Reporting

Whalebone Portal provides the tools in order to configure various reporting options and manage the access to Whalebone API.

Reports

Reporting capabilities can be configured from the drop-down menu under a user’s account. The properties that can be customized, include the frequency that the reports are being delivered, the preferred day of the week, the language and the recipients.

Note

The default recipient is the owner of the account and the reports are delivered to their respective registered email address.

_images/report-configuration.gif

Alerts

Whalebone alerting provides live updates about key information such as resolver’s health, resolution status, hardware usage and it also informs about crucial security incidents and many more. All of these information can be passed through multiple channels e.g. email, slack, syslog or webhook. You can create new alert from predefined templates and alerts can be then customized by editing their parameters. You can watch step-by-step video guide here

Note

In order to turn on an alert, you first need to assign a destination for it. Click the alert name to expand it in detail and select the destination from the box. Multiple destinations may be selected by shift-clicking the addresses.

DNS traffic - count of unique requests from IP

This alert is triggered when a single source IP reaches the limit of unique requests with defined attributes. Parameters: * MINUTES: time window in minutes (Default=15) * TRESHOLD: number of events in timeframe to trigger alert (Default=100) * QUERY_TYPE: Filter by DNS query type (Default=*) * RESPONSE_TYPE: Filter by DNS response (Default=*) * IP_WILDCARD: Include only these these comma-separated IP addresses in the alert (Default=*) * IP_WILDCARD_IGNORE: Ignore these comma separated domains in the alert (Default=none) * DOMAIN_WILDCARD: Include only these comma separated domains in the alert(Default=*) * DOMAIN_WILDCARD_IGNORE: Ignore these comma separated domains in the alert (Default=none) * DGA: Filter by domain generation algorithm - Only DGA, Without DGA or both (Default=*)

DNS traffic - increased percentage of queries

This Alert will be sent when number of DNS traffic logs is percentually greater over configured time period. Parameters: * MINUTES: Timeframe - time window (Default=15) * PERCENT: Percentage increase (e.g. 200%) - difference between two intervals (Default=50) * QUERY_TYPE: Filter by DNS query type (Default=*) * RESPONSE_TYPE: Filter by DNS response (Default=*)

DNS traffic - possible homograph attack

This Alert is sent when a possible homograph attack for a specified domain is detected Parameters: * DOMAIN: Domain to monitor for possible homograph attacks (One alert can monitor only one domain) * DISTANCE: Number of characters that can differ in the phishing domain (Default=1) * DOMAIN_WILDCARD_IGNORE: Ignore this list of comma separated domains in the alert. In case DISTANCE is larger than 1, there will be a detection on domains that support both a global and regional top level formats. It is recommended to add the legitimate domains in the whitelists in order to avoid unnecessary alarms. (Default=none)

DNS traffic - treshold for unique queries

This Alert is sent when threshold for filtered unique DNS logs is reached Parameters: * MINUTES: Timeframe - time window (Default=15) * TRESHOLD: Threshold - number of events in timeframe to trigger alert (Default=100) * QUERY_TYPE: Filter by DNS query type (Default=*) * RESPONSE_TYPE: Filter by DNS response (Default=*)

Resolver - Cloud communication failure

Resolver - Insufficient hardware resources

Resolver - Resolution service failure

Threats - count during intervals

Threats - event detection

Threats - newly blocked domain

Note

When the alerting channel is syslog, by default TCP or TLS is supported as the transport layer protocol.