Dashboards

The DomainTools App provides pre-built dashboards for threat intelligence and domain monitoring.

Iris Enrich

Threat Intelligence Dashboard

The Threat Intelligence Dashboard helps organizations gain quick situational awareness of the risk presented by domain names on their network. The dashboard also helps guide teams to effectively leverage DomainTools data in their SOC workflows, with drill-downs that expose the underlying events.

Keep the dashboard open with current information on an always-on tab or dedicated display by turning on Auto Refresh. Panels refresh individually at 5-minute intervals.

Interact with and read the dashboard panels

The Threat Profile dashboard panels provide insights based on Splunk timecharts. See Read the Splunk timecharts below for more information.

  • Unique Domains Observed: Number of unique domains observed in your network being monitored within the DomainTools cache for the selected time, compared to the previous time.
  • Dangerous Domains: Uses a combination of the suspicious Risk Score threshold being exceeded, threat profile threshold being exceeded, and domain age being younger than the set threshold to determine a domain's likelihood to be dangerous. Thresholds can be configured on the Enrichment & Alerting settings page. The displayed value indicates the number of domains observed in the selected time compared to the previous time.
  • Suspicious Domains: Number of Domains with a DomainTools risk score higher than the configured Suspicious Risk Score threshold on the Enrichment & Alerting settings page. The displayed value indicates the number of domains observed in the selected time compared to the previous time.
  • Young Domains: Number of Domains observed which were recently created, based on the number of days set on the Enrichment & Alerting settings page. The displayed value indicates the number of domains observed in the selected time compared to the previous time.
  • Events Enriched: Displays the total number of Events associated with Domains enriched by DomainTools during the selected time.

The following panels provide additional information either as a graph or paginated results:

  • Risky Observed Domains
    ◦ See the Domain Risk Score User Guide for more information on Risk Score.
    ◦ Risk Scores are classified by default as 100 (Known Malicious), 90-99 (High), 70-89 (Medium), or 69 and below (Low).
    ◦ Risk score thresholds may be configured under DT Settings → Configure Enrichment & Alerting, Risky Observed Domains Threshold Settings.
    ◦ Click a data point to view the underlying events.
    ◦ Filtering by Risk level: All shows the default view used in earlier versions of the application.
  • Newly Observed Domains
    ◦ The paginated results show each newly observed domain, its risk score, the dates and times it was first and last observed, and the number of events associated with it during the selected time.
  • Threat Map
    ◦ Maps the number of suspicious domains observed during the selected time, based on the GeoLocation of their Hosting IPs or Registrant Country (use the pull-down to select). The Risk Score threshold for a suspicious event is configurable on the Enrichment & Alerting settings page.
  • Threat Portfolio
    ◦ Plots the number of events associated with domains, broken out by Threat Profile category, over the selected time range. Click a category in the legend to display the associated events from the filtered time. See the Domain Risk Score User Guide for more information.
  • Top 10 Tags from Cache
    ◦ Lists the top Iris Investigate Tags in use and the number of domains observed with each tag in the selected time.

Interact with the dashboards

To drill down on a metric, click its panel. This shows all domain detections within the time filter applied to the dashboard. Results can also be filtered over a specified time. Hover over a panel to Open in Search, Export, go Fullscreen, or Refresh.

Interact with the threat map

Hover over a country to see the count of unique domains whose geo-located IP is associated with that country. You can reset the map to its original position and zoom level.

Read the Splunk timecharts

The indicators on the top of the Threat Intelligence Dashboard and Monitoring Dashboard use Splunk's "Single Value Visualization" feature to provide a trending context to some of the dashboard metrics. The value displayed matches the filter time (for example, "Last 15 Minutes") selected, compared to the previous filter time (for example, previous 15 minutes). These are "bins" in Splunk nomenclature. Regardless of whether the trend is up or down, a green indicator represents a desirable trend (fewer Suspicious Domains, for instance), while a red indicator represents an undesirable trend.
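As an added example (not code from the DomainTools app or its documentation), the following Python reproduces, over constructed enrichment records, the classification behind the Dangerous, Suspicious and Young Domains indicators, the default Risk Score bands of the Risky Observed Domains panel, and the current-versus-previous-bin trend colouring of the Single Value indicators. The field names, threshold values, the at-or-above comparison and the OR combination used for Dangerous Domains are assumptions, not the app's documented logic.

```python
from datetime import datetime, timedelta, timezone
# Thresholds as set on the Enrichment & Alerting settings page; these values are assumed.
THRESHOLDS = {"suspicious_risk": 70, "threat_profile": 70, "young_days": 7}
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def _ev(domain, risk, profile, age_days, minutes_ago):
    """One constructed DomainTools-enriched event; field names are assumed, not the app's schema."""
    return {"domain": domain, "risk_score": risk, "threat_profile_max": profile,
            "create_date": NOW - timedelta(days=age_days), "_time": NOW - timedelta(minutes=minutes_ago)}

# Constructed sample: current bin is 0-15 minutes ago, previous bin is 15-30 minutes ago.
EVENTS = [
    _ev("a.example", 100, 95, 400, 3), _ev("a.example", 100, 95, 400, 9),  # known malicious, seen twice
    _ev("b.example", 45, 30, 2, 5),                                        # low risk but only 2 days old
    _ev("c.example", 75, 40, 900, 12),                                     # medium risk
    _ev("d.example", 20, 10, 3000, 20), _ev("e.example", 92, 85, 1, 25),   # previous bin
    _ev("f.example", 88, 60, 500, 28),                                     # previous bin
]

def risk_level(score):
    """Default Risk Score bands used by the Risky Observed Domains panel."""
    if score == 100: return "Known Malicious"
    if score >= 90: return "High"
    return "Medium" if score >= 70 else "Low"

def is_suspicious(ev, thr=THRESHOLDS):  # assumed "at or above" the threshold
    return ev["risk_score"] >= thr["suspicious_risk"]
def is_young(ev, thr=THRESHOLDS, now=NOW):
    return (now - ev["create_date"]).days < thr["young_days"]
def is_dangerous(ev, thr=THRESHOLDS, now=NOW):  # assumed to OR the three tests: any one flags the domain
    return is_suspicious(ev, thr) or ev["threat_profile_max"] >= thr["threat_profile"] or is_young(ev, thr, now)

def bin_metrics(events, start, end, now=NOW):
    """Top-line counts for events with start <= _time < end; domain counts are deduplicated."""
    in_bin = [e for e in events if start <= e["_time"] < end]
    uniq = {e["domain"]: e for e in in_bin}.values()
    return {"unique_domains": len(uniq), "events_enriched": len(in_bin),
            "suspicious": sum(is_suspicious(e) for e in uniq),
            "young": sum(is_young(e, now=now) for e in uniq),
            "dangerous": sum(is_dangerous(e, now=now) for e in uniq)}

def trend(metric, current, previous, lower_is_better=True):
    """Single Value trend: delta versus the previous bin; green when the change is desirable."""
    delta = current - previous
    good = delta <= 0 if lower_is_better else delta >= 0
    return {"metric": metric, "value": current, "delta": delta, "color": "green" if good else "red"}

def dashboard(events=EVENTS, now=NOW, window=timedelta(minutes=15)):
    # Current bin versus previous bin per indicator; fewer threat domains is the desirable direction.
    cur, prev = bin_metrics(events, now - window, now, now), bin_metrics(events, now - 2 * window, now - window, now)
    return {m: trend(m, cur[m], prev[m], m in ("suspicious", "young", "dangerous")) for m in cur}
```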

Domain Monitoring Dashboard

The Domain Monitoring dashboard, available from the Monitoring menu, enables the monitoring of suspicious domains within Splunk. The dashboard highlights monitoring KPIs for comprehensive reporting.

Interact with and read the dashboard panels

Hover for tooltips about the panel sections and select data points to interact. Use these results for further investigation in DomainTools, or select the Alerts Generated panel to triage and analyze the results in ES Incident Review.

Keep the dashboard open with current information on an always-on tab or dedicated display by turning on Auto Refresh. Panels refresh individually at 5-minute intervals.

Details on the individual panels are below:

  • Detected Domains: Shows the number of domains detected within your network that are in the Monitored Domains List (configurable under Monitoring → Manage Monitored Domains). This includes any domains in the Allowlist. The displayed value indicates the number of domains observed in the selected time compared to the previous time.
  • Tagged Suspicious Domains: Suspicious Domains with an Iris Investigate Tag that are being monitored in the DomainTools Tags List, excluding any in the Allowlist. The Risk Score threshold for tags is configurable under DT Settings → Configure Enrichment & Alerting. The Monitored Tags and Allowlists are configurable under the Monitoring menu. Tags can be added to domains within the DomainTools Iris Investigate UI. The displayed value indicates the number of domains observed in the selected time compared to the previous time.
  • Iris Detect Domains Observed: Domains Discovered by DomainTools Iris Detect and observed in your network events. This includes any domains in the Allowlist. Add and configure Monitors in Iris Detect, then select how Splunk uses them using the Monitoring → Iris Detect page. The displayed value indicates the number of domains observed in the selected time compared to the previous time.
  • Iris Investigate Domains Observed: Domains discovered by DomainTools Iris Investigate and observed in your network events. This includes any domains in the Allowlist. The displayed value indicates the number of domains observed in the selected time compared to the previous time.
  • Total Alerts Generated: Shows the number of alerts that were triggered within the selected time, compared to the previous. Alerts are created based on rules set on the DT Settings → Configure Enrichment & Alerting page and can be triaged within Splunk Enterprise Security Incident Review or by clicking the number displayed.
  • Total Events Monitored: Shows the number of events associated with the domains detected within your network that are in the DomainTools Monitoring List (configurable under Monitoring → Manage Monitored Domains). This includes any domains in the Allowlist. The displayed value indicates the number of events observed in the selected time compared to the previous time.
  • Currently Monitoring: Total number of Domains being monitored. This panel isn't impacted by the dashboard time filter. Add domain monitors via Monitoring → Manage Monitored Domains.
  • Suspicious Domains over Time: Shows a timeline of the suspicious domains observed over the filtered time. Suspicious domains have a Risk Score at or above the suspicious Risk Threshold defined in the Enrichment & Alerting settings page.
  • Suspicious Domains Attribute Table: Lists the domains observed with a Risk Score at or above the Risk Threshold defined in the DT Settings → Configure Enrichment & Alerting page.
  • Threat Map: Plots the number of unique Detected Domains in your cache based on the GeoLocation of their Hosting IPs or Registrant Country.
  • DomainTools Alerts over Time: Shows a timeline of the unique alerts observed over the filtered time. Alerts are created based on rules set on the DT Settings → Configure Enrichment & Alerting page.
  • DomainTools Top Notable Events: Displays the activity and status of DomainTools alerting rules within your environment. These can be configured on the DT Settings → Configure Enrichment & Alerting page.

Next steps