
[IAG] Audit shows QQ file-receiving traffic, but no behavior records are found

Problem Description

Querying a single user in the log center shows that the user received file traffic via QQ at around 10 a.m. on June 19, but the behavior log contains no record of the user receiving files via QQ.

Process

  1. A single-user traffic query in the log center shows that QQ file-receiving traffic accounts for a large share of the user's traffic, but the behavior log records in the log center contain no corresponding behavior.
  2. Check the audit policy associated with the user. "Traffic and Internet duration statistics" and "Application audit" are both checked, but within application audit, the audit of other network application behavior is not checked. To fix this, check the other network application behavior audit option.


Root cause

In application auditing, besides the applications that are explicitly listed, applications that are not listed but are defined in the IAG rule base fall under "other network behaviors", which covers all other applications such as QQ and DingTalk. The "unidentified network applications" item below it covers application behaviors that are not defined in the IAG rule base.

Solution

In the audit policy, check the option to audit other network application behavior.
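
To find the same gap for other users before someone notices it by hand, the traffic statistics can be reconciled against the behavior records. The script below is an added example, not Sangfor code: it assumes both logs have been exported to CSV, and the column names, users, dates and values are constructed for illustration rather than taken from IAG's real export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample exports. Column names are assumptions, not IAG's real format.
TRAFFIC_CSV = """user,app,hour,bytes
alice,QQ file transfer,2025-01-15 10:00,52428800
alice,HTTP browsing,2025-01-15 10:00,1048576
bob,DingTalk,2025-01-15 11:00,2097152
bob,HTTP browsing,2025-01-15 11:00,4096
carol,DingTalk,2025-01-15 12:00,3145728
"""
BEHAVIOR_CSV = """user,app,time,action
alice,HTTP browsing,2025-01-15 10:12:03,visit
bob,HTTP browsing,2025-01-15 11:40:10,visit
bob,DingTalk,2025-01-15 11:05:44,send message
"""

def load_audited(behavior_csv):
    """Return the (user, app, hour) buckets that have a behavior record."""
    audited = set()
    for row in csv.DictReader(io.StringIO(behavior_csv)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        audited.add((row["user"], row["app"], ts.strftime("%Y-%m-%d %H:00")))
    return audited

def audit_gaps(traffic_csv, behavior_csv, min_bytes=1_000_000):
    """Traffic buckets of at least min_bytes with no behavior record, largest first."""
    audited = load_audited(behavior_csv)
    gaps = []
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        key = (row["user"], row["app"], row["hour"])
        size = int(row["bytes"])
        if size >= min_bytes and key not in audited:
            gaps.append((*key, size))
    return sorted(gaps, key=lambda g: -g[3])

def never_audited_apps(traffic_csv, behavior_csv, min_bytes=1_000_000):
    """Apps with gap traffic and no behavior record for any user at all."""
    seen = {app for _, app, _ in load_audited(behavior_csv)}
    gaps = audit_gaps(traffic_csv, behavior_csv, min_bytes)
    return sorted({g[1] for g in gaps if g[1] not in seen})

if __name__ == "__main__":
    for user, app, hour, size in audit_gaps(TRAFFIC_CSV, BEHAVIOR_CSV):
        print(f"{hour}  {user:<6} {app:<18} {size:>10} bytes, no behavior record")
    print("Never audited:", never_audited_apps(TRAFFIC_CSV, BEHAVIOR_CSV))
```

An application that is audited for one user but missing for another points at that user's associated audit policy, while an application that never appears in the behavior log suggests the relevant audit option is unchecked in every policy.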

Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=5946&isOpen=true