Warehouse Analytics: Analyze a Host Profile Report

Document created by RSA Information Design and Development on Mar 21, 2017
Version 1Show Document
  • View in full screen mode

This topic describes the Host Profile report. The following figure shows the Host Profile report, listing all the suspicious hosts.


The following figure shows the different panels of this view.


The Host Profile Report has the following panels:

  • Activity Heading
  • Activity Fields
  • Activity Histograms
  • Activity Heat Maps
  • Activity List

Activity Heading Panel

On the Activity Heading panel allows you can view the activity name, IP address, the time the report was generated, along with the start and end date.


Note: The Host Profile report does not display a score in the Activity heading panel.

Activity Fields Panel

The Activity Fields panel displays the following fields from the Mongo DB database.


Least Busiest HourThe hour with the lower number of requests.
Busiest HourThe hour with the highest number of requests.
Longest No-traffic Period (hours)The longest break without any traffic for this IP. 
Total BandwidthThe total bandwidth consumed for sending and receiving.
Domain TotalThe total number of domains accessed by this IP.
Average BandwidthThe average bandwidth to send or receive per session.
External IPsThe number of external IPs accessed.
Rare User-AgentsThe number of rare User-Agent strings seen from this IP.

Activity Histograms Panel

The Activity Histograms panel displays the Session Size Histogram. This is a vertical histogram which depicts the host activity in blue color.

There are two types of histograms:

  • Vertical Histogram: The data is depicted in the form of a vertical histogram in case of an Hours or Session Size Histogram.
  • Horizontal Histogram: The data is depicted in the form of an horizontal histogram in case of Domains Histogram.

Vertical Histogram


Horizontal Histogram


Activity Heat Maps Panel

The Activity Heat Maps panel displays the HTTPS Requests Overview heat map. The heat map is plotted based on days (X-axis) and hours (Y-axis). The count of the activities is computed based on the average of several activities. The color codes displayed for the activities vary as it is dynamic. The heat map is displayed from the start date of the report which is displayed above the Heading panel. For example, on a particular day on the 23rd hour if the activity is high then the dark blue color code is displayed on the heat map.

Note: The high rate of activities during a particular period is not indicative of suspicious activity on the host. The color codes only depict the rate of activities during any period.


Activity List Panel

The Activity List panel is displayed based on the percentage of traffic on the field it accessed. For example, Daily User Agent Settings and Countries.

View a Host Profile Report

To view a host profile report:

  1. In the Security Analytics menu, click Reports.

    The Manage tab is displayed.

  2. Click Warehouse Analytics.

    The Warehouse Analytics view is displayed.


  3. In the Warehouse Analytics toolbar, click View All Jobs.

    A list of jobs along with their schedule name and time are displayed on the View tab.

    Note: If no list is displayed, select a date from the calendar to view a list of jobs. 

  4. Double-click on an execution based on the Host Profile model. 
    The Host Profile report is displayed.

Next stepsNext Steps

You can investigate a host profile report.

You are here
Table of Contents > Required Procedures > Step 4. Analyze a Warehouse Analytics Report > Analyze a Host Profile Report