This topic describes the Suspicious DNS Activity report. The following figure shows the Suspicious DNS Activity report listing all the suspicious domains and the risk score for each.
The following figure shows the different panels in this view.
The Suspicious DNS Activity report has the following panels:
- Domain Heading
- Domain Fields
- Domain Histograms
Domain Heading Panel
The Domain Heading panel shows the risk score, the domain name (for example, bitminter.com), the time the report was generated, and the start and end dates of the period the report covers.
Note: If the risk score is greater than or equal to 50, the score is color-coded red; otherwise it is green.
Domain Fields Panel
The Domain Fields panel displays the following fields from the MongoDB database.
Note: All the fields in the Domain Fields panel show values computed at run time.
| Field | Description |
|---|---|
| Security Analytics Alerts | The number of Security Analytics alerts per response. |
| IP Repetition | The number of distinct (IP, date) pairs divided by the overall number of IPs seen for the domain. |
| Raw Score | The raw score. |
| Number of Responses | The number of DNS responses (requests are ignored). |
| Median Root on IP | The median of the number of distinct roots per returned IP. |
| ASN Repetition | The percentage of ASNs that are seen daily out of the total IPs seen for the domain. |
| Number of IPs | The overall number of IPs. |
| Median ASNs per Resp. | The median number of ASNs per response. |
| Total ASNs | The overall number of ASNs. |
| IP User Median | The median of internal IPs over domain IPs. |
| Number of Internal IPs | The number of source IP addresses from which the domain was queried. |
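To make the per-domain counters concrete, the following added example (not the product's own code) computes several of the Domain Fields from a small set of constructed DNS response records, following the table's definitions literally. The record layout, the IP-to-ASN lookup and the domain name are assumptions; fields whose definition on this page is not precise enough to reproduce (Security Analytics Alerts, Raw Score, ASN Repetition, IP User Median) are left out, and the risk score itself is only passed through the red/green threshold described above.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from any real deployment): an assumed IP-to-ASN
# lookup and DNS response records as (date, root domain, internal source IP,
# list of IPs returned in the response).
ASN_OF_IP = {
    "198.51.100.10": 64500,
    "198.51.100.11": 64500,
    "203.0.113.5": 64501,
    "203.0.113.6": 64502,
    "192.0.2.20": 64503,
}

RESPONSES = [
    ("2015-03-01", "bitminter.com", "10.0.0.5", ["198.51.100.10", "203.0.113.5"]),
    ("2015-03-01", "bitminter.com", "10.0.0.7", ["198.51.100.10", "203.0.113.5"]),
    ("2015-03-02", "bitminter.com", "10.0.0.5", ["198.51.100.11", "203.0.113.6"]),
    ("2015-03-02", "bitminter.com", "10.0.0.9", ["203.0.113.6", "198.51.100.10"]),
    ("2015-03-03", "bitminter.com", "10.0.0.5", ["192.0.2.20"]),
    # Other domains sharing some of the same IPs, so "roots per IP" is > 1.
    ("2015-03-01", "example.org", "10.0.0.5", ["203.0.113.5"]),
    ("2015-03-02", "example.net", "10.0.0.9", ["203.0.113.5", "192.0.2.20"]),
]


def domain_fields(domain, responses=RESPONSES, asn_of_ip=ASN_OF_IP):
    """Compute the reproducible Domain Fields for one domain (keys match the table)."""
    # Only responses for this domain feed the per-domain counters.
    own = [r for r in responses if r[1] == domain]
    ips = {ip for _, _, _, returned in own for ip in returned}

    # IP Repetition: distinct (IP, date) pairs over the number of distinct IPs.
    ip_date_pairs = {(ip, date) for date, _, _, returned in own for ip in returned}

    # Median Root on IP: how many distinct root domains each returned IP served,
    # measured across all responses, not just this domain's.
    roots_per_ip = defaultdict(set)
    for _, root, _, returned in responses:
        for ip in returned:
            roots_per_ip[ip].add(root)

    # Median ASNs per Resp.: distinct ASNs among the IPs in each single response.
    asns_per_resp = [len({asn_of_ip[ip] for ip in returned}) for _, _, _, returned in own]

    return {
        "Number of Responses": len(own),
        "Number of IPs": len(ips),
        "IP Repetition": len(ip_date_pairs) / len(ips) if ips else 0.0,
        "Median Root on IP": median([len(roots_per_ip[ip]) for ip in ips]) if ips else 0,
        "Median ASNs per Resp.": median(asns_per_resp) if asns_per_resp else 0,
        "Total ASNs": len({asn_of_ip[ip] for ip in ips}),
        "Number of Internal IPs": len({src for _, _, src, _ in own}),
    }


def risk_colour(risk_score):
    """Colour coding of the Domain Heading: red at 50 or above, otherwise green."""
    return "red" if risk_score >= 50 else "green"


if __name__ == "__main__":
    for field, value in domain_fields("bitminter.com").items():
        print(f"{field}: {value}")
```

On the constructed data, bitminter.com resolves to five IPs across six distinct (IP, date) pairs, so IP Repetition is 1.2; the shared IP 203.0.113.5 serves three root domains, but the median over all five IPs is still 1.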
Domain Histograms Panel
The Domain Histograms panel displays a vertical histogram in which the suspicious ASNs or countries are shown in dark blue.
This is a sample Vertical Histogram screen:
View a Suspicious DNS Activity Report
Perform the following steps to view a Suspicious DNS Activity report:
1. In the Security Analytics menu, click Reports.
   The Manage tab is displayed.
2. Click Warehouse Analytics.
   The Warehouse Analytics view is displayed, as shown below.
3. In the Warehouse Analytics toolbar, click View All Jobs.
   A list of jobs along with their schedule name and time is displayed on the View tab.
   Note: If no list is displayed, select a date from the calendar to view the jobs for that day.
4. Double-click an execution of the Suspicious DNS Activity job.
   The Suspicious DNS Activity report for the domain is displayed.
5. Click the Investigate button to review the suspicious DNS activity.