Warehouse Analytics: Analyze a Host Profile Report

Document created by RSA Information Design and Development on Jun 22, 2017
Version 1

This topic describes the Host Profile report. The following figure shows the Host Profile report, listing all the suspicious hosts.

HostProfile-IPsList.png

The following figure shows the different panels of this view.

DS-HostProfileReport-1.png

The Host Profile Report has the following panels:

  • Activity Heading
  • Activity Fields
  • Activity Histograms
  • Activity Heat Maps
  • Activity List

Activity Heading Panel

The Activity Heading panel allows you to view the activity name, the IP address, and the time the report was generated, along with the start and end dates.

activity_headg_panel.png

Note: The Host Profile report does not display a score in the Activity heading panel.

Activity Fields Panel

The Activity Fields panel displays the following fields from the MongoDB database.

activity_fields_panel.png

                                         
| Field | Description |
|---|---|
| Least Busiest Hour | The hour with the lowest number of requests. |
| Busiest Hour | The hour with the highest number of requests. |
| Longest No-traffic Period (hours) | The longest break without any traffic for this IP. |
| Total Bandwidth | The total bandwidth consumed for sending and receiving. |
| Domain Total | The total number of domains accessed by this IP. |
| Average Bandwidth | The average bandwidth to send or receive per session. |
| External IPs | The number of external IPs accessed. |
| Rare User-Agents | The number of rare User-Agent strings seen from this IP. |
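The following Python example is added here as an illustration and is not RSA's code; it derives the fields above from constructed session records for one host. The record layout, the 10.0.0.0/8 internal range, the rarity threshold, and counting only hours that had traffic are assumptions.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample sessions for one host (hypothetical layout, not the product schema):
# (start time, destination IP, domain, bytes sent, bytes received, User-Agent)
SESSIONS = [
    ("2017-06-20 09:05", "192.0.2.10", "example.com", 1200, 8000, "Mozilla/5.0"),
    ("2017-06-20 09:40", "192.0.2.10", "example.com", 900, 4100, "Mozilla/5.0"),
    ("2017-06-20 09:55", "10.0.0.8", "intranet.example", 300, 700, "Mozilla/5.0"),
    ("2017-06-20 14:10", "198.51.100.7", "example.org", 500, 2500, "Mozilla/5.0"),
    ("2017-06-20 14:45", "198.51.100.7", "example.org", 600, 1200, "Mozilla/5.0"),
    ("2017-06-21 03:30", "203.0.113.9", "example.net", 400, 600, "curl/7.50"),
]

def profile(sessions, internal=ip_network("10.0.0.0/8"), rare_max=1):
    """Compute the Activity Fields values for one host's sessions.

    Assumptions: 'external' means outside `internal`; a User-Agent is 'rare'
    when it appears in at most `rare_max` sessions; hours with no traffic at
    all are not candidates for the least busy hour.
    """
    times = sorted(datetime.strptime(s[0], "%Y-%m-%d %H:%M") for s in sessions)
    per_hour = Counter(t.hour for t in times)          # requests per hour of day
    agents = Counter(s[5] for s in sessions)           # sessions per User-Agent
    # Idle time, in hours, between each pair of consecutive sessions.
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
    total = sum(s[3] + s[4] for s in sessions)         # bytes sent + received
    return {
        "busiest_hour": max(per_hour, key=per_hour.get),
        "least_busy_hour": min(per_hour, key=per_hour.get),
        "longest_no_traffic_hours": max(gaps, default=0.0),
        "total_bandwidth": total,
        "average_bandwidth": total / len(sessions),    # per session
        "domain_total": len({s[2] for s in sessions}),
        "external_ips": len({s[1] for s in sessions
                             if ip_address(s[1]) not in internal}),
        "rare_user_agents": sum(1 for n in agents.values() if n <= rare_max),
    }

if __name__ == "__main__":
    for field, value in profile(SESSIONS).items():
        print(f"{field}: {value}")
```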

Activity Histograms Panel

The Activity Histograms panel displays the Session Size Histogram. This is a vertical histogram that depicts the host activity in blue.

There are two types of histograms:

  • Vertical Histogram: The data is depicted as a vertical histogram in the case of an Hours or Session Size Histogram.
  • Horizontal Histogram: The data is depicted as a horizontal histogram in the case of a Domains Histogram.

Vertical Histogram

activity_histograms_panel.png

Horizontal Histogram

activity_horizontal_histograms.png

Activity Heat Maps Panel

The Activity Heat Maps panel displays the HTTPS Requests Overview heat map. The heat map is plotted by days (X-axis) and hours (Y-axis). The count of the activities is computed based on the average of several activities. The color codes displayed for the activities are dynamic, so they vary. The heat map starts from the start date of the report, which is displayed above the Heading panel. For example, if the activity is high in the 23rd hour of a particular day, the dark blue color code is displayed on the heat map for that hour.

Note: The high rate of activities during a particular period is not indicative of suspicious activity on the host. The color codes only depict the rate of activities during any period.

activity_heat_maps_panel.png

Activity List Panel

The Activity List panel is displayed based on the percentage of traffic for the field accessed, for example, Daily User Agent Settings and Countries.

View a Host Profile Report

To view a host profile report:

  1. In the Security Analytics menu, click Reports.

    The Manage tab is displayed.

  2. Click Warehouse Analytics.

    The Warehouse Analytics view is displayed.

    Deploy_screen.png

  3. In the Warehouse Analytics toolbar, click View All Jobs.

    A list of jobs, along with their schedule name and time, is displayed on the View tab.

    Note: If no list is displayed, select a date from the calendar to view a list of jobs. 

  4. Double-click on an execution based on the Host Profile model. 
    The Host Profile report is displayed.

Next Steps

You can investigate a host profile report.
