3.2.3.4.4.3. SMB Connections

The SMB (Server Message Block) Connection dashboard displays various metrics and insights related to preventing lateral movement through SMB and preventing the bypassing of data access control rules.

The view displays the following dashboards:

  • Total SMB connections: Metric showing the total number of SMB connections.

  • Total SMB clients: Metric showing the total unique clients on SMB connections.

  • Total SMB servers: Metric showing the total unique servers on SMB connections.

  • Total SMB connections time evolution: Histogram showing the time evolution of the SMB connections.

  • Kerberos and NTLM authentications distribution: Tree map showing Kerberos and NTLM authentications, differentiating between successful and failed authentications.

  • Types of SMB clients: Tree map showing the distribution of the different types of SMB clients.

  • Total SMB clients time evolution: Histogram showing the time evolution of the total unique SMB clients.

  • Action performed on SMB connections: Tree map showing SMB actions: open file, rename file, close file, open print job and close print job.

  • SMB versions distribution: Tree map showing the distribution of the different SMB versions (1.0, 2.0, 2.1, 3.0, 3.0.2, and 3.1.1).

  • SMB administrator privileges connections: Tree map showing the distribution of SMB connections to C$, Admin$, IPC$, Printer, or Fax.

  • Top 10 SMB files name: Bar chart showing the top 10 SMB file names within the total number of SMB connections. The bar stacks are segmented by the SMB action: open file, rename, close file, open print job and close print job.

  • Top SMB 10 clients: Bar chart showing the top 10 SMB clients by the total number of SMB connections. Each bar indicates the SMB connections for a specific client IP address and is segmented by the SMB actions: open file, rename, close file, open print job and close print job.

  • Top 10 SMB servers: Bar chart showing the top 10 SMB servers by the total number of SMB connections. Each bar indicates the SMB connections for a specific server IP address and is segmented by the SMB actions: open file, rename, close file, open print job and close print job.

  • SMB connections flow: Sankey diagram showing the flow of SMB connections between source and destination IP addresses. Each line represents the number of connections from a specific source IP on the right. Different colors indicate the various connection paths.

  • SMB connections details: Table showing the following information about SMB connections: dates, device info (MAC, IP, type), user, switch details (IP, port), and building and network names.