
Verification and Check

Verification

  1. After the AIE profile is configured, run the display profile type aie command to view the configuration of the current AIE profile.
    <sysname> display profile type aie
    ==============================================================================
    AI-Engine Profile Configurations:
    ==============================================================================
    Total Profiles: 1
    ------------------------------------------------------------------------------
        Profile Name                       : profile1
        Description                        : 
        Referenced                         : 1
        
    ------------------------------------------------------------------------------
        Detection Module                   Status
        cc                                 enabled
        dga                                disabled
        eca                                enabled
        bruteforce                         disabled
        sql                                disabled
    ------------------------------------------------------------------------------
  2. After the AIE is configured, run the display aie state command to view the running status of the AIE.
    <sysname> display aie state
    ==============================================================================
    AI-Engine Running State on slot 11 cpu 0:
    ==============================================================================
    Module               Status     Memory Used (kB)   CPU Usage
    Framework            running    4984               0.00%
    Redis-Server         running    3724               0.16%
    adapt                running    7412               0.22%
    bruteforce           stopped    0                  0.00%
    cc                   running    7776               0.15%
    dga                  stopped    0                  0.00%
    eca                  running    31832              1.00%
    sql                  stopped    0                  0.00%
    ------------------------------------------------------------------------------
  3. Optional: If the AIE whitelists are configured, run the display aie whitelist command to view the configuration of the AIE whitelists.
    <sysname> display aie whitelist 
    ==============================================================================
     AI-engine Whitelist Items on slot 11 cpu 0:
    ==============================================================================
    ------------------------------------------------------------------------------
         bruteforce Module Whitelist Items:
    ------------------------------------------------------------------------------
         Empty
    ------------------------------------------------------------------------------
    ------------------------------------------------------------------------------
         cc Module Whitelist Items:
    ------------------------------------------------------------------------------
         Type     Value                                                Hit Count
         ip       10.1.1.1                                             1
    ------------------------------------------------------------------------------
    ------------------------------------------------------------------------------
         dga Module Whitelist Items:
    ------------------------------------------------------------------------------
         Type            Value                                         Hit Count
         dns             example.com                                   0
    ------------------------------------------------------------------------------
    ------------------------------------------------------------------------------
         eca Module Whitelist Items:
    ------------------------------------------------------------------------------
         Empty
    ------------------------------------------------------------------------------
    ------------------------------------------------------------------------------
         sql Module Whitelist Items:
    ------------------------------------------------------------------------------
         Empty
    ------------------------------------------------------------------------------
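The three display outputs above are easy to eyeball on one box, but the check that actually matters is whether every detection module a profile enables is also running on the AIE. The following Python script is an added example (not Huawei tooling) that parses the `display profile type aie` and `display aie state` outputs shown above, embedded here as constructed sample strings copied from this page, and reports any module that is enabled in a profile but not in the running state. The requirement that Framework and Redis-Server be running is an assumption made by the script, not something the page states.

```python
"""Cross-check AIE profile configuration against AIE running state.

Added example, not Huawei's own code. It parses the two display outputs
from this page and reports detection modules that a profile enables but
that the AIE is not running, which is the mismatch a verification step
should catch before relying on the engine for detection.
"""
import re

# Constructed sample: output of "display profile type aie" as shown above.
PROFILE_OUTPUT = """\
==============================================================================
AI-Engine Profile Configurations:
==============================================================================
Total Profiles: 1
------------------------------------------------------------------------------
    Profile Name                       : profile1
    Description                        :
    Referenced                         : 1

------------------------------------------------------------------------------
    Detection Module                   Status
    cc                                 enabled
    dga                                disabled
    eca                                enabled
    bruteforce                         disabled
    sql                                disabled
------------------------------------------------------------------------------
"""

# Constructed sample: output of "display aie state" as shown above.
STATE_OUTPUT = """\
==============================================================================
AI-Engine Running State on slot 11 cpu 0:
==============================================================================
Module               Status     Memory Used (kB)   CPU Usage
Framework            running    4984               0.00%
Redis-Server         running    3724               0.16%
adapt                running    7412               0.22%
bruteforce           stopped    0                  0.00%
cc                   running    7776               0.15%
dga                  stopped    0                  0.00%
eca                  running    31832              1.00%
sql                  stopped    0                  0.00%
------------------------------------------------------------------------------
"""

# Detection modules listed in the profile output on this page.
DETECTION_MODULES = ("cc", "dga", "eca", "bruteforce", "sql")


def parse_profile(text):
    """Return {profile_name: {module: 'enabled'|'disabled'}}."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Profile Name\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            profiles[current] = {}
            continue
        m = re.match(r"\s*(\w+)\s+(enabled|disabled)\s*$", line)
        if m and current and m.group(1) in DETECTION_MODULES:
            profiles[current][m.group(1)] = m.group(2)
    return profiles


def parse_state(text):
    """Return {module: 'running'|'stopped'} from the running-state table."""
    state = {}
    for line in text.splitlines():
        # module, status, memory in kB, CPU percentage
        m = re.match(r"\s*(\S+)\s+(running|stopped)\s+\d+\s+[\d.]+%\s*$", line)
        if m:
            state[m.group(1)] = m.group(2)
    return state


def find_mismatches(profiles, state):
    """List (profile, module, configured, actual) tuples that disagree.

    Assumption of this example: Framework and Redis-Server must be running
    for any detection module to work, and every module enabled in a profile
    must itself be running.
    """
    issues = []
    for core in ("Framework", "Redis-Server"):
        if state.get(core) != "running":
            issues.append(("-", core, "required", state.get(core, "missing")))
    for name, modules in profiles.items():
        for module, status in modules.items():
            actual = state.get(module, "missing")
            if status == "enabled" and actual != "running":
                issues.append((name, module, status, actual))
    return issues


if __name__ == "__main__":
    for issue in find_mismatches(parse_profile(PROFILE_OUTPUT), parse_state(STATE_OUTPUT)):
        print("MISMATCH profile=%s module=%s configured=%s actual=%s" % issue)
```

On the outputs shown above the script reports nothing: cc and eca are enabled and running, and the disabled modules are stopped. Feed it a state table where cc has stopped and it prints a single mismatch line for profile1.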

Viewing Logs

After the AIE profile is referenced in a security policy, the FW performs threat detection on traffic that matches the security policy. If a threat or attack is detected, a log is generated.

The following is an example of the log generated for a detected Malicious Encrypted C&C Communication threat.

AIE/4/EVENT(l)[2]: The AI-Engine found an attack. (Vsys=public, Policy=test, StartTime=xxxx/xx/xx xx:xx:xx, EndTime=xxxx/xx/xx xx:xx:xx, 
SrcIP=10.1.1.1, DstIp=1.1.1.1, SrcPort=499255, DstPort=443, SrcZone=untrust, DstZone=trust, User=USER, Protocol=TCP, 
Application=SSL,Profile=aie_all, ThreatName=Malicious Encrypted C&C Communication, ThreatLevel=high, AttackerIP=10.2.1.15, VictimIP=10.2.26.101,
EventID=1d115ea31f2c001000000000, EventNum=1, Action=Alert, Extend=
(ServerName=pecohemlitt.com;CertificateHash=525d2ef8dff4e72119cecb764748285c53f21327;).)

The following table lists the fields in a log.

Parameter Name            Parameter Meaning
------------------------  ----------------------------------------------------------------
vsys-name                 Virtual system name.
policy-name               Security policy name.
start-time                Time when the event starts.
end-time                  Time when the event ends.
source-ip-address         Source IP address of a packet.
destination-ip-address    Destination IP address of a packet.
source-port               Source port of a packet.
destination-port          Destination port of a packet.
source-zone               Source security zone of a packet.
destination-zone          Destination security zone of a packet.
user-name                 User name.
protocol                  Protocol name of a packet.
application-name          Application type of a packet.
profile-name              Profile name.
threat-name               Threat type. The options are as follows:
                            • DGA Domain Request
                            • Malicious C&C Flow
                            • Malicious Encrypted C&C Communication
                            • Brute-Force Cracking
                            • SQL Injection
threat-level              Threat level. The value is invariably high.
attacker-ip-address       IP address of an attacker.
victim-ip-address         IP address of a victim.
event-id                  Event ID.
event-num                 Number of attacks.
action                    Action in response to an event. The value is invariably Alert.
extend-string             Extension information.
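A SIEM or log pipeline needs these fields as structured data rather than as one message string, and the Extend part carries the indicators (server name and certificate hash) that are most useful to pivot on. The following Python parser is an added example, not Huawei code. It takes the sample log shown above, joined onto one line as syslog would deliver it, splits it into the fields the table lists, unpacks the `Extend=(...)` sub-fields, and flags an event whose threat-name, threat-level or action differs from the values the table documents, which usually means a format change rather than a new attack type.

```python
"""Parse an AIE threat log line into the fields documented above.

Added example, not Huawei's own code. The sample line is the one shown on
this page, joined onto a single line; the parser also expands the
Extend=(...) group so ServerName and CertificateHash can be matched against
other telemetry.
"""
import re

# Constructed sample: the log line from this page, as one line.
SAMPLE_LOG = (
    "AIE/4/EVENT(l)[2]: The AI-Engine found an attack. (Vsys=public, Policy=test, "
    "StartTime=xxxx/xx/xx xx:xx:xx, EndTime=xxxx/xx/xx xx:xx:xx, "
    "SrcIP=10.1.1.1, DstIp=1.1.1.1, SrcPort=499255, DstPort=443, SrcZone=untrust, "
    "DstZone=trust, User=USER, Protocol=TCP, Application=SSL,Profile=aie_all, "
    "ThreatName=Malicious Encrypted C&C Communication, ThreatLevel=high, "
    "AttackerIP=10.2.1.15, VictimIP=10.2.26.101, EventID=1d115ea31f2c001000000000, "
    "EventNum=1, Action=Alert, Extend="
    "(ServerName=pecohemlitt.com;CertificateHash=525d2ef8dff4e72119cecb764748285c53f21327;).)"
)

# Threat names the table above lists for threat-name.
KNOWN_THREATS = {
    "DGA Domain Request",
    "Malicious C&C Flow",
    "Malicious Encrypted C&C Communication",
    "Brute-Force Cracking",
    "SQL Injection",
}

# "AIE/4/EVENT(l)[2]: The AI-Engine found an attack. (<body>)"
HEADER_RE = re.compile(
    r"^(?P<source>AIE/\d+/EVENT)\S*:\s*The AI-Engine found an attack\.\s*\((?P<body>.*)\)\s*$"
)
# key=value pairs: a value is either a parenthesised group (Extend) or runs to the next comma
FIELD_RE = re.compile(r"(\w+)=(\([^)]*\)|[^,]*)")


def parse_aie_log(line):
    """Return a dict of the top-level fields, with 'Extend' expanded to a dict.

    Returns None when the line is not an AIE attack event.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group("body"))}
    extend = fields.get("Extend", "")
    if extend.startswith("(") and extend.endswith(")"):
        # "ServerName=a;CertificateHash=b;" -> {"ServerName": "a", "CertificateHash": "b"}
        fields["Extend"] = dict(
            item.split("=", 1) for item in extend[1:-1].split(";") if "=" in item
        )
    return fields


def extract_indicators(fields):
    """Return (server_name, certificate_hash) from Extend, or None if absent.

    The hash in the sample is 40 hex characters (SHA-1 length); anything else
    is treated as malformed and returned as None for that slot.
    """
    extend = fields.get("Extend")
    if not isinstance(extend, dict):
        return None
    cert = extend.get("CertificateHash", "")
    if not re.fullmatch(r"[0-9a-fA-F]{40}", cert):
        cert = None
    return extend.get("ServerName"), cert


def check_event(fields):
    """List the fields whose value is outside what the table documents."""
    problems = []
    if fields.get("ThreatName") not in KNOWN_THREATS:
        problems.append("ThreatName")
    if fields.get("ThreatLevel") != "high":
        problems.append("ThreatLevel")
    if fields.get("Action") != "Alert":
        problems.append("Action")
    return problems


if __name__ == "__main__":
    event = parse_aie_log(SAMPLE_LOG)
    print(event["ThreatName"], event["AttackerIP"], "->", event["VictimIP"])
    print("indicators:", extract_indicators(event))
    print("unexpected fields:", check_event(event))
```

For the sample line the parser yields the attacker and victim addresses from the table, the server name pecohemlitt.com and the certificate hash as separate indicator values, and an empty list from `check_event`, since the sample uses exactly the documented threat name, level and action.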

Copyright © Huawei Technologies Co., Ltd.