Warehouse Analytics: Analyze a Suspicious DNS Activity Report

Document created by RSA Information Design and Development on Jun 22, 2017
Version 1

This topic describes the Suspicious DNS Activity report. The following figure shows the Suspicious DNS Activity report, which lists all the suspicious domains with the risk score for each, and the different panels in this view.

WA_SuspiciousDNSActivity_report1.png

Context

The Suspicious DNS Activity report has the following panels:

  • Domain Heading
  • Domain Fields
  • Domain Histograms

Domain Heading Panel

The Domain Heading panel shows the risk score, the domain name (for example, bitminter.com), the time the report was generated, and the start and end dates of the period the report was executed for.

Note: If the risk score is greater than or equal to 50, the risk score is color coded red; otherwise it is green.

WA_SuspiciousDNSActivity_header.png

Domain Fields Panel

The Domain Fields panel displays the following fields from the MongoDB database.

domain_fields_panel.png

Note: The values of all fields in the Domain Fields panel are computed at run time.

                                                     
FieldDescription
Security Analytics AlertsThe number of Security Analytics alerts per response.
IP RepetitionThe number of distinct pairs for the IP and date divided by the overall number of IPs in the domain.
Raw ScoreThe raw score.
Number of ResponsesThe number of DNS responses (with the requests ignored).
Median Root on IPThe median of the number of distinct roots per returned IP.
ASN RepetitionThe percentage of ASNs that is seen daily from the total IPs seen on the domain.
Number of IPsThe overall number of IPs.
Median ASNs per Resp.The Median of number of ASNs per response.
Total ASNsThe overall number of ASNs.
IP User MedianThe Median of internal IPs over domain IPs.
Number of Internal IPsThe number of source IP addresses from which the domain was addressed.
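
The following worked example shows how several of the Domain Fields above can be derived from DNS response records, so that an analyst reading the panel knows what each number is counting. It is an added example, not RSA's code, and it does not reproduce the Warehouse Analytics job. The record format, the sample log lines, and the reading of a "root" as the registrable domain (last two labels) are assumptions for this example; Raw Score, ASN Repetition, IP User Median and Security Analytics Alerts are not computed because the page does not define them precisely enough. The `risk_color` function applies the color rule stated for the Domain Heading panel.

```python
"""Derive Domain Fields metrics from DNS response records (added example, not RSA's code)."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample of DNS *response* records. The report ignores requests,
# so none are included. The line format is an assumption for this example.
SAMPLE_LOG = """\
2017-06-20 src=10.1.2.3 qname=bitminter.com answers=203.0.113.5/AS64500,198.51.100.7/AS64501
2017-06-20 src=10.1.2.9 qname=bitminter.com answers=203.0.113.5/AS64500
2017-06-21 src=10.1.2.3 qname=bitminter.com answers=198.51.100.7/AS64501,192.0.2.44/AS64502
2017-06-21 src=10.1.2.3 qname=pool.example.net answers=203.0.113.5/AS64500
2017-06-21 src=10.1.2.9 qname=cdn.example.org answers=192.0.2.44/AS64502
2017-06-22 src=10.1.5.1 qname=bitminter.com answers=203.0.113.5/AS64500
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+) answers=(?P<answers>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of response records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        # Each answer is "<resolved IP>/<ASN of that IP>".
        answers = [tuple(item.split("/")) for item in m["answers"].split(",")]
        records.append(
            {"date": m["date"], "src": m["src"], "qname": m["qname"], "answers": answers}
        )
    return records


def root_of(qname):
    """Assumption: the 'root' is the registrable domain, approximated by the last two labels."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def domain_fields(records, domain):
    """Compute the Domain Fields the page defines clearly enough to implement."""
    own = [r for r in records if root_of(r["qname"]) == domain]
    if not own:
        raise ValueError(f"no responses for {domain}")
    ips = {ip for r in own for ip, _ in r["answers"]}
    asns = {asn for r in own for _, asn in r["answers"]}
    ip_date_pairs = {(ip, r["date"]) for r in own for ip, _ in r["answers"]}

    # Roots per returned IP: distinct domain roots (across all traffic) that
    # resolved to each IP. A high median suggests shared or fast-flux hosting.
    roots_by_ip = defaultdict(set)
    for r in records:
        for ip, _ in r["answers"]:
            roots_by_ip[ip].add(root_of(r["qname"]))

    return {
        "Number of Responses": len(own),
        "Number of IPs": len(ips),
        "Total ASNs": len(asns),
        "IP Repetition": len(ip_date_pairs) / len(ips),
        "Median Root on IP": median(len(roots_by_ip[ip]) for ip in ips),
        "Median ASNs per Resp.": median(len({asn for _, asn in r["answers"]}) for r in own),
        "Number of Internal IPs": len({r["src"] for r in own}),
    }


def risk_color(risk_score):
    """Color rule from the Domain Heading panel: >= 50 is red, otherwise green."""
    return "red" if risk_score >= 50 else "green"


if __name__ == "__main__":
    fields = domain_fields(parse_log(SAMPLE_LOG), "bitminter.com")
    for name, value in fields.items():
        print(f"{name:<24}{value}")
```

On the sample, bitminter.com yields four responses over three resolved IPs in three ASNs, with an IP Repetition above 1 because the same IPs recur on different days, and a Median Root on IP of 2 because two of its IPs also serve other domain roots in the same traffic.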

Domain Histograms Panel

The Domain Histograms panel displays a vertical histogram that highlights the suspicious ASNs or countries in dark blue.

Vertical Histogram

domain_histograms_panel.png

View a Suspicious DNS Activity Report

To view a Suspicious DNS Activity report:

  1. In the Security Analytics menu, click Reports.

    The Manage tab is displayed.

  2. Click Warehouse Analytics.

    The Warehouse Analytics view is displayed.

    Deploy_screen.png

  3. In the Warehouse Analytics toolbar, click View All Jobs.

    A list of jobs along with their schedule name and time is displayed on the View tab.

    Note: If no list is displayed, select a date from the calendar to view a list of jobs. 

  4. Double-click a job execution for the Suspicious DNS Activity report.

    The Suspicious DNS Activity report for the domain is displayed.

Next steps 

Perform the following task: Click the Investigate button to review the Suspicious DNS Activity.
