Network analysis page
The Network analysis page provides an interface for investigating campaigns and events, using a graphical representation of entities in your network and access to detailed data records.
At the top of the page is the portal settings widget.
A sensor or sensor group must be set for the page to be functional. A warning is displayed if no sensor is selected.
The interface is optimized for queries spanning a few days; if the selected time range exceeds three days, a warning is displayed. You can disregard the warning and continue using the interface with a larger time range, but the data queries will take longer to complete.
Up to 25 events are returned for each query and graphical expansion. If you require more detail or want to view more events, navigate to the Network explorer page and use the Kibana visualization tool.
Network analysis search tab
The Search tab contains a search bar and the blueprint graph.
The graph is populated by searching for items in the search bar. Click the icon to add the results of the query to the current graph, if any. Click the icon to replace the current graph with the results of the search; a Discard current graph? pop-up is displayed, and you click Yes to confirm.
The following search types are supported:

- Network data searches — Search for network records (passive DNS, webrequest, and flow records):
  - Domain name — Search for DNS queries for the given domain name. The query term is the domain name string; for example, example.com
  - Webrequest — Search for a URL in the webrequest and email data. The query term is simply the URL; for example, http://www.example.com/
  - IP address — Search for an IP address or IP range in the netflow data and event data. The query term is an IP address in dot-decimal notation or an IP address range in CIDR notation; for example, 192.168.1.1 or 192.168.1.0/24
- Artifact searches — Search for file and email data:
  - Email address — Search for the given email address. The query term is simply the email address; for example, dr.evil@hacker.com
  - Email message — Search for the given mail message ID. The query term is the email message ID, as reported in the email tab, followed by a colon; for example, 21056:
  - Filehash — Search for the given file in the file download and email attachment data. The query term is the MD5 or SHA1 hash; for example, d04b82c115777a3bd1b1b21a428a7790bf2d6be7
- Detection threat — Search for the events of the given threat. The query term is the threat class, followed by a slash, followed by the threat name; for example, Command&Control/Teslacrypt. The special query term * searches for all threats detected in the selected time window.
- General purpose searches — Flexible, general-purpose rules to search the network and detection data for records matching a given rule. The rule format is documented in the Network analysis rules section; for example, pdns.rrname: 2211.ru OR netflow.dst_ip:105.159.251.209
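When analysts feed search terms into this page from a script or a ticketing integration, it helps to check up front which of the documented search types a term will be treated as, so that a mistyped hash or an email message ID without its trailing colon is caught before the query is submitted. The following is an added example and not part of the product documentation or the product's own code: the classification rules (the regular expressions, the priority order, and the helper names classify_search_term and data_sources_for) are my own reading of the formats listed above, and the sample terms are constructed from the examples on this page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Patterns derived from the query formats documented above (assumptions, not the product's parser).
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
MESSAGE_ID_RE = re.compile(r"^\d+:$")               # numeric message ID followed by a colon, e.g. "21056:"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")
THREAT_RE = re.compile(r"^[^/\s]+/[^/\s]+$")        # "threat class/threat name", e.g. "Command&Control/Teslacrypt"

# Which data each search type runs against, as stated in the documentation above.
DATA_SOURCES = {
    "domain_name": ("passive DNS",),
    "webrequest": ("webrequest", "email"),
    "ip_address": ("netflow", "events"),
    "email_address": ("email",),
    "email_message": ("email",),
    "filehash": ("file download", "email attachment"),
    "detection_threat": ("detection events",),
    "general_rule": ("network", "detection"),
}


def classify_search_term(term: str) -> str:
    """Return the documented search type a raw term would be interpreted as.

    Checks run from most specific to least specific so that a 40-hex-digit hash
    is not mistaken for a domain and a CIDR range is not mistaken for a
    "class/name" threat term. Anything that matches no fixed format is assumed
    to be a general-purpose rule.
    """
    term = term.strip()
    if term == "*":                      # wildcard: every threat in the selected time window
        return "detection_threat"
    if MD5_RE.match(term) or SHA1_RE.match(term):
        return "filehash"
    if MESSAGE_ID_RE.match(term):
        return "email_message"
    try:                                 # single address or CIDR range, IPv4 or IPv6
        ipaddress.ip_network(term, strict=False)
        return "ip_address"
    except ValueError:
        pass
    if EMAIL_RE.match(term):
        return "email_address"
    parsed = urlparse(term)              # a webrequest term needs an explicit http(s) scheme here
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "webrequest"
    if DOMAIN_RE.match(term):
        return "domain_name"
    if THREAT_RE.match(term):
        return "detection_threat"
    return "general_rule"


def data_sources_for(term: str) -> tuple:
    """Map a raw term to the data sources the corresponding search covers."""
    return DATA_SOURCES[classify_search_term(term)]


if __name__ == "__main__":
    # Constructed sample terms, taken from the examples in the documentation above.
    samples = [
        "example.com",
        "http://www.example.com/",
        "192.168.1.0/24",
        "dr.evil@hacker.com",
        "21056:",
        "d04b82c115777a3bd1b1b21a428a7790bf2d6be7",
        "Command&Control/Teslacrypt",
        "*",
        "pdns.rrname: 2211.ru OR netflow.dst_ip:105.159.251.209",
    ]
    for s in samples:
        print(f"{s!r:60} -> {classify_search_term(s):17} {data_sources_for(s)}")
```

Note that a URL typed without its scheme (www.example.com/path) is ambiguous under these rules and would be reported as a threat term, which is exactly the kind of mismatch the pre-check is meant to surface before the query is run.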