Warehouse Analytics: Step 4. Analyze a Warehouse Analytics Report

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Oct 16, 2017.

Note: Warehouse Analytics is not supported in Netwitness Suite 11.0 release.

Warehouse Analytics reports provide analysts with insights into early indicators of compromise. Analysts can view a report, analyze the IOCs it lists, and investigate further. For more information, see the Reports Generated Using Warehouse Analytics Models section in How Warehouse Analytics Works and View All Jobs Panel.

View and Analyze Suspicious Domains Reports

The following figure shows the Suspicious Domains report that lists all the potential suspicious domains and the risk score for each.

Suspicious Domain Report

The following figure shows the different panels in this view.

Different panels in Suspicious Domain View

The Suspicious Domains report has the following panels:

  • Domain Heading
  • Domain Fields
  • Domain Histograms
  • Domain Lists

Domain Heading Panel

The Domain Heading panel allows you to view the risk score, the domain name (for example, hmc.edu), the time the report was generated, and the start and end date of the report's execution window.

Note: If the risk score is greater than or equal to 50, it is color-coded red; otherwise it is color-coded green.

Domain Heading Panel

Domain Fields Panel

The Domain Fields panel displays the following fields from the MongoDB database.

Note: The values for the fields are based on the selected suspicious domain. All the fields are populated with values at run time.

Domain Fields Panel

Domain Histograms Panel

The Domain Histograms panel displays the Vertical Histogram, which depicts the suspicious subdomains or internal IP addresses in dark blue.

Vertical Histogram

Domain Histograms Panel

Domain List Panel

The Domain List panel lists the number of server Autonomous System Numbers (ASNs) and the top content types.

Domain List Panel

View Suspicious Domains Reports

  1. In the main menu, click Reports.

    The Manage tab is displayed.

  2. Click Warehouse Analytics.

    The Warehouse Analytics view is displayed.

    Warehouse Analytics View in Reports

  3. In the Warehouse Analytics toolbar, click View All Jobs.

    A list of jobs, along with their schedule name and time, is displayed on the View tab.

    Note: If no list is displayed, select a date from the calendar to view a list of jobs.

  4. Double-click an execution based on the Suspicious Domain model.

    The Suspicious Domains report is displayed.

View and Analyze Suspicious DNS Activity Reports

The following figure shows the Suspicious DNS Activity report listing all the suspicious domains and the risk score for each.

Suspicious DNS Activity report

The following figure shows the different panels in this view.

Different Panels in Suspicious DNS Activity report

The Suspicious DNS Activity report has the following panels:

  • Domain Heading
  • Domain Fields
  • Domain Histograms

Domain Heading Panel

The Domain Heading panel allows you to view the risk score, the domain name (for example, bitminter.com), the time the report was generated, and the start and end date of the report's execution window.

Note: If the risk score is greater than or equal to 50, it is color-coded red; otherwise it is color-coded green.

Domain Heading Panel

Domain Fields Panel

The Domain Fields panel displays the following fields from the MongoDB database.

Domain Fields Panel

Note: All fields in the Domain Fields panel are populated with values at run time.

Field | Description
----- | -----------
NetWitness Suite Alerts | Displays the number of NetWitness Suite alerts per response.
IP Repetition | Displays the number of distinct IP and date pairs divided by the overall number of IPs in the domain.
Raw Score | Displays the raw score.
Number of Responses | Displays the number of DNS responses (requests are ignored).
Median Root on IP | Displays the median of the number of distinct roots per returned IP.
ASN Repetition | Displays the percentage of ASNs seen daily out of the total IPs seen on the domain.
Number of IPs | Displays the overall number of IPs.
Median ASNs per Resp. | Displays the median number of ASNs per response.
Total ASNs | Displays the overall number of ASNs.
IP User Median | Displays the median of internal IPs over domain IPs.
Number of Internal IPs | Displays the number of source IP addresses from which the domain was addressed.
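To make the table concrete, the following added example (not code from the RSA product) computes a subset of these fields from constructed DNS response records. The record layout, the two-label root approximation, and the sample values are assumptions for illustration; the sample includes a second domain sharing an IP so that Median Root on IP is not trivially 1.

```python
from statistics import median

# Constructed sample: DNS responses seen in the warehouse. Each response carries the
# queried name, the date, the internal client that asked, and the answers as
# (returned IP, ASN) pairs. This is not the product's schema.
RESPONSES = [
    {"date": "2017-09-01", "qname": "cdn.example.test", "client": "10.0.0.5",
     "answers": [("203.0.113.10", 64500), ("203.0.113.11", 64500)]},
    {"date": "2017-09-01", "qname": "cdn.example.test", "client": "10.0.0.9",
     "answers": [("198.51.100.7", 64501), ("203.0.113.10", 64500)]},
    {"date": "2017-09-02", "qname": "cdn.example.test", "client": "10.0.0.5",
     "answers": [("192.0.2.44", 64502), ("198.51.100.7", 64501), ("203.0.113.10", 64500)]},
    {"date": "2017-09-02", "qname": "www.other.test", "client": "10.0.0.9",
     "answers": [("203.0.113.10", 64500)]},
    {"date": "2017-09-03", "qname": "cdn.example.test", "client": "10.0.0.12",
     "answers": [("192.0.2.44", 64502)]},
]


def root_of(qname: str) -> str:
    """Domain root approximated as the last two labels (assumption; a public-suffix
    list would be used in practice)."""
    return ".".join(qname.rsplit(".", 2)[-2:])


def dns_activity_fields(responses: list) -> dict:
    """Compute a subset of the Domain Fields panel metrics from raw responses."""
    ips = {ip for r in responses for ip, _ in r["answers"]}
    asns = {asn for r in responses for _, asn in r["answers"]}
    ip_dates = {(ip, r["date"]) for r in responses for ip, _ in r["answers"]}
    roots_per_ip: dict = {}
    for r in responses:
        for ip, _ in r["answers"]:
            roots_per_ip.setdefault(ip, set()).add(root_of(r["qname"]))
    return {
        "Number of Responses": len(responses),
        "Number of IPs": len(ips),
        # distinct (IP, date) pairs over distinct IPs: roughly how many days each IP stays in use
        "IP Repetition": len(ip_dates) / len(ips),
        "Total ASNs": len(asns),
        "Median ASNs per Resp.": median(len({a for _, a in r["answers"]}) for r in responses),
        "Median Root on IP": median(len(s) for s in roots_per_ip.values()),
        "Number of Internal IPs": len({r["client"] for r in responses}),
    }


if __name__ == "__main__":
    for field, value in dns_activity_fields(RESPONSES).items():
        print(f"{field}: {value}")
```

A low Median ASNs per Resp. with a high Total ASNs, or an IP Repetition close to 1 across many IPs, is the kind of pattern the report surfaces for an analyst to investigate.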

Domain Histograms Panel

The Domain Histograms panel displays the Vertical Histogram, which depicts the suspicious ASNs or countries in dark blue.

Vertical Histogram

Domain Histograms Panel

View Suspicious DNS Activity Reports

  1. In the main menu, click Reports.

    The Manage tab is displayed.

  2. Click Warehouse Analytics.

    The Warehouse Analytics view is displayed.

    Warehouse Analytics View in Reports

  3. In the Warehouse Analytics toolbar, click View All Jobs.

    A list of jobs, along with their schedule name and time, is displayed on the View tab.

    Note: If no list is displayed, select a date from the calendar to view a list of jobs.

  4. Double-click an execution based on the Suspicious DNS Activity model.

    The Suspicious DNS Activity report for the domain is displayed.

View and Analyze Host Profile Reports

The following figure shows the Host Profile report, listing all the suspicious hosts.

Host Profile Report

The following figure shows the different panels of this view.

Different Panels in Host Profile Report

The Host Profile Report has the following panels:

  • Activity Heading
  • Activity Fields
  • Activity Histograms
  • Activity Heat Maps
  • Activity List

Activity Heading Panel

The Activity Heading panel allows you to view the activity name, the IP address, the time the report was generated, and the start and end date.

Activity Heading Panel

Note: The Host Profile report does not display a score in the Activity heading panel.

Activity Fields Panel

The Activity Fields panel displays the following fields from the MongoDB database.

Activity Fields Panel

Field | Description
----- | -----------
Least Busiest Hour | Displays the hour with the lowest number of requests.
Busiest Hour | Displays the hour with the highest number of requests.
Longest No-traffic Period (hours) | Displays the longest break without any traffic for this IP.
Total Bandwidth | Displays the total bandwidth consumed for sending and receiving.
Domain Total | Displays the total number of domains accessed by this IP.
Average Bandwidth | Displays the average bandwidth sent or received per session.
External IPs | Displays the number of external IPs accessed.
Rare User-Agents | Displays the number of rare User-Agent strings seen from this IP.
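The following added example (not the product's code) shows how these Activity Fields can be derived from constructed HTTP session records for one internal host. The session tuple layout, the 10/8-only test for internal addresses, and the threshold that makes a User-Agent "rare" are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: HTTP sessions for internal host 10.0.0.5 on one day, as
# (time, domain, destination IP, bytes sent, bytes received, User-Agent).
SESSIONS = [
    ("2017-09-01 08:15", "intranet.corp.test", "10.0.1.20", 1200, 48000, "Mozilla/5.0 (Windows NT 10.0)"),
    ("2017-09-01 08:40", "example.test", "203.0.113.10", 900, 32000, "Mozilla/5.0 (Windows NT 10.0)"),
    ("2017-09-01 09:05", "example.test", "203.0.113.10", 700, 15000, "Mozilla/5.0 (Windows NT 10.0)"),
    ("2017-09-01 09:30", "cdn.example.test", "203.0.113.11", 400, 9000, "Mozilla/5.0 (Windows NT 10.0)"),
    ("2017-09-01 09:50", "update.other.test", "198.51.100.7", 300, 2500, "Mozilla/5.0 (Windows NT 10.0)"),
    ("2017-09-01 17:10", "rare.other.test", "198.51.100.9", 5000, 1200, "curl/7.55.1"),
    ("2017-09-01 23:45", "beacon.other.test", "192.0.2.44", 6000, 800, "Custom-Agent/1.0"),
    ("2017-09-01 23:55", "beacon.other.test", "192.0.2.44", 6000, 800, "Custom-Agent/1.0"),
]
RARE_THRESHOLD = 2  # assumption: a User-Agent seen in fewer sessions than this counts as rare


def is_internal(ip: str) -> bool:
    """Treat only 10.0.0.0/8 as internal (simplification for this sample)."""
    return ip.startswith("10.")


def host_profile_fields(sessions: list) -> dict:
    """Compute the Activity Fields panel metrics for one host from its sessions."""
    times = sorted(datetime.strptime(s[0], "%Y-%m-%d %H:%M") for s in sessions)
    per_hour = Counter(t.hour for t in times)  # requests per hour of day
    gaps_h = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
    sent = sum(s[3] for s in sessions)
    recv = sum(s[4] for s in sessions)
    ua_counts = Counter(s[5] for s in sessions)
    return {
        "Least Busiest Hour": min(per_hour, key=per_hour.get),
        "Busiest Hour": max(per_hour, key=per_hour.get),
        "Longest No-traffic Period (hours)": round(max(gaps_h), 2),
        "Total Bandwidth": sent + recv,
        "Domain Total": len({s[1] for s in sessions}),
        "Average Bandwidth": (sent + recv) / len(sessions),
        "External IPs": len({s[2] for s in sessions if not is_internal(s[2])}),
        "Rare User-Agents": sum(1 for c in ua_counts.values() if c < RARE_THRESHOLD),
    }


if __name__ == "__main__":
    for field, value in host_profile_fields(SESSIONS).items():
        print(f"{field}: {value}")
```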

Activity Histograms Panel

The Activity Histograms panel displays the Session Size Histogram. This is a vertical histogram that depicts the host activity in blue.

There are two types of histograms:

  • Vertical Histogram: The data is depicted as a vertical histogram for the Hours or Session Size histogram.
  • Horizontal Histogram: The data is depicted as a horizontal histogram for the Domains histogram.

Vertical Histogram

Vertical Activity Histograms Panel

Horizontal Histogram

Horizontal Activity Histograms Panel

Activity Heat Maps Panel

The Activity Heat Maps panel displays the HTTPS Requests Overview heat map. The heat map is plotted by day (X-axis) and hour (Y-axis). The count for each cell is computed as the average of several activities. The color codes are dynamic and vary with the level of activity. The heat map starts from the report's start date, which is displayed above the Heading panel. For example, if activity is high during the 23rd hour of a particular day, that cell is shown in dark blue.

Note: A high rate of activity during a particular period is not indicative of suspicious activity on the host. The color codes only depict the rate of activity during a period.

Activity Heat Maps Panel

Activity List Panel

The Activity List panel ranks entries by the percentage of traffic for the field accessed, for example, Daily User Agent Settings and Countries.

Activity List Panel

View Host Profile Reports

  1. In the main menu, click Reports.

    The Manage tab is displayed.

  2. Click Warehouse Analytics.

    The Warehouse Analytics view is displayed.

    Warehouse Analytics View in Reports

  3. In the Warehouse Analytics toolbar, click View All Jobs.

    A list of jobs, along with their schedule name and time, is displayed on the View tab.

    Note: If no list is displayed, select a date from the calendar to view a list of jobs.

  4. Double-click an execution based on the Host Profile model.

    The Host Profile report is displayed.