
Purpose

This Activeboard allows you to identify and investigate potential threats by analyzing patterns in DNS (Domain Name System) queries and responses.

With this Activeboard it is possible to:

  • Detect anomalies.

  • Correlate data with threat intelligence.

  • Identify malicious activities.

Included widgets

Core Metrics and Summaries

Top queried domains: Table widget

Query Types Distribution: Voronoi diagram widget

Flags distribution: Donut chart widget

Geolocation of clients: Markers map widget

Behavior Insights

Unusual DNS tunnel detection: Pie chart widget

Unusual subdomain amount: Table widget

Threat Intelligence Integration

Known malicious activity: Voronoi diagram widget

Dynamic domains: Dependency wheel widget

OOTB alerts DNS-Related: Table widget

Investigation & Correlation

Domain features risk score: Simple value widget

Prerequisites

To use this Activeboard, you must have the following data sources available on your domain:

  • UmbrellaTop1M

  • mispIndicator

  • CollectiveDefense

  • DynamicDNS
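To make concrete what the Behavior Insights, Threat Intelligence Integration and Investigation & Correlation widgets summarise, here is an added example in plain Python. It is not the Activeboard's own query logic and not Devo code: it runs simple heuristics over a constructed DNS query sample (long, high-entropy subdomains as a DNS tunnel signal; many distinct subdomains per domain; matches against small stand-ins for the mispIndicator, DynamicDNS and UmbrellaTop1M lookups; an additive per-domain risk score). The log layout, thresholds, weights and lookup contents are assumptions made for the illustration.

```python
"""Illustrative DNS threat-hunting heuristics run over constructed query logs.

Added example, not the Activeboard's own queries: it shows in plain Python
the kind of checks behind the Behavior Insights, Threat Intelligence
Integration and Investigation widgets. Field layout, thresholds, weights
and the lookup stand-ins are assumptions made for the illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample traffic: (client_ip, queried name, query type).
_HEX = "0123456789abcdef"
# Six distinct 48-character labels in which every hex symbol occurs 3 times,
# mimicking encoded payload chunks that a DNS tunnel carries in subdomains.
TUNNEL_LABELS = [(_HEX[i:] + _HEX[:i]) * 3 for i in range(6)]
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "example.com", "TXT"),
    ("10.0.0.7", "evil-c2.test", "A"),
    ("10.0.0.9", "myhost.dyndns.test", "A"),
] + [("10.0.0.8", f"{label}.exfil.test", "TXT") for label in TUNNEL_LABELS]

# Constructed stand-ins for the lookups listed under Prerequisites (assumed
# contents; the real lookups are far larger).
UMBRELLA_TOP1M = {"example.com"}
MISP_INDICATORS = {"evil-c2.test"}
DYNAMIC_DNS_PROVIDERS = {"dyndns.test"}


def registered_domain(qname):
    """Last two labels of the name (simplification: ignores the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    """Everything left of the registered domain, '' if there is none."""
    name = qname.rstrip(".").lower()
    reg = registered_domain(name)
    return name[: -len(reg)].rstrip(".") if name != reg else ""


def shannon_entropy(text):
    """Bits per character; encoded payloads score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_candidates(queries, min_sub_len=30, min_entropy=3.5):
    """Registered domains receiving long, high-entropy subdomain queries -> count."""
    hits = Counter()
    for _ip, qname, _qtype in queries:
        sub = subdomain_part(qname).replace(".", "")
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            hits[registered_domain(qname)] += 1
    return dict(hits)


def unusual_subdomain_counts(queries, threshold=5, allowlist=UMBRELLA_TOP1M):
    """Domains outside the allowlist with many distinct subdomains -> count."""
    subs = defaultdict(set)
    for _ip, qname, _qtype in queries:
        sub = subdomain_part(qname)
        if sub:
            subs[registered_domain(qname)].add(sub)
    return {d: len(s) for d, s in subs.items()
            if d not in allowlist and len(s) >= threshold}


def threat_intel_matches(queries, indicators=MISP_INDICATORS,
                         dynamic=DYNAMIC_DNS_PROVIDERS):
    """Split queries into known-malicious and dynamic-DNS hits as (client, name)."""
    known, dyn = [], []
    for ip, qname, _qtype in queries:
        reg = registered_domain(qname)
        if qname.lower() in indicators or reg in indicators:
            known.append((ip, qname))
        if reg in dynamic:
            dyn.append((ip, qname))
    return {"known_malicious": known, "dynamic_dns": dyn}


def qtype_distribution(queries):
    """Query type -> count, the input to a query-type distribution widget."""
    return dict(Counter(qtype for _ip, _q, qtype in queries))


def domain_risk_scores(queries):
    """Additive per-domain score; the weights are illustrative, not Devo's."""
    tunnels = tunnel_candidates(queries)
    bursts = unusual_subdomain_counts(queries)
    ti = threat_intel_matches(queries)
    malicious = {registered_domain(q) for _ip, q in ti["known_malicious"]}
    dynamic = {registered_domain(q) for _ip, q in ti["dynamic_dns"]}
    scores = {}
    for _ip, qname, _qtype in queries:
        d = registered_domain(qname)
        if d in UMBRELLA_TOP1M:
            continue  # popular domains are left out of the risk ranking
        scores[d] = (3 * (d in malicious) + 2 * (d in tunnels)
                     + 1 * (d in bursts) + 1 * (d in dynamic))
    return scores


if __name__ == "__main__":
    print("tunnels:", tunnel_candidates(SAMPLE_QUERIES))
    print("subdomain bursts:", unusual_subdomain_counts(SAMPLE_QUERIES))
    print("threat intel:", threat_intel_matches(SAMPLE_QUERIES))
    print("qtypes:", qtype_distribution(SAMPLE_QUERIES))
    print("risk:", domain_risk_scores(SAMPLE_QUERIES))
```

Run it directly to print each result. On real traffic the thresholds and weights need tuning against your own baseline (legitimate CDN and anti-spam services also generate long, high-entropy subdomains), and registered-domain extraction should use a public suffix list rather than the last-two-labels shortcut.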

Open Activeboard

Once you have installed the Activeboard, you can use the Open button at the top right of the card in Exchange to access it and see the different widgets populated with the relevant data. You can also access the Activeboard area via the Navigation pane.

Data loading takes too long?

Some widgets can take a while to load their data. You can speed this up by creating aggregation tasks; refer to the Aggregation tasks article to learn how to do it.

Use Activeboard

After installing and opening the Activeboard, you can use its widgets to visualize and monitor data. Each widget offers a variety of customization and visualization options; refer to Using widgets and Using inputs to learn about all of them.
