Warehouse Analytics: Analyze a Suspicious Domains Report

Document created by RSA Information Design and Development on Jun 22, 2017
Version 1

This topic describes the Suspicious Domains report. The following figure shows the Suspicious Domains report, which lists all the potentially suspicious domains and the risk score for each.

The following figure shows the different panels in this view.

WA_SuspiciousDomains2.png

The Suspicious Domains report has the following panels:

  1. Domain Heading
  2. Domain Fields
  3. Domain Histograms
  4. Domain Lists

Domain Heading Panel

The Domain Heading panel shows the risk score, the domain name (for example, hmc.edu), the time the report was generated, and the start and end dates of the report execution.

Note: If the risk score is greater than or equal to 50, the color coding is red; otherwise, the color coding is green.

WA_SuspiciousDomainsHeaderPanel.png

Domain Fields Panel

The Domain Fields panel displays the following fields from the MongoDB database.

Note: The values for the fields are based on the selected suspicious domain. All the fields are populated with values at run time.

WA_SuspiciousDomains_Params.png

Domain Histograms Panel

The Domain Histograms panel displays the Vertical Histogram, which depicts the suspicious subdomains or internal IP addresses in dark blue.

Vertical Histogram

domain_histograms_panel.png

Domain List Panel

The Domain List panel lists the number of server Autonomous System Numbers (ASNs) and the top content types.

WA_SuspiciousDomains_List.png

View the Suspicious Domains Report

Perform the following steps to view the suspicious domains report:

  1. In the Security Analytics menu, click Reports.

    The Manage tab is displayed.

  2. Click Warehouse Analytics.

    The Warehouse Analytics view is displayed.

    Deploy_screen.png

  3. In the Warehouse Analytics toolbar, click View All Jobs.

    A list of jobs, along with their schedule names and times, is displayed on the View tab.

    Note: If no list is displayed, select a date from the calendar to view a list of jobs. 

  4. Double-click on an execution based on the Suspicious Domain.

    The Suspicious Domains report is displayed.

Next steps 

Perform the following task: Click the Navigate button to investigate a suspicious domain.
