices, subnets, zones, and other elements. By accurately modeling the network, platform managers can create a detailed map that the SIEM uses to understand and interpret network traffic and events.
Entity Country name
Entity Network Modeling from the onboarding Excel sent to him.
Entity External addresses - verified with the entity
Navigate to the “Assets” resource and choose the “Location” tab.
/All Locations/Mobula MSSP (Select Customer by double click)
In Inspect/Edit tab:
1. Set the Country
2. Click Apply
In the “Assets” resource, navigate to the “Networks” tab.
Select the entity - All Networks/Mobula MSSP/$Customer
Validate that 2 Networks exist:
$Customer
$Customer TL
In the “Assets” resource, choose the “Zones” tab.
Validate that the subfolder of the main customer's folder is linked with the “Network” option.
Right-click on the subfolder -> “Edit Group”
If this option is not configured, click on the “Network” drop-down list and navigate to your customer Network under the Mobula MSSP folder.
2. As shown in the first picture, there are 3 folders.
Start adding network scopes:
Right-click on the first $Customer sub-folder, select “New Zone”
Customer - For all internal segmentations, such as users / wifi / guests / servers / etc.
Customer EX - For the external IP addresses of the customer. Get the list from this path -
/All Active Lists/Mobula/DeviceType/Firewall/Firewall: External Addresses
Then verify the information with the entity.
After verifying the information, add it to the $Customer EX subfolder.
Customer TL - The Top Level, which is supposed to cover all available segmentations in your entity’s network modeling. These zones serve as the foundational layer upon which more detailed sub-zones or segments are built.
Example:
One of my entities has a few internal network segmentations, such as:
10.20.30.x
10.30.x.x
10.100.x.x
172.16.x.x
172.17.x.x
172.18.x.x
The TL zones should look like this:
10.x.x.x
172.16-18.x.x
3. Validate that all 3 Top Level Zones are linked with “Location” and TL Location
Example:
4. Validate that the folder of the Customer EX is linked with the “Network”
Right-click on the folder -> “Edit Group”
Navigate to the “Connectors” resource and to the “Network” tab
Add the Networks by clicking on “Add”
The order is very important:
1. Customer
2. Customer TL
3. Local
2. In the “Connectors” tab, go to the “Default” tab
a. Check that Zone Population Mode is set to “Rezone (override)”
b. Click Apply if you made any changes
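
An added example, not part of the original runbook: a Python check that every internal segment from the Customer TL example above is covered by a TL zone, and that no address on the external list falls inside an internal TL range. The function names, the extra 192.168.50.x segment and the sample external addresses are constructed for illustration; the x and 16-18 notation is parsed as it is written on this page.

```python
import ipaddress

def parse_scope(text):
    """Parse this page's notation ('10.20.30.x', '172.16-18.x.x') into (start, end)."""
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    low, high, open_ended = [], [], False
    for part in octets:
        if part.lower() == "x":
            lo, hi = 0, 255
        elif open_ended:
            # e.g. '10.x.5.x' cannot be written as one start-end zone range
            raise ValueError(f"not a contiguous range: {text!r}")
        else:
            first, _, last = part.partition("-")
            lo, hi = int(first), int(last or first)
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet {part!r} in {text!r}")
        open_ended = open_ended or lo != hi
        low.append(str(lo))
        high.append(str(hi))
    return (ipaddress.IPv4Address(".".join(low)),
            ipaddress.IPv4Address(".".join(high)))

def uncovered(segments, tl_zones):
    """Internal segments that no TL zone fully contains."""
    tl = [parse_scope(z) for z in tl_zones]
    return [seg for seg in segments
            if not any(s <= parse_scope(seg)[0] and parse_scope(seg)[1] <= e
                       for s, e in tl)]

def inside_tl(addresses, tl_zones):
    """Addresses from the external list that fall inside an internal TL range."""
    tl = [parse_scope(z) for z in tl_zones]
    return [a for a in addresses
            if any(s <= ipaddress.IPv4Address(a) <= e for s, e in tl)]

# Segments and TL zones exactly as listed in the example on this page.
SEGMENTS = ["10.20.30.x", "10.30.x.x", "10.100.x.x",
            "172.16.x.x", "172.17.x.x", "172.18.x.x"]
TL_ZONES = ["10.x.x.x", "172.16-18.x.x"]
# Constructed sample values, not taken from any customer.
EXTERNAL = ["203.0.113.10", "10.30.4.7"]

if __name__ == "__main__":
    print("uncovered:", uncovered(SEGMENTS + ["192.168.50.x"], TL_ZONES))
    print("external inside TL:", inside_tl(EXTERNAL, TL_ZONES))
```

An empty result from both functions means the TL layer covers every internal segment and nothing on the external list is actually an internal address.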