Note: Warehouse Analytics is not supported in Netwitness Suite 11.0 or later.
Warehouse Analytics reports provide analysts with insights into early indicators of compromise. Analysts can view a report, analyze the IOCs, and investigate further. For more information, see the Reports Generated Using Warehouse Analytics Models section in How Warehouse Analytics Works and View All Jobs Panel.
View and Analyze Suspicious Domains Reports
The following figure shows the Suspicious Domains report that lists all the potential suspicious domains and the risk score for each.
The following figure shows the different panels in this view.
The Suspicious Domains report has the following panels:
- Domain Heading
- Domain Fields
- Domain Histograms
- Domain Lists
Domain Heading Panel
The Domain Heading panel allows you to view the risk score, the domain name (for example, hmc.edu), the time the report was generated, and the start and end dates of the report run.
Note: If the risk score is greater than or equal to 50, the color coding is red; otherwise, it is green.
Domain Fields Panel
The Domain Fields panel displays the following fields from the Mongo DB database.
Note: The values for the fields are based on the selected suspicious domain. All the fields are populated with values at run time.
Domain Histograms Panel
The Domain Histograms panel displays the Vertical Histogram, which depicts the suspicious subdomains or internal IP addresses in dark blue.
Vertical Histogram
Domain List Panel
The Domain List panel lists the number of server Autonomous System Numbers (ASNs) and the top content types.
View Suspicious Domains Reports
- In the main menu, click Reports.
The Manage tab is displayed.
- Click Warehouse Analytics.
The Warehouse Analytics view is displayed.
- In the Warehouse Analytics toolbar, click View All Jobs.
A list of jobs along with their schedule name and time is displayed on the View tab.
Note: If no list is displayed, select a date from the calendar to view a list of jobs.
- Double-click an execution based on the Suspicious Domain.
The Suspicious Domains report is displayed.
View and Analyze Suspicious DNS Activity Reports
The following figure shows the Suspicious DNS Activity report listing all the suspicious domains and the risk score for each.
The following figure shows the different panels in this view.
The Suspicious DNS Activity report has the following panels:
- Domain Heading
- Domain Fields
- Domain Histograms
Domain Heading Panel
The Domain Heading panel allows you to view the risk score, the domain name (for example, bitminter.com), the time the report was generated, and the start and end dates of the report run.
Note: If the risk score is greater than or equal to 50, the color coding is red; otherwise, it is green.
Domain Fields Panel
The Domain Fields panel displays the following fields from the Mongo DB database.
Note: All the fields in the Domain Fields panel are populated with values at run time.
Domain Histograms Panel
The Domain Histograms panel displays the Vertical Histogram, which depicts the suspicious ASNs or countries in dark blue.
Vertical Histogram
View Suspicious DNS Activity Reports
- In the main menu, click Reports.
The Manage tab is displayed.
- Click Warehouse Analytics.
The Warehouse Analytics view is displayed.
- In the Warehouse Analytics toolbar, click View All Jobs.
A list of jobs along with their schedule name and time is displayed on the View tab.
Note: If no list is displayed, select a date from the calendar to view a list of jobs.
- Double-click an execution based on the Suspicious DNS Activity.
The Suspicious DNS Activity report for the domain is displayed.
View and Analyze Host Profile Reports
The following figure shows the Host Profile Report, listing all the suspicious hosts.
The following figure shows the different panels of this view.
The Host Profile Report has the following panels:
- Activity Heading
- Activity Fields
- Activity Histograms
- Activity Heat Maps
- Activity List
Activity Heading Panel
The Activity Heading panel allows you to view the activity name, the IP address, the time the report was generated, and the start and end dates.
Note: The Host Profile report does not display a score in the Activity heading panel.
Activity Fields Panel
The Activity Fields panel displays the following fields from the Mongo DB database.
Activity Histograms Panel
The Activity Histograms panel displays the Session Size Histogram. This is a vertical histogram which depicts the host activity in blue color.
There are two types of histograms:
- Vertical Histogram: The data is depicted as a vertical histogram in the case of an Hours or Session Size Histogram.
- Horizontal Histogram: The data is depicted as a horizontal histogram in the case of a Domains Histogram.
Vertical Histogram
Horizontal Histogram
Activity Heat Maps Panel
The Activity Heat Maps panel displays the HTTPS Requests Overview heat map. The heat map is plotted with days on the X-axis and hours on the Y-axis. The count of activities in each cell is computed from the average of several activities. The color codes assigned to the activities are dynamic and vary with the data. The heat map starts from the report's start date, which is displayed above the Heading panel. For example, if activity is high during the 23rd hour of a particular day, that cell of the heat map is shown in dark blue.
Note: A high rate of activity during a particular period is not indicative of suspicious activity on the host. The color codes only depict the rate of activity during each period.
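As an added illustration of how a day-by-hour heat map of this kind is assembled, here is example code written for this page (not part of NetWitness or its Warehouse Analytics models); the HTTPS request events, the host 10.1.1.5, the dates and the four-step shade scale are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed HTTPS request events (timestamp, client IP); made-up values for
# illustration, not data exported from the product.
SAMPLE_EVENTS = [
    ("2017-03-01 09:15:00", "10.1.1.5"),
    ("2017-03-01 23:05:10", "10.1.1.5"),
    ("2017-03-01 23:07:44", "10.1.1.5"),
    ("2017-03-01 23:59:01", "10.1.1.5"),
    ("2017-03-02 23:12:30", "10.1.1.5"),
    ("2017-03-03 08:00:00", "10.1.1.5"),
    ("2017-03-03 08:30:00", "10.1.1.9"),  # another host: must be ignored
]


def build_heat_map(events, host, start_date, num_days):
    """Bucket one host's events into {(day_offset, hour): count}; day_offset is
    counted from the report start date (X-axis), hour is 0-23 (Y-axis)."""
    start = datetime.strptime(start_date, "%Y-%m-%d").date()
    counts = defaultdict(int)
    for ts, ip in events:
        if ip != host:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        day = (t.date() - start).days
        if 0 <= day < num_days:          # drop events outside the report window
            counts[(day, t.hour)] += 1
    return dict(counts)


def shade_level(count, max_count, levels=4):
    """Shade 0..levels relative to the busiest cell: the darkest cell is merely
    the busiest one in this window, which is a rate, not a verdict."""
    if max_count == 0 or count == 0:
        return 0
    return max(1, round(count / max_count * levels))


def render(heat_map, num_days):
    """One text row per hour; each digit is the shade level for that day."""
    peak = max(heat_map.values(), default=0)
    return [f"{h:02d} " + " ".join(str(shade_level(heat_map.get((d, h), 0), peak))
                                   for d in range(num_days)) for h in range(24)]


if __name__ == "__main__":
    hm = build_heat_map(SAMPLE_EVENTS, "10.1.1.5", "2017-03-01", 3)
    print("\n".join(render(hm, 3)))
```

Running the block prints 24 rows, one per hour, where the 23rd hour of the first day is the darkest cell, matching the page's example of late-night activity standing out without implying it is suspicious.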
Activity List Panel
The Activity List panel displays entries based on the percentage of traffic for the field that was accessed, for example, Daily User Agent Settings and Countries.
View Host Profile Reports
- In the main menu, click Reports.
The Manage tab is displayed.
- Click Warehouse Analytics.
The Warehouse Analytics view is displayed.
- In the Warehouse Analytics toolbar, click View All Jobs.
A list of jobs along with their schedule name and time is displayed on the View tab.
Note: If no list is displayed, select a date from the calendar to view a list of jobs.
- Double-click an execution based on the Host Profile Model.
The Host Profile report is displayed.