DDI Central Dynamic Threat Intelligence dashboard walkthrough

The Dynamic Threat Intelligence Dashboard in DDI Central provides a centralized visual summary of real-time DNS-layer threats flagged by integrated live threat feeds from various vendors including the default feeds from ManageEngine CloudDNS. It helps admins identify infected devices, malicious domains, threat categories, and severity levels with clarity. Below is a step-by-step guide to understanding the dashboard's key elements in the order of interface layout:

1. Threat Overview and Hourly Hits

Threat Overview and Hourly Hits dashboard screenshot
  • Total Threats: The total number of DNS requests flagged as threats for the selected day.
  • Threats per Hour: Real-time rate of threat detection, indicating overall traffic risk level.
  • Summary Panel:
    • Affected Hosts: Number of unique endpoints flagged.
    • Threat Categories: Number of unique threat types detected.
  • Hourly Threat Graph: Shows threat hits over time; useful for identifying peak threat activity windows.
  • Top 5 Threats (Table + Pie Chart):
    • Shows the most frequent malicious domains or MAC addresses targeted from the internal network.

2. Affected Hosts and Threat sources

Affected Hosts and Threat Sources dashboard screenshot
  • Top 5 Affected Hosts:
    • The left panel lists internal IPs with the highest number of blocked queries to malicious domains.
    • The Pie chart on the right enables admins to visualize proportion of threats per IP.
  • Top 5 Threat Sources:
    • The left panel lists domains identified in the threat feed that internal devices attempted to contact.
    • Pie chart on the right helps visualize the distribution of source domains (e.g., phishing domains, C2 servers).

3. Threat Categories and Record type

Threat Categories and Record Type dashboard screenshot
  • Top 5 Threat Categories:
    • Breaks down threats by nature—e.g., phishing URLs, detection patterns, injection exploits.
    • Helps teams prioritize response based on type of threat.
  • Threat Record Type:
    • Displays the DNS record type most targeted in these threat queries (e.g., A records).
    • In this example, 100% of hits are on A records, indicating direct domain-to-IP resolution attempts.

4. Threat Confidence Scores

Threat Confidence Scores dashboard screenshot
  • Threat Confidence Distribution:
    • Shows count of threats by confidence scores—Critical (90-100), High (75-90), and Medium (50-75).
    • This helps admins prioritize incidents based on threat credibility.
  • Top 5 Threats by Confidence:
    • Quantifies and visualizes the most common confidence-rated threats.
    • Important for incident response teams to act first on "Critical" hits.

Additional notes:

  • Date Filter: Each dashboard includes a date selector to review historical threat behavior.
  • Pie and Bar Charts: All charts support format toggle (bar, line, pie) for flexible analysis.
  • Role of Feeds: The insights are built from curated feeds automatically updated from partnered threat intel vendors.
  • Automation: IPs contacting flagged domains are automatically isolated via ACLs to prevent further resolution.

This dashboard enables everyday network admins to not only observe threat activity in real time, but also trace back affected hosts and react to high-confidence threats with speed and precision.