Risky Services Traffic
The Risky Services Traffic dashboard helps you identify network traffic associated with services commonly exploited by attackers. It provides visibility into potentially risky connections, enabling you to investigate, assess, and prioritize actions to reduce exposure to lateral movement threats.
Selecting any protocol from the “Risky Services Traffic” widget also updates all other widgets on the page to show data related to that protocol. From there, you can review specific types of workloads that participated in this traffic, review activity patterns, see zone and account traversal, and more.
View the traffic patterns that Illumio categorizes as risky. Use these insights to investigate any Risky Services Traffic you see, such as sensitive information going to an unknown destination.
Risky Services Traffic
Use these insights to view details about your services and evaluate potentially Risky Services Traffic. For example, assume you are concerned about a specific threat actor moving laterally using Port 3389 (RDP). You can search port connections to determine the level of risk. Services are color coded; red indicates high risk and orange indicates medium risk.
Top Destination Roles using a Service
Use these insights to determine which roles (auto-detected by machine learning) your workloads are sending traffic to over specific services, like Port 3389 (RDP). Review the mix of roles receiving heavy Port 3389 (RDP) usage to decide whether to investigate, for example when an unknown role is receiving sensitive information.
Top Workloads using a service and port combination
Use these insights to learn about Risky Services Traffic for the top workloads. Hover over a graph line to see its details and click on a graph line to update the Traffic Query Results table. Click an entry (or its checkbox) in the legend to remove or restore it in the graph.
Traffic by Zones for a service and port combination
Use these insights to get information about cross-zone traffic patterns. Dig deeper into Port 3389 (RDP) traffic, for example. You’ll notice any workloads using an outsized number of such connections.
Traffic Query Results
Filter traffic results by source IP, source zone, port, protocol, and much more. For example, filter the Source Zone column to see all of your Azure sources in one place.
Switching between flows and bytes may change your displayed results. For example, a resource with denied traffic may have a large number of flows but zero bytes. Switching the displayed results from flows to bytes removes that resource from a Top 10 list because of its low byte count, and another resource with a higher byte count takes its place.
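The ranking change described above can be reproduced on a handful of records. The script below is an added example, not Illumio's code or data: the flow records, their field names (src, dst_port, proto, flows, bytes, decision) and the workload names are constructed for illustration. It ranks the sources of traffic to one service/port first by flows and then by bytes, and reports which sources drop out of or enter the Top-N when the metric changes.

```python
"""Rank sources of traffic on one service/port by flows or by bytes.

Constructed example (not Illumio's code or data). Shows why switching a
Top-N widget from flows to bytes can drop a resource whose denied
connections produced many flows but zero bytes.
"""
from collections import defaultdict

# Constructed sample flow records; field names and values are assumptions.
# web-01 has many denied RDP attempts (many flows, zero bytes transferred).
SAMPLE_FLOWS = [
    {"src": "web-01",  "dst_port": 3389, "proto": "tcp", "flows": 120, "bytes": 0,         "decision": "denied"},
    {"src": "db-02",   "dst_port": 3389, "proto": "tcp", "flows": 15,  "bytes": 2_500_000, "decision": "allowed"},
    {"src": "app-03",  "dst_port": 3389, "proto": "tcp", "flows": 6,   "bytes": 900_000,   "decision": "allowed"},
    {"src": "jump-04", "dst_port": 3389, "proto": "tcp", "flows": 4,   "bytes": 300_000,   "decision": "allowed"},
    {"src": "web-01",  "dst_port": 443,  "proto": "tcp", "flows": 30,  "bytes": 50_000,    "decision": "allowed"},
]


def totals_by_source(records, dst_port, proto, metric):
    """Sum `metric` ("flows" or "bytes") per source for one service/port."""
    if metric not in ("flows", "bytes"):
        raise ValueError("metric must be 'flows' or 'bytes'")
    totals = defaultdict(int)
    for r in records:
        if r["dst_port"] == dst_port and r["proto"] == proto:
            totals[r["src"]] += r[metric]
    return dict(totals)


def top_n(records, dst_port, proto, metric, n=10):
    """Top-N sources by `metric`, highest first; ties broken by name so the
    output is stable. A source with a zero total still ranks, just last."""
    totals = totals_by_source(records, dst_port, proto, metric)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [src for src, _ in ranked[:n]]


def ranking_diff(records, dst_port, proto, n=10):
    """Compare the Top-N by flows with the Top-N by bytes for one service/port
    and list the sources that drop out of, or enter, the list."""
    by_flows = top_n(records, dst_port, proto, "flows", n)
    by_bytes = top_n(records, dst_port, proto, "bytes", n)
    return {
        "by_flows": by_flows,
        "by_bytes": by_bytes,
        "dropped": [s for s in by_flows if s not in by_bytes],
        "added": [s for s in by_bytes if s not in by_flows],
    }


if __name__ == "__main__":
    diff = ranking_diff(SAMPLE_FLOWS, 3389, "tcp", n=2)
    print("Top 2 RDP sources by flows:", diff["by_flows"])
    print("Top 2 RDP sources by bytes:", diff["by_bytes"])
    print("Dropped when switching to bytes:", diff["dropped"])
    print("Added when switching to bytes:  ", diff["added"])
```

With the constructed data, web-01 leads the Top 2 by flows because of its denied attempts, but its zero byte count pushes it out when ranking by bytes, and app-03 takes its place. When reviewing a Top-N widget, check both metrics: the flow view surfaces noisy or blocked connection attempts, while the byte view surfaces the sessions that actually moved data.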
View flow, IP, and resource details using slide-outs
Slide-outs provide additional information about specific flows, IP addresses, and resources. Click a flow, IP address, or resource to open its slide-out and view additional details.