DPA-Powered Dashboards

The Challenge

Knowing What to Trust

With the proliferation of top-level domains, threat actors are using all sorts of DNS tricks to entice people to engage with malicious sites or to mask malicious traffic in the noise of normal traffic. So how do you sort through the noise to find abnormal top-level domains (TLDs)?

The Solution

Custom DPA-Powered Network Monitor Dashboards

You can solve this problem using two powerful features of Network Monitor (NetMon)—deep packet analytics (DPA) and rich custom dashboards. First, we’ll create a DPA rule to parse out custom metadata (the TLD). Then we’ll build a dashboard that consumes this custom metadata, giving you a hunting dashboard that surfaces abnormal trends in TLD usage.

Using NetMon, create a DPA script that extracts the TLD from HTTP and HTTPS traffic. The TLD is added to the Elasticsearch metadata as the custom field TopLevelDomain_NM.
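The hostname-to-TLD logic such a rule needs, as an added illustration rather than the Flow_TopLevelDomain.lua rule the post links to; it is written in Python instead of NetMon's Lua so it runs stand-alone. The hostnames are constructed samples of what a rule would see in an HTTP Host header or a TLS ClientHello SNI, and the function names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample hostnames, as observed in HTTP Host headers or TLS SNI.
SAMPLE_HOSTS = [
    "www.example.com", "mail.example.com:443", "cdn.example.co.uk",
    "update.example.net.", "192.0.2.10", "login.example.zip",
    "api.example.com", "files.example.xyz", "[2001:db8::1]:8443",
]

def extract_tld(host):
    """Return the rightmost DNS label of a hostname, lower-cased, or None.
    Handles an optional :port, a trailing root dot, and bare IP literals
    (which have no TLD and would otherwise be counted as e.g. "10").
    Rightmost label only: co.uk yields "uk"; public-suffix handling is
    out of scope."""
    h = host.strip().lower()
    if h.startswith("["):            # bracketed IPv6 literal, maybe with port
        h = h[1:h.find("]")] if "]" in h else h[1:]
    elif h.count(":") == 1:          # host:port
        h = h.split(":", 1)[0]
    h = h.rstrip(".")
    if not h:
        return None
    try:
        ipaddress.ip_address(h)      # IPv4 or unbracketed IPv6 literal
        return None
    except ValueError:
        pass
    labels = h.split(".")
    tld = labels[-1]
    # Need at least two labels; allow punycode TLDs such as xn--p1ai.
    if len(labels) < 2 or not re.fullmatch(r"[a-z0-9-]+", tld):
        return None
    return tld

def tld_counts(hosts):
    """Count TLD occurrences across observed hosts: the per-flow
    TopLevelDomain_NM values a dashboard would aggregate."""
    return Counter(t for t in map(extract_tld, hosts) if t)

def rare_tlds(hosts, n=3):
    """Bottom-n TLDs by frequency, the 'abnormal' end a hunting
    dashboard surfaces; ties are broken alphabetically."""
    ranked = sorted(tld_counts(hosts).items(), key=lambda kv: (kv[1], kv[0]))
    return [t for t, _ in ranked[:n]]
```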

Figure 1. Edit Details for Flow_TopLevelDomain

NetMon’s Kibana cache of metadata fields has to be refreshed before the new custom field can be used in dashboards.

Go to https:///kibana4/#/settings

Figure 2. Configure an Index Pattern

Click the [network]_]UUUU_MM_DD link to open the Kibana settings page for the network data index.

Figure 3. Kibana Settings Page for Network Data Index

Here, you can see all the metadata that is accessible. The only thing you really want to touch on this settings page is the refresh button. Because the Flow_TopLevelDomain.lua script is already running, the TopLevelDomain_NM field appears near the bottom of the list.

Figure 4. Top Level Domain

Once Kibana can see the new metadata field, you can use it in your dashboards. With a couple of donut charts, histograms and a table search, the dashboard will show the top and bottom 10 TLDs on your network.

Create the top 10 TLDs in a donut chart:

Figure 5. Creating the Top 10 TLDs in a Donut Chart

Then, add applications for each TLD to display the top five applications per TLD. The applications will be displayed in an outer ring:

Figure 6. Add Applications for Each TLD to Display the Top 5 Applications

To create the final dashboard, you can add the bottom 10 TLDs and a table search:

Figure 7. Add the Bottom 10 TLDs and a Table Search for the Final Dashboard

Final Notes

Please note: The above instructions are intended for those of you who are using NetMon v. 3.1. If you have already upgraded to NetMon 3.2, the process will be simpler, as you will not need to go through the “Refresh Kibana” step, as the custom metadata fields will automatically show up as long as your DPA rule generates metadata.

Here you’ll find the draft of the Lua rule in import-ready format. You can import it through Configuration –> Engine –> Deep Packet Analytics. Do not forget to enable the rule after importing it.

Here you’ll find an almost identical TLD dashboard with visualizations. You can import it through Analyze –> Dashboard Settings –> Import. You’ll see an alert about the missing TopLevelDomain_NM metadata field. After importing and running the rule, you can enable the dashboard by refreshing Kibana as described above.

Finally, you can load the TLD draft dashboard through Analyze –> Dashboards –> “load symbol”.

Try NetMon Freemium

If you aren’t a NetMon user yet, you can still give this use case a try. Install NetMon Freemium to get started.

