Creating Widgets in DNIF Using Threat Intelligence Feeds
DNIF helps you analyze log data efficiently, highlighting anomalies and generating alerts the moment an anomaly starts to pose a threat. With the help of enrichment plugins, DNIF can detect and investigate malware and provide additional information with respect to the network traffic. You can also create widgets and dashboards to better visualize your data.
Would you like to create your own custom widgets in DNIF? In this post, we’ll show you how to do just that.
Creating a custom widget
From the DNIF console, you can make a widget out of any query, like the one shown here.
_fetch * from event where $Intel=True AND $Duration=24h group count_unique $SrcIP, $SrcCN, $SrcLOC limit 10
In this particular query, we use the $Intel=True parameter to include the enriched data set in the logs. We also specify a duration to fetch data from the past 24 hours only. We choose to group entries by source IP, source country and source location. Using count_unique, we instruct DNIF to display the number of events associated with each combination of an IP address, country and location, and we limit the results to the 10 most common combinations
After DNIF fetches the data we requested, we can create a widget by opening the action menu and choosing the Create Widget option. The action menu is located in the upper right corner of the results area.
Choose the package in which you wish to create the widget. A pie chart appears, summarizing the query results.
In addition to pie charts, DNIF offers several other visualization options for widgets. These include line graphs, geographical maps, vertical and horizontal bar graphs, pyramids and so on.
Any one of the three fields chosen for grouping the results can be set as the variable summarized in the widget. If you wish, you can add a second variable to the summary. You can use this feature to break down data in pie charts, as shown in the following screenshot. Here, the source country is set as the primary variable, and the source IP is set as the secondary variable, grouping the IP addresses by their associated countries.
You can gain additional insights by adding contextual information to a widget. In this example, we add a query to fetch the destination IP and port to the contextual information for this chart.
After doing so, right-clicking a value in the widget displays the results of the query for that particular value. DNIF shows the results of the context query in a new tab on the console.
Geographical maps are another useful way to display data in DNIF widgets. Using the previous example, if we set the chart type to GeoMap and set the primary variable to
$SrcCN, the widget will highlight countries on a map from which malicious traffic has been received.
If source locations are also available, they can be displayed on another map by setting $SrcLOC as the primary variable.
You can even create a dashboard of related widgets. For example, you might create a series of widgets that are all related to a particular network, application or threat intel source. The resulting dashboard would offer a consolidated view of all the events taking place in your environment.