Data Analysis¶
Whalebone Portal (graphical user interface) gives the user number of possibilities how to analyze what is happening on the DNS resolvers and the network.
Threats¶
Threats are special events where there is a DNS request for a domain that is present within the reputation database. There are two types of actions when a threat is detected. The first is to audit the event while the second is to block it.
The action that is to be implemented depends on the policies that are assigned to the specific resolver. For more on that please refer to Security Policies.
There are some pre-configured filters that can be applied on the data on the portal. Some sample queries can be found below. These queries depict the majority of the use cases but there is no hard limit as the available search engine is full-text and any query can be compiled impromptu.
How to search for audit/block events.¶
For more advanced usage a query can be issued:
action: blockin order to filter the blocked eventsaction: auditin order to filter the audited eventsaction: allowin order to view the Block page bypasses
This query updates the content of the whole dashboard.
How to search for a domain¶
In order to search for a domain’s instances in the events, the easiest way
is to click on it in the provided log history. Alternatively a query
could be issued in the search engine with the term: domain:<domain>
How to search for events based on specific IP address.¶
A filtering of an IP address is possible by clicking on the specific
Source IP bar and in this way filtering the content of the whole
portal.
A more advanced use case could be to directly search for IP address in
the search field and use the operator client_ip such as: client_ip:<IP address>.
Tip
In the following example the data are anonymized so a reader could consider that instead of the previewed hash value, an IP address is used.
How to search for events based on specific threat category.¶
There are multiple threat categories available.
To name a few: malware, c&c, blacklist,
phishing, coinminer, spam, and compromised.
A simple alternative could be to click on the bar that matches the detected threat and filter only the specific type.
Another approach could be to click on the filter icon and in this way specify the desired category, as can be seen in the next image.
How to change the date range of the available data¶
YYYY.MM.DD HH:mm:ss format or by using the builtin
tool that provides quick suggestions.
DNS Traffic¶
The DNS Traffic tab contains an overview of the traffic that has
been logged on the resolver. It contains all the queries along with some
additional information such as the type, the answer and the TTL (time to
live) of the answer.
Tip
The data are subject to de-duplication. This means that the resolver logs only unique combinations of query, query type and answer per 24 hour time frame. For this reason, a query might not be available on the portal even though it has been resolved.
Below, some of the most useful filtering options of the available data will be described.
How to view all queries of a specific type¶
In order to view all queries of a specific type the most straight forward way is to click on the filter icon and select the desired value.
Another option is to insert a query in the search field. This query
could be in the form query_type:<type>. The possible types are:
A,AAAA, CNAME, MX, NS, PTR, RRSIG,
SPF, SRV andTXT.
How to view all answers of a specific type¶
The answers can be filtered by selecting the specific bar in the
respective Answers field. Additionally, the answers can be viewed by
issuing a query in the form answer:<answer_type>.
Useful answer types are NXDOMAIN or SERVFAIL.
How to search for a domain¶
In order to search for a domain’s instances in the logs, the easiest way
is to click on it in the provided log history. Alternatively a query
could be issued in the search engine with a fully qualified domain: query:<domain>.
Please note the . at the end of the query.
A more fine-grained search can be performed by searching for more
specific domain based on the available domain levels. The acceptable
search fields are domain_l1:<domain_l1> and
domain_l2:<domain_l2>.
How to change the date range of the available data¶
Please refer to How to change the date range of the available data of the Threats section.
How to view DGA (Domain Generation Algorithm) indications¶
Whalebone provides a view of indicators of DGA instances. These
indications can be accessed by using the filter icon and selecting DGA
as can be seen below. Alternatively the query dga.class:1 can be issued.
Other Tips and Tricks¶
Search operators (wildcard (*), logical AND, logical OR) can also be used to improve the search result precision.
It should be noted that some requested fields in DNS traffic and Threats are slightly different.
Example queries are:
- All queries from IP addresses that start with 10:
| DNS Traffic | Threats |
|---|---|
client: 10.* |
client_ip: 10.* |
- All queries for domain whalebone.io:
| DNS Traffic | Threats |
|---|---|
query: whalebone.io. (please also include the dot at the end) |
domain: whalebone.io |
- Queries from IP address 1.2.3.4 for whalebone.io:
| DNS Traffic | Threats |
|---|---|
client: 1.2.3.4 AND query: whalebone.io. |
client_ip: 1.2.3.4 AND domain: whalebone.io |
Tip
Filtering operators are placed statically to the URL address. Therefore, you can create your set of filters in advance (such as view on individual IPs) and to use them when necessary. Afterwards, you can place them to your CRM for the specific user’s account and to access the filtered view immediately. It will help saving your time when customer asks for the support as you can immediately open their details.