DNS Activity historical data reporting lets you access data beyond the usual 30-day limit, so you can search up to 60 days of records. To access historical data, you create custom historical data reports by configuring queries and filters according to your organization's requirements; these customized reports return exactly the historical data you need. Note that saved historical data reports are retained for a maximum of 30 days, after which they are automatically deleted from the system.

You can save up to 10 historical data reports, which can include requests for DNS Activity report data and/or Security Activity report data. This lets you analyze past DNS and security-related activity and identify historical trends and patterns in your data.

Historical data reporting can be configured for both DNS Activity and Security Activity reports.

Topics covered on this page:  

  • Navigating to DNS Activity Historical Data Reports

  • The DNS Activity Historical Data Viewer

  • Viewing a DNS Activity Historical Data Report

  • Creating and Saving a DNS Activity Historical Data Report

Navigating to DNS Activity Historical Data Reports

To navigate to DNS Activity historical data reports, do the following:

  1. Log in to the Cloud Services Portal.

  2. From the Cloud Services Portal, click Reports > DNS Activity.

  3. On the DNS Activity page, click Historical Data Viewer (see call-out) to open the DNS Activity Historical Data Reports page. 

The DNS Activity Historical Data Viewer

The DNS Activity Historical Data Viewer displays up to 60 days of data, selected by the queries and filters applied in the historical data viewer query builder. The Historical Data Viewer includes the following components.

Image: The DNS Activity Historical Data Viewer page

Query Panel: The query panel shows the parameters of the historical data query currently being viewed, including the filters and query terms that were applied. The query panel includes the following information:

  • Viewing: The name of the report currently being viewed.
  • Date and Time: The date and time range covered by the data in the report.
  • Created by: The name of the person within the organization who ran the report.
  • Expires: The date and time at which the report expires. Reports expire 30 days after their creation date.
  • Query: The queries added to the report at the time of its creation.
  • Filters: The filters applied to the report at the time of its creation.

Requests Chart: The requests chart is a visual representation of the results of the current historical data query. The chart reflects the type of DNS activity selected by the queries and filters that were applied when the historical data report was created.

Clear Filter: To clear the results of the historical data report query currently being displayed, click Clear Filter. This clears the current report query and resets the historical data reporting page to its default state.

Load: Click Load to select a previously created historical data report query to run. A window opens listing all created reports. In the left-hand pane, select a report to run; clicking the title of a report displays its details in the adjacent right-hand pane. Created reports expire 30 days after their creation date. To run a historical data report, see the topic Viewing a DNS Activity Historical Data Report.

A total of 10 historical data report queries can be created and saved, counting both DNS Activity and Security Activity reports. For example, if you create and save six DNS Activity historical data reports, you can save a maximum of four additional reports, in any combination of DNS Activity and/or Security Activity report types. Report names that are grayed out were generated from Security Activity reports and cannot be viewed as DNS Activity historical data reports; they are available when accessing historical data for Security Activity reports.

To view a report, do the following:

  1. Select an available report from the list in the left-hand pane.
  2. Click View to open the report.

To delete a report, do the following:

  1. Select an available report from the list in the left-hand pane.
  2. Click Delete to remove the report from the list. A modal window appears asking you to confirm that you want to delete the report. Click Delete to confirm the deletion.


For information on creating queries for DNS Activity historical data reports, see the section Creating and Saving a DNS Activity Historical Data Report.

Save: Click Save to save a newly created historical data report. When saving a report, give it a unique name that reflects the type of historical data being requested.

Back to DNS Activity: Click Back to DNS Activity to exit the historical data viewer.

Background tasks and recent search information can be viewed as follows:

  • Background Tasks: Click the Background Tasks icon to open the side panel listing all running background tasks.
  • Global Search: Enter the value you want to search for in the Search text box and click the search icon to perform a global search. The Cloud Services Portal displays the records that match the keyword in the text box. The search panel also lists recent searches, including tool information, console messages, and recent domain searches.

Export: Click Export to download a .csv file containing all records in the currently queried report. A maximum of 50,000 records can be downloaded, so for larger result sets narrow the query or the time range to keep each export within that limit. The name of the .csv file reflects the name of the report being queried.

Historical Data Report Table: The Historical Data Report Table lists all historical data records seen on your network that match the query and filter criteria defined when the report was created. The table contains only the records selected by those queries and filters. The following information can be viewed in the records table:

  • DETECTED (default grid column): The date and time the DNS query was first detected.
  • DNS VIEW: The DNS view that served the query.
  • DEVICE COUNTRY: The country where the device is located.
  • DEVICE IP: The IP address of the device responsible for the hit. If you are using BloxOne Endpoint for the Infoblox Grid, BloxOne Cloud can identify the hostname of the Grid Master and displays it in this field. If the NIOS appliance is not running a supported NIOS version, or if the device is at a remote site, BloxOne Cloud records the IP address (instead of the hostname) of the appliance in this field.
  • DEVICE NAME (default grid column): The name of the device.
  • DEVICE REGION: The region within a geographic area where the device is located.
  • DHCP FINGERPRINT: The unique identifier formed from the values of DHCP option 55 or 60; it is used to identify the requesting client or device.
  • DOMAIN CATEGORY (default grid column): The category of the queried domain, based on a classification matrix that allows a more precise implementation of security policies.
  • MAC ADDRESS: The detected MAC address of the device.
  • OS VERSION: The detected OS version of the device.
  • QUERY (default grid column): The domain name that was queried.
  • QUERY TYPE (default grid column): The DNS query (record) type, for example A or AAAA.
  • RESPONSE (default grid column): The response returned by BloxOne Cloud for the hit.
  • RESPONSE COUNTRY: The country where the response originated, based on the public IP address of BloxOne Endpoint.
  • RESPONSE REGION: The region within a geographic area where the response originated, based on the public IP address of BloxOne Endpoint.
  • SOURCE (default grid column): The location of the device within the network infrastructure; for example, an on-prem appliance or an endpoint device.
  • USER: The user that triggered the hit. For remote offices, the portal displays Unknown.

Search: Enter the value that you want to search for in the Search text box. The Cloud Services Portal displays the list of records that match the keyword in the text box.

Click the triple bar icon ☰ on the Historical Data Report Table header to select which columns to display. You can show all columns by selecting all options, or select only those you want to see. Use the up/down arrows associated with each column to reorder the columns. See the call-out and the column list above for information on what each column provides.


Viewing a DNS Activity Historical Data Report

Click Load to select a previously created report. You can view the details of a selected report in the right-hand pane of the created reports window (see call-out ).

In the details panel you can view the following created report information:

  • Header: The number of historical reports created. This count includes both DNS Activity and Security Activity historical reports; a limit of 10 historical reports can be saved at any one time.
  • Left panel: A list of created historical reports.
  • Right panel: The details of the selected historical report.
    • Type: The type of historical report (DNS Activity Report or Security Activity Report).
    • Date/Time: The date/time period covered by the historical data (1 hour (the default), 24 hours, 48 hours, 7 days, 1 month, or a custom date/time period).
    • Created by: The name of the person in your organization who created the historical report.
    • Expires: The date and time at which the historical report expires.
    • Query: The data queries used when configuring the historical report. If no queries were configured, this field shows "No".
    • Filters: The data filters used when configuring the historical report. If no filters were configured, this field shows "No".

Click View on the Report panel to open the selected report. Remember that a total of 10 historical data report queries can be saved, counting both DNS Activity and Security Activity reports. Report names that are grayed out were generated from Security Activity reports and cannot be viewed as DNS Activity historical data reports; they are available when accessing historical data for Security Activity reports.

Click Delete to remove a saved DNS Activity historical data report from the list. A modal window appears asking you to confirm the deletion. Deleting a historical data report frees one of the 10 report slots so that a new historical data report can be saved.


For information on creating a query, see the section Creating and Saving a DNS Activity Historical Data Report. To view a loaded report:

  1. Once the selected historical report has finished generating, its results are shown in the Historical Data Report Table (see call-out ).
  2. You can run a search against the report results (see call-out ) or export the results as a .csv file for viewing (see call-out ).
  3. When you are finished viewing the report, click Clear Filter (see call-out ) to clear the results from the page and reset it to run another report.

Creating and Saving a DNS Activity Historical Data Report

To create and save a DNS Activity historical data report, do the following:

Image: The DNS Activity Historical Data Viewer Query Builder panel

Event Search: In the event search field, enter search query field data and/or operators. Click the search criteria icon to open the search criteria panel for information on configuring event searches (see call-out).

Search Queries: Click the search queries icon to open the search criteria panel, which shows examples of the filter and data criteria that the event search feature accepts. The search feature uses the integrated search query language; with it, you can search all records in the DNS Activity historical data with customized queries. The search query options available for generating DNS Activity historical data reports let you do the following:

  • Run a search on any of the following fields:
    • DEVICE COUNTRY
    • DEVICE IP
    • DEVICE NAME
    • DEVICE REGION
    • DHCP FINGERPRINT
    • DNS VIEW
    • DOMAIN CATEGORY
    • MAC ADDRESS
    • OS VERSION
    • QUERY
    • QUERY TYPE
    • RESPONSE
    • RESPONSE COUNTRY
    • RESPONSE REGION
    • SOURCE
    • USER
  • Use the = and NOT (!=) operators.
  • Use the AND and OR operators.
  • Use single or double quotes to enter values that contain spaces.
  • Use parentheses to group parts of the search.
  • Use the wildcard symbol (*) as the last character of a search value for a partial match.
  • Press ENTER to apply the search.
  • Press TAB to autocomplete the search with the first available suggestion.

Sample Search Queries

The following are search query examples:

  • query=domain.* AND device=52.123*
  • device=office1.domain OR device=office2.domain.com
  • dns_view=example-view AND query_type=A
  • (source='BloxOne Endpoint' OR source="example 1") AND device=52.123*

Searches on the query field match by subdomain. For example, query=domain.com matches 'domain.com', 'office.domain.com', and 'space.office.domain.com'.

Note

All search values are case sensitive. A maximum of five operators can be used when constructing a query search.

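The following evaluator is an added example, not Infoblox code and not part of the Cloud Services Portal. It implements the search syntax rules listed above (= and !=, AND and OR, parentheses, quoted values with spaces, a trailing * wildcard, case-sensitive values, subdomain matching on the query field, and the five-operator limit) so that you can prototype and sanity-check a search offline against records you already hold, for example rows from an exported .csv. The record field names (query, device, dns_view, query_type, source) follow the sample queries above; the record dictionaries with lowercase keys, the constructed sample rows, and the decision to count =, !=, AND and OR tokens toward the five-operator limit are assumptions of the example.

```python
# Added example (not Infoblox code): offline evaluator for the historical-data
# search syntax. Record keys and the operator-counting rule are assumptions.
import re

MAX_OPERATORS = 5             # page: at most five operators per search
SUBDOMAIN_FIELDS = {"query"}  # page: query=domain.com also matches office.domain.com
KEYWORDS = {"lpar": "(", "rpar": ")", "and": "AND", "or": "OR"}
# One token per match: parenthesis, AND/OR keyword, or field=value / field!=value
# (a value may be single- or double-quoted so that it can contain spaces).
TOKEN_RE = re.compile(
    r"""\s*(?:(?P<lpar>\()|(?P<rpar>\))|(?P<and>AND\b)|(?P<or>OR\b)|
        (?P<field>[A-Za-z_]\w*)\s*(?P<op>!=|=)\s*(?P<val>'[^']*'|"[^"]*"|[^\s()'"][^\s()]*))""",
    re.VERBOSE)

def tokenize(text):
    """Split a search string into ('(', ')', 'AND', 'OR', 'TERM') tokens."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"syntax error at offset {pos}: {text[pos:]!r}")
        pos = m.end()
        if m.lastgroup != "val":                 # parenthesis or AND/OR keyword
            tokens.append((KEYWORDS[m.lastgroup], None))
            continue
        value = m.group("val")
        value = value[1:-1] if value[0] in "'\"" else value   # drop the typed quotes
        tokens.append(("TERM", (m.group("field").lower(), m.group("op"), value)))
    return tokens

class _Parser:  # recursive descent: OR binds loosest, AND tighter, parentheses group
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0
    def peek(self):
        return self.tokens[self.pos][0] if self.pos < len(self.tokens) else None
    def expr(self):                              # expr := term (OR term)*
        node = self.term()
        while self.peek() == "OR":
            self.pos += 1
            node = ("OR", node, self.term())
        return node
    def term(self):                              # term := factor (AND factor)*
        node = self.factor()
        while self.peek() == "AND":
            self.pos += 1
            node = ("AND", node, self.factor())
        return node
    def factor(self):                            # factor := '(' expr ')' | TERM
        kind = self.peek()
        self.pos += 1
        if kind == "(":
            node = self.expr()
            if self.peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.pos += 1
            return node
        if kind == "TERM":
            return ("TERM", self.tokens[self.pos - 1][1])
        raise ValueError(f"unexpected {kind or 'end of query'}")

def _matches(field, actual, pattern):  # case-sensitive; trailing * and subdomain rule
    if actual is None:
        return False
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    if field in SUBDOMAIN_FIELDS:
        return actual == pattern or actual.endswith("." + pattern)
    return actual == pattern

def _evaluate(node, record):
    if node[0] == "TERM":
        field, op, pattern = node[1]
        hit = _matches(field, record.get(field), pattern)
        return hit if op == "=" else not hit
    left, right = _evaluate(node[1], record), _evaluate(node[2], record)
    return (left and right) if node[0] == "AND" else (left or right)

def compile_search(text):
    """Parse a search string, enforce the operator limit, return a predicate."""
    tokens = tokenize(text)
    if sum(1 for kind, _ in tokens if kind in ("TERM", "AND", "OR")) > MAX_OPERATORS:
        raise ValueError(f"more than {MAX_OPERATORS} operators in search")
    parser = _Parser(tokens)
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError("unexpected trailing input")
    return lambda record: _evaluate(tree, record)

def search(text, records):
    """Return the records that match the search string."""
    predicate = compile_search(text)
    return [r for r in records if predicate(r)]

# Constructed sample records shaped like rows of an exported historical report.
SAMPLE_RECORDS = [
    {"query": "office.domain.com", "query_type": "A", "device": "52.123.4.5",
     "dns_view": "example-view", "source": "BloxOne Endpoint"},
    {"query": "domain.com", "query_type": "AAAA", "device": "10.0.0.8",
     "dns_view": "example-view", "source": "example 1"},
    {"query": "evil.example.net", "query_type": "TXT", "device": "52.123.9.9",
     "dns_view": "other-view", "source": "NIOS"},
]
```

With the constructed records, search("query=domain.com AND device=52.123*", SAMPLE_RECORDS) returns only the office.domain.com row (subdomain rule plus trailing wildcard), search("query!=domain.com", SAMPLE_RECORDS) returns only evil.example.net, and search("query=Domain.com", SAMPLE_RECORDS) returns nothing because values are case sensitive. The trailing wildcard and the subdomain rule are different things: query=domain.* matches only names that begin with domain. and so matches none of the sample records, which is worth checking before you save a report that relies on it.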

Filters: The filters that can be applied to a historical data report. The following filters are supported when creating and running a DNS Activity historical data report:

  • Source: The location of the device within the network infrastructure; for example, an on-prem appliance or an endpoint device. Select or deselect the available options to choose which records to view. When filtering by source, the filter drop-down shows at most 10 sources; a search option is also available. Click Clear or click the clear icon to remove search parameters from the search field. The Source filter is populated from the last 30 days of data and does not depend on the time selection.

  • Show: A DNS Activity historical data report can be filtered by choosing an option from the Show drop-down menu. The following time values are supported:
    • 1 hour (default time period)
    • 24 hours
    • 48 hours
    • 7 days
    • 1 month
    • Custom (any time span can be selected from the past 60 days)

Image: The Date/Time calendar used to define a custom reporting period.  

Save: Click Save to save the created historical data report together with its applied filter and data criteria. In the Name field, enter a name for the new DNS Activity historical data report, then click Save & Close to save the report. You can verify the report's creation by clicking Load; the name of the new report should appear in the list of created reports in the left-hand pane of the report window. To discard the report instead, click Cancel.

 




