You could start with the SANS Top Threats, read the Internet Storm Center for current port trends and attacks, create watch list and have it auto-import and run some alerts or reports based off that. Also, do some correlatio between Virus incidents and illicit browsing or proxy connections, thats always a fun one. Many items you could start with. Do you have any specific topics or target areas?
Another thing to consider is to use enVision's Taxonomy to start to look for suspicious activity.
Start by looking for things that belong to the Attacks and Recon categories - based on what you see going on in your network, you can refine some of the results from there.
I am working on a whitepaper for specifically this topic. At a high level, the use case will be detecting malware in successive stages. The first stage is using your perimeter devices such as routers to only forward packets to your known good subnets. An example would be if you had subnets 10.10.1.0 - 10.10.10.0/24. If you only have enough hosts to use the first 5 subnets, the remaining 5 subnets could be considered "dark" subnets. The logical implication is that any traffic destined to those subnets would constitute either misconfigured traffic or malicious traffic, a.k.a. malware. Does that make sense?
You will configure envision to monitor your router for ACL denies that occur when that policy is violated, and begin your process of forensic analysis there. A deeper inspection can occur as you combine monitoring those events with additional events from your IDS/IPS for specific exploits going to that "dark" space, which will further refine your results and separate simple misconfigurations from actual threats.
I will be posting more on this soon. Please let me know if this approach makes sense to you and if you have any questions about the specifics.
Hello,Yes, this is interesting for me because we hae different DMZ level and I can use these specific there, if you have more details around this subject I will appreciate that if you send it to me.
Most the document i found related to envision are general,
Do you have any information related to best practices with envision, and what we are able to do with it at high level?