Network analysis sidebar

The sidebar is used to display information that is relative to one or more elements of the blueprint graph. By default it is minimized.

To minimize the sidebar, click the angle right icon.

Node or edge information

The node/edge information tab provides additional information about a selected node or edge in the blueprint graph. To select a node, click on its icon in the graph.

The information shown depends on the type of the selected node:

Analysis report

Additional information about an analysis report.

Report details:

  • Analysis reports Displays the task UUID and score. Click the link icon to view the analysis report in a new browser tab.

  • MD5 File hash value. Click the Intelligence pages icon to view the file hash in Intelligence.

  • SHA1 File hash value. Click the Intelligence pages icon to view the file hash in Intelligence.

  • Size File size in bytes.

  • Category The category the analyzed file belongs to.

  • Type The detected file type, which is more specific than the category.

Sightings details of the analyzed sample:

  • Number of downloads The number of times the analyzed file was observed being downloaded.

  • Hosts IP addresses of the hosts that downloaded the analyzed file.

  • URLs The full URL of the downloaded file.

Malicious reputation entry

Additional information about a malicious reputation entry (IP address or domain name).

Entry details:

  • Hostnames List of hostnames observed for this entry.

  • IP addresses List of IP addresses observed for this entry.

  • Threats List of threat detections involving this entry.

  • Contacted ports List of port numbers that were contacted on this entry in sample detonations.

  • Intelligence A link to the knowledge base records for this entry.

Malicious reputation history details

  • Start time Initial time of being listed as malicious.

  • End time Final time of being listed as malicious.

  • Malicious reputation entry The malicious reputation entry.

  • Threat The threat/malware associated with the malicious reputation entry.

  • Confidence The confidence score associated with the malicious reputation entry.

Downloaded file

Additional information about a downloaded file.

File details:

  • MD5 File hash value. Click the Intelligence pages icon to view the file hash in Intelligence.

  • SHA1 File hash value. Click the Intelligence pages icon to view the file hash in Intelligence.

  • Size File size in bytes.

  • Category The category the analyzed file belongs to.

  • Type The detected file type, which is more specific than the category.

Sightings details:

  • Number of downloads The number of times the analyzed file was observed being downloaded.

  • Downloading hosts IP addresses of the hosts that downloaded the analyzed file.

  • URLs The full URL of the downloaded file.

  • Reports Displays the report status, task UUID, and score. Click the link icon to view the analysis report in a new browser tab.

Email address

Provides the email address.

Email message

Additional information about an email message.

Message details:

  • Message ID The Message-ID header, a globally unique identifier assigned to the message by the originating mail server.

  • Sender The sender's email address.

  • Recipient The recipient's email address.

Analyzed URLs contained in the message:

  • URL The full URL provided in the message.

  • Host The domain name provided in the message.

  • Analysis Displays the analysis score. Click the link icon to view the analysis report in a new browser tab.

Analyzed attachments contained in the message:

  • Filename The attachment filename.

  • Size The size of the attachment in bytes.

  • MD5 File hash value.

  • SHA1 File hash value.

  • Analysis Displays the analysis score. Click the link icon to view the analysis report in a new browser tab.

Host

Additional information about a host.

Host-level details:

  • IP address The host's IP address, shown with a geo-located map or, for local addresses, a local network icon. Click the Intelligence pages icon to view the host in Intelligence.

  • Hostnames Domain name for the host.

  • Services Any services detected on the host.

Incidents involving the host:

  • Number of incidents Count of all incidents.

  • Max impact Indicates the maximum impact of all incidents.

  • Threats A list of the detected events.

A note indicates if the host is internal or external to the monitored network.

Hostname

Additional information about a domain name that was resolved.

  • Resource The resource that was looked up. Click the Intelligence pages icon to view the resource in Intelligence.

  • Resolutions The resolution information returned by the DNS lookup. For example, A indicates an address record, which maps the name to an IPv4 address and is shown together with that address.

HTTP request

Additional information about an HTTP request.

URL details:

  • Download URLs The observed URL(s) in the HTTP request.

  • Download IPs The IP address(es) resolved for the HTTP request. Click the Investigations pages icon to view the request IP address in Network analysis.

Request details

  • Number of requests The number of times the HTTP request was observed.

  • Hosts IP addresses of the hosts issuing the HTTP request.

  • Referers The values of the "Referer" header (spelled as in the HTTP specification) observed in the HTTP request.

  • User agents User-agent values observed in the HTTP request.

Threat

Additional information about a threat.

Threat details:

  • Threat class The name of the detected threat class. For example, command & control.

  • Threat The name of the detected threat. For example, Loki Bot.

  • Severity The calculated threat score.

  • Information A description of the detected threat.

When you click an edge, the following information is displayed about the connection:

  • Source node The source of the connection. This can be a node name, an IP address, a domain name, etc.

  • Target node The destination of the connection. This can be a node name, an IP address, a domain name, etc.

Under Source node and Target node, the actual source or target of the connection is listed. Click the plus icon to expand the source or target and view its details.

Timeline

View a timeline of the selected threat or analysis report.

The cards show the date and time of the selected data.

Note:

Timeline visualization data is only available for threats and analysis reports.

Third-party tools

The third-party tools tab links to external tools that may provide additional information about an entity selected in the graph. Currently, the tools supported are DomainTools and VirusTotal.

The following searches are supported:

  • Selecting a host node allows you to search for the corresponding IP address on DomainTools and VirusTotal.

  • Selecting a hostname node allows you to search for the corresponding domain name on DomainTools and VirusTotal.

  • Selecting a downloaded file node allows you to search for the corresponding hash on VirusTotal.

  • Selecting an HTTP request node allows you to search for the request's hostname on DomainTools and VirusTotal.
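The mapping above (host node to IP address, hostname node to domain, downloaded file node to hash, HTTP request node to the request's hostname) is the kind of pivot an analyst often reproduces outside the UI. The following is an added example, not code from the product or this page: it derives the search key from a selected node the same way, validates it, and builds the corresponding VirusTotal and DomainTools links. The URL patterns for both services, the node type names, and the fallback from an HTTP request to a bare IP address (which the page does not describe) are all assumptions made for the example.

```python
"""Build third-party pivot links for a selected blueprint-graph node.

Added example, not product code.  Node type names, the VirusTotal and
DomainTools URL patterns, and the IP fallback for HTTP requests are
assumptions made for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit, quote

VT_BASE = "https://www.virustotal.com/gui"   # assumed public VirusTotal GUI base
DT_BASE = "https://whois.domaintools.com"    # assumed public DomainTools WHOIS base

# MD5 (32), SHA1 (40) or SHA256 (64) hex digests, lowercase only.
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def _is_ip(value):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def request_hostname(url):
    """Hostname of an HTTP request URL, without userinfo, port or path.

    urlsplit(...).hostname strips userinfo and the port and lowercases the
    name, so "http://u:p@Evil.Example.COM:8080/x" yields "evil.example.com".
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no hostname in %r" % url)
    return host


def pivot_links(node_type, value):
    """Return {tool_name: url} for the searches available for a node type."""
    if node_type == "host":
        if not _is_ip(value):
            raise ValueError("host node expects an IP address, got %r" % value)
        return {
            "virustotal": "%s/ip-address/%s" % (VT_BASE, quote(value)),
            "domaintools": "%s/%s" % (DT_BASE, quote(value)),
        }
    if node_type == "hostname":
        domain = value.strip().rstrip(".").lower()   # drop trailing dot of FQDN form
        return {
            "virustotal": "%s/domain/%s" % (VT_BASE, quote(domain)),
            "domaintools": "%s/%s" % (DT_BASE, quote(domain)),
        }
    if node_type == "downloaded_file":
        digest = value.strip().lower()
        if not _HASH_RE.match(digest):
            raise ValueError("expected an MD5, SHA1 or SHA256 hex digest")
        # Only VirusTotal offers a hash lookup here.
        return {"virustotal": "%s/file/%s" % (VT_BASE, digest)}
    if node_type == "http_request":
        host = request_hostname(value)
        # Assumption: a request to a bare IP address has no domain to look up,
        # so fall back to the IP search used for host nodes.
        if _is_ip(host):
            return pivot_links("host", host)
        return pivot_links("hostname", host)
    raise ValueError("no third-party search for node type %r" % node_type)


if __name__ == "__main__":
    # Constructed sample nodes, not data from any real investigation.
    for node in [("host", "198.51.100.7"),
                 ("hostname", "Example.net."),
                 ("downloaded_file", "D41D8CD98F00B204E9800998ECF8427E"),
                 ("http_request", "http://user:pw@Evil.Example.COM:8080/a.exe?x=1")]:
        print(node, pivot_links(*node))
```

Hash values are normalized to lowercase and the trailing dot of a fully qualified name is dropped before the link is built, so the same indicator produces the same URL regardless of how it was displayed in the graph.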

Rule editor

The rule editor is used to create or update a rule. See Network analysis rules for details of the rules, their syntax, and a selection of examples.

To use the editor, perform the following steps:

  1. Select a License from the pull-down menu. The rule can be associated with All licenses (Global rule) or a specific license.

  2. Select a Sensor from the pull-down menu. The rule can be associated with All sensors or a specific Sensor.

  3. Enter a Rule name.

  4. Enter a Rule. Refer to Network analysis rules for valid syntax and other details.

  5. Provide an optional Comment to describe the rule.

  6. Enter an Impact value or click the increment/decrement icon to change the value in steps of 10.

To save your changes to a new rule, click Create rule. For an existing rule, click Update rule.

To abandon your changes, click Reset.