The Client activity screen displays information about DNS queries made from a specified source IP address. From this page, you can analyze DNS query behaviour from this source IP address by reviewing the queries that occurred before or after the selected query. You can use this information to trace the path of potentially malicious behaviour. For example, if the source IP visits a known malicious site and you see a quick succession of queries to internal domains, the behavior indicates that you might need to investigate those internal domains for signs of compromise.
Viewing DNS client activity
- In the BlueCat Edge window, click .
- Select the DNS Activity or Threat Activity tab.
- Select a suspicious query entry to display the DNS query details page.
- Click Inspect Client Activity.
In the Client activity page, you can click select other queries from the same source IP address to review the query details.
Click the time frame box to indicate the time frame to return queries from this source IP address. By default, queries that occurred within 2 minutes after the selected query are displayed. You can return queries that were logged within a time frame by specifying the number of days, hours, minutes, and seconds that have elapsed before or after the current query was logged.
Click to filter the query data based on additional parameters:- Site: Sets the data filter for the specified site name.
- Query Name: Sets the data filter for the specified query name.
- Query Type: Sets the data filter for the specified query type.
- Response Code: Sets the data filter for the specified response code (for example, NXDOMAIN, NOERROR, SERVFAIL).
- Policy Name: Sets the data filter for the specified policy name.
- Policy Action: Sets the data filter for the specified policy action (Block, Monitor, Allow, Redirect, None).
- Threat Type: Sets the data filter for the specified threat type (DGA, Tunneling).
- Threat Indicator: Sets the data filter for the specified threat indicator (Entropy, Host Size, Suspect DNS, Suspect TLD, Uncommon Rec, Unique Char, Vol Tunnel).
- Protocol: Sets the data filter for the specified query protocol (TCP, UDP).
- Namespace: Sets the data filter for the specified namespace.
- User ID: Sets the data filter for the specified User ID that initiated the DNS query. The User ID information is only returned when you enable the Add identity information to queries option on a site. For more information, refer to Creating a site.
Click to download a CSV file containing detailed query log information about the Client Activity based on the selected filters. The CSV file contains up to 10,000 queries.Note: If a query contains multiple Answer and Authority records, only the first five of each record are returned. However, the CSV file displays the total count of Answer and Authority records for each query.