Dashboards

This guide describes the available Looker dashboards for visualizing DomainTools data from Chronicle.

Threat intelligence

Young domains

  • This panel will display the count of Young Domains observed in Chronicle, based on the selected Young Domain Threshold. The default Young Domain Threshold is 7 days.
  • A domain will be displayed in the dashboard only if (ingested timestamp of the enriched domain event - first_seen of the domain) <= Young Domain Threshold.

Suspicious domains

  • This panel will display the count of Suspicious Domains, based on the selected Suspicious Domain Range. The default Suspicious Range is 75-100.
  • A Suspicious Domain's details will be displayed in the drill down table panel when the user clicks on the Suspicious Domains count. The following details will be displayed:
      • Domain
      • Risk Score
      • View in Chronicle
      • Last Observed (UTC)
  • When the user clicks on the Domain, a redirection link will appear. Clicking the link redirects the user to DomainTools.
  • When the user clicks on View in Chronicle, a redirection link will appear. Clicking the link redirects the user to Chronicle.

High risk domains

  • This panel will display a bar chart of domain name vs. number of observations during the selected time period.
  • The High Risk Domains will be populated based on the selected High Risk Range. The default High Risk Range is 90-100.
  • When a user clicks on any bar of the chart, events associated with that domain will be displayed in the drill down table panel. The latest 500 domain details will be displayed. To view all domain details, a user can download the file by clicking the Download option. The following details will be displayed:
      • Domain
      • Risk Score
      • Event Timestamp (UTC)
      • View in Chronicle
  • When the user clicks on the Domain, a redirection link will appear. Clicking the link redirects the user to DomainTools.
  • When the user clicks on View in Chronicle, a redirection link will appear. Clicking the link redirects the user to Chronicle.

Medium risk domains

  • This panel will display a bar chart of domain name vs. number of observations during the selected time period.
  • The Medium Risk Domains will be populated based on the selected Medium Risk Range. The default Medium Risk Range is 75-89.
  • When a user clicks on any bar of the chart, events associated with that domain will be displayed in the drill down table panel. The latest 500 domain details will be displayed. To view all domain details, a user can download the file by clicking the Download option. The following details will be displayed:
      • Domain
      • Risk Score
      • Event Timestamp (UTC)
      • View in Chronicle
  • When the user clicks on the Domain, a redirection link will appear. Clicking the link redirects the user to DomainTools.
  • When the user clicks on View in Chronicle, a redirection link will appear. Clicking the link redirects the user to Chronicle.

Young domains table

  • This panel will display the details of the Young Domains in a table. The following details of the young domains will be displayed:
      • Domain
      • Age (in days)
      • Risk Score
      • First Observed (UTC)
      • Last Observed (UTC)
      • Events
  • When the user clicks on the Domain, a redirection link will appear. Clicking the link redirects the user to DomainTools.
  • When the user clicks on Events, a redirection link will appear. Clicking the link redirects the user to Chronicle.
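
The selection rules behind the Young, Suspicious, High risk and Medium risk panels can be reproduced outside Looker to sanity-check what a panel shows. The following is an added example, not code from the DomainTools app: the event field layout, the sample events, counting suspicious domains as distinct domains, and reporting the age of a domain at its first qualifying event are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Defaults stated on this page; the event layout below is an assumption.
YOUNG_DAYS, SUSPICIOUS, HIGH, MEDIUM = 7, (75, 100), (90, 100), (75, 89)

# Constructed sample events: (domain, risk_score, first_seen, ingested).
SAMPLE = [
    ("new-login.example", 96, "2024-05-01T00:00:00Z", "2024-05-04T12:00:00Z"),
    ("new-login.example", 96, "2024-05-01T00:00:00Z", "2024-05-05T09:00:00Z"),
    ("old-shop.example", 80, "2019-01-01T00:00:00Z", "2024-05-04T12:00:00Z"),
    ("edge.example", 40, "2024-04-27T12:00:00Z", "2024-05-04T12:00:00Z"),  # exactly 7 days
    ("late.example", 89, "2024-04-27T11:59:59Z", "2024-05-04T12:00:00Z"),  # 7 days + 1 second
]


def _utc(ts):
    """Parse an ISO 8601 timestamp into a timezone-aware UTC datetime."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def _in(score, bounds):
    """Inclusive range check that tolerates a missing score."""
    return score is not None and bounds[0] <= score <= bounds[1]


def summarize(events, young_days=YOUNG_DAYS):
    """Return the per-panel views for a list of enriched domain events."""
    young, suspicious = {}, set()
    high, medium = Counter(), Counter()
    for domain, score, first_seen, ingested in events:
        if first_seen:  # events without first_seen cannot be aged
            age = _utc(ingested) - _utc(first_seen)
            if age <= timedelta(days=young_days):
                young.setdefault(domain, age.days)  # age in whole days
        if _in(score, SUSPICIOUS):
            suspicious.add(domain)
        if _in(score, HIGH):
            high[domain] += 1  # bar height = number of observations
        elif _in(score, MEDIUM):
            medium[domain] += 1
    return {"young": young, "suspicious_count": len(suspicious),
            "high": dict(high), "medium": dict(medium)}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

With the default ranges, a domain scoring 90-100 appears in both the Suspicious count and the High risk chart, because the Suspicious Range (75-100) spans the High and Medium ranges.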

Enrichment explorer

  • This dashboard will display the details of the enriched domain events. The following details of the domains will be displayed:
      • Domain
      • Age (in days)
      • Active Status
      • Overall Risk Score
      • Last Enriched DateTime (UTC)
      • Proximity Score
      • Threat Type
      • Threat Evidence
      • Threat Profile Malware
      • Threat Profile Phishing
      • Threat Profile Spam
      • Domain Registered From
      • Domain Registered Company
      • Domain Registered Region
      • View in Iris
  • The Domain filter will be populated based on the selected values of the Last Enriched, Age, and Risk Score filters.
  • This dashboard will be populated based on the selected values of the Last Enriched, Domain, Threat Type, Age, and Risk Score filters.
  • The Enrichment Explorer table panel will be populated with the latest 1000 domain details.
  • When the user clicks on the Domain, a redirection link will appear. Clicking the link redirects the user to Chronicle.
  • When the user clicks on View in Iris, a redirection link will appear. Clicking the link redirects the user to DomainTools.

Domain profiling

  • This dashboard will display a pie chart based on the selected Enrichment Filter Value.
  • The pie chart will be populated with the top 19 values of the Enrichment Filter value and all other values in the other pie chart.
  • The details of domains will be displayed in the drill down table panel when the user clicks on any slice of the pie chart. The first 500 domain details will be displayed. To view all domain details, a user can download the file by clicking the Download option. The following details will be displayed:
      • Domain
      • View in Iris
  • When the user clicks on View in Chronicle, a redirection link will appear. Clicking the link redirects the user to Chronicle.
  • When the user clicks on View in Iris, a redirection link will appear. Clicking the link redirects the user to DomainTools.

Monitoring dashboard

This dashboard will be populated based on the selected time range filter value, using the detections of the latest version of the rule. Details of the panels present in the dashboard are as follows:

Monitored domain detections over time

  • This panel will display counts of the monitored domain detections based on the detection timestamp.

Monitored domain detections

  • This panel will display counts of the monitored domain detections.
  • When the user clicks on the monitored domain detection count, a redirection link will appear. Clicking the link redirects the user to the monitored domain detections in Chronicle.

Monitored tags detections over time

  • This panel will display counts of the monitored tag detections based on the detection timestamp.

Tagged domain detections

  • This panel will display counts of the tagged domain detections.
  • When the user clicks on the tagged domain detection count, a redirection link will appear. Clicking the link redirects the user to the tagged domain detections in Chronicle.

Monitoring domain list management

  • This panel will display a link to the monitoring domain list. Clicking the link redirects the user to the Monitoring Domain List in Chronicle.

Monitoring tag list management

  • This panel will display a link to the monitoring tags list. Clicking the link redirects the user to the Monitoring Tags List in Chronicle.

Application diagnostics

This dashboard contains a Time Range filter and will be populated based on the selected time range filter value. Details of the panels present in the dashboard are as follows:

View logs of cloud function

  • This link will appear in the application logs panel. Clicking the link redirects the user to the cloud function logs in Google Cloud Platform (GCP).

Domain enrichment log

  • This panel will display details of the latest 1000 enriched domains. The following details will be displayed:
      • Domain
      • First Ingested (UTC)
      • Most Recent Enrichment (UTC)
      • View in Iris

Number of enriched domains based on timestamp

  • This panel will display counts of the enriched domains based on the timestamp.