DPA-Powered Dashboards

The Challenge

Knowing What to Trust

With the proliferation of top-level domains, threat actors are using all sorts of DNS tricks to entice people to engage with malicious sites or to mask malicious traffic in the noise of normal traffic. So how do you sort through the noise to find abnormal top-level domains (TLDs)?

The Solution

Custom DPA-Powered NetMon Dashboards

You can solve this problem using two powerful NetMon features: deep packet analytics (DPA) and rich custom dashboards. First, we'll create a DPA rule that parses out custom metadata (the TLD). Then we'll build a dashboard that consumes this custom metadata as a hunting dashboard, surfacing abnormal trends in TLD usage.

Using NetMon, create a DPA script that extracts the TLD from HTTP and HTTPS traffic. The TLD is added to the Elasticsearch metadata as the custom field TopLevelDomain_NM.
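To make the extraction step concrete, here is an added example (not NetMon's own Lua DPA rule, whose API is not shown on this page) of the TLD-parsing and top/bottom ranking logic in Python, run over a constructed list of HTTP Host / TLS SNI values. It also covers the inputs a DPA rule will meet in real traffic: a trailing port, a trailing dot, IP literals and single-label names, none of which should produce a TLD value.

```python
import ipaddress
from collections import Counter

# Constructed sample: Host header / SNI values as a DPA rule would see them.
SAMPLE_HOSTS = [
    "www.example.com", "cdn.example.com:443", "api.example.com",
    "login.example.net", "mail.example.org.", "XN--80AK6AA92E.xn--p1ai",
    "10.0.0.5", "[2001:db8::1]:8443", "update.example.zip", "localhost",
]

def extract_tld(host):
    """Return the lowercase TLD of a Host/SNI value, or None when the value
    carries no TLD (empty, IP literal, or a single label such as localhost)."""
    if not host:
        return None
    h = host.strip().lower()
    if h.startswith("["):                       # bracketed IPv6 literal, maybe with :port
        h = h[1:].split("]", 1)[0]
    elif h.count(":") == 1:                     # hostname:port
        h = h.rsplit(":", 1)[0]
    h = h.rstrip(".")                           # fully qualified name with trailing dot
    try:
        ipaddress.ip_address(h)                 # IPv4/IPv6 literal: no TLD to record
        return None
    except ValueError:
        pass
    labels = h.split(".")
    if len(labels) < 2 or not labels[-1]:
        return None
    return labels[-1]                           # punycode TLDs stay as xn--... for the dashboard

def tld_counts(hosts):
    """Count TLDs across flows, skipping values with no TLD."""
    counts = Counter()
    for host in hosts:
        tld = extract_tld(host)
        if tld is not None:
            counts[tld] += 1
    return counts

def top_and_bottom(counts, n=10):
    """Return (top n, bottom n) TLDs by flow count; ties break by name so the
    result is stable, mirroring the dashboard's top/bottom 10 panels."""
    top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    bottom = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]
    return top, bottom

if __name__ == "__main__":
    top, bottom = top_and_bottom(tld_counts(SAMPLE_HOSTS), 3)
    print("top:", top)
    print("bottom:", bottom)
```

The bottom-N list is the hunting view: a TLD that appears in a handful of flows is worth a closer look, while a count of zero for a host simply means the value was an IP literal or an unqualified name.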

Figure

NetMon’s Kibana cache of metadata fields has to be refreshed before the new custom fields can be used in dashboards.

Go to https:///kibana4/#/settings

Figure

Click the [network]_YYYY_MM_DD link to reach the Kibana settings page for the network data index.

Figure

Here you can see all the accessible metadata. The only thing you need to touch on this settings page is the refresh button. Because the Flow_TopLevelDomain.lua script is already running, the TopLevelDomain_NM field appears far down the list.

Figure

Once Kibana has access to the new metadata field, you can use it in your dashboards. With a couple of donut charts, histograms and a table search, the dashboard will show the top and bottom 10 TLDs on your network.

Create the top 10 TLDs in a donut chart:

Figure

Then, add applications for each TLD to display the top five applications per TLD. The applications will be displayed in an outer ring:

Figure

To create the final dashboard, you can add the bottom 10 TLDs and a table search:

Figure

Final Notes

Please note: The above instructions are intended for those of you running NetMon v3.1. If you have already upgraded to NetMon 3.2, the process is simpler: you will not need the “Refresh Kibana” step, because custom metadata fields show up automatically as long as your DPA rule generates metadata.

Try NetMon Freemium

If you aren’t a NetMon user yet, you can still give this use case a try. Install NetMon Freemium to get started.