Anomaly reports for deep investigation

The Reports module in DDI Central provides time-bound, filterable insight into DNS and DHCP anomalies detected by the Anomaly Detection Engine. It enables users to visualize anomaly volumes, trend patterns, and drill into per-domain or per-entity details.

Accessing the reports module

  1. Log in to DDI Central.
  2. From the left navigation pane, go to Anomaly Detection and then select Reports.
  3. You will be taken to the Reports dashboard, which includes a selectable anomaly chart and a drill-down table.

At the top-right corner of the Reports page, you will find two key controls:

1. Report type selector

This dropdown sits to the left of the date picker and offers two options:

  • DNS — Displays DNS-related anomaly reports
  • DHCP — Displays DHCP-related anomaly reports

Click the dropdown menu. Select DNS or DHCP based on the type of anomalies you want to analyze.

2. Selecting the time window

Right beside the report type selector, you will find the date range picker.

Click the date field. Choose a start and end date. Confirm the selection. DDI Central will now load the charts and tables to reflect anomaly behavior only within that selected time range.

3. Understanding the anomaly chart (Top chart panel)

After selecting the report type and date range, DDI Central generates a visual chart showing:

  • Total anomaly count
  • Sliced distribution of anomalies across dates
  • Occurrence spikes and declines
  • Chart types: a bar graph and a line graph, switchable from the icons on the chart’s top-right corner. Toggle between the two views based on your preference or the depth of investigation required.

4. DNS anomaly reports

Once DNS is selected, the lower half of the page displays a DNS anomaly table along with DNS-specific filters. On the left side of the table, you have the Filter By dropdown. Below are all the DNS filter types and their purpose:

1. Domain:

Filters DNS anomalies for a specific domain name.

2. Client IP:

Filters DNS anomalies generated by a particular client IP address.

3. Records:

Filters based on DNS record types associated with the anomaly (A, SOA, PTR, TXT, etc.).

4. Anomaly:

Filters anomalies by anomaly category (e.g., DGA, Subdomain Enumeration, RCODE, Query Type anomalies).

5. Description:

Filters on the descriptive text attached to each anomaly. Enter a character or string, and the report lists every domain entry whose Description field contains it. Useful for investigating recurring explanations such as “Domain flagged as DGA by ZIA” or “High REFUSED responses”.

6. Score:

Filters anomalies by risk score (0 to 100).

7. Cluster:

Filters anomalies that originated from a specific DDI Central cluster or site.

How DNS reports filtering works:

  • Choose any filter type.
  • Enter or select the value (e.g., domain name, client IP).
  • DDI Central auto-updates the report table based on the filter.
  • Use "Clear Filter" to reset.

DNS anomaly table interpretation

The DNS anomaly table contains the following columns:

  • Domain — Domain responsible for the anomaly
  • Client IP — Requesting client
  • Queries — Number of queries made
  • Records — Associated record types
  • Anomalies — Category of anomaly
  • Description — Explanation of why it was flagged
  • Score — Risk score
  • Time — Timestamp of anomaly event
  • Cluster — Source site/node/branch that processed the event

Domain and entity values in each row are hyperlinked; clicking one opens the detailed investigation view for that item.

5. DHCP anomaly reports

Switch the report type to DHCP to view DHCP-specific anomaly visualizations and filters.

The DHCP anomaly chart displays:

  • Hourly spikes
  • Volume changes
  • DHCP-specific anomaly occurrences (e.g., Excessive IAID, Duplicate IAID, Exhaustion patterns)

DHCP filter options

The Filter By dropdown for DHCP includes options tailored to DHCP investigation:

  1. DHCP Type: Filters anomalies by DHCP protocol version. Choose DHCPv4 or DHCPv6 to show only the anomalies detected for that service.
  2. Affected Entities: Filters by the subnets or clients (MACs/DUIDs) impacted by an anomaly event. Affected entities describe the scope of the infrastructure the anomalous activity touched; in simple terms, the part of the network inside which the anomaly is happening.
  3. Conflicting Entities: Filters by the source actors that triggered the anomaly (important for IAID or DUID conflict anomalies). Conflicting entities are the exact clients, MACs, or IPs responsible for the abnormal behavior.
  4. Anomaly: Filters by anomaly category (e.g., Excessive IAIDs, Duplicate IAID, Lease Churn, DHCP Starvation indicators).
  5. Description: Filters based on DHCP anomaly explanation text.
  6. Score: Filters events by anomaly risk score.
  7. Cluster: Filters anomalies by the node/worker responsible for processing DHCP activity.

DHCP anomaly table interpretation

DHCP report table features the following labels:

  • Affected Entities — List of affected subnets, devices, or IPs. When several entries are involved, the cell is hyperlinked; click it to see the full list. Clicking a single entry (for example, a subnet) opens a new tab showing the DHCP lease table for that subnet.
  • Conflicting Entities — Devices/IPs causing the anomaly, usually hyperlinked to a detailed view. This may include:
    • A single misbehaving MAC address or DUID
    • A set of multiple clients
    • Hosts making conflicting requests
    • Devices requesting conflicting IPs

    Affected Entities = Target objects impacted
    Conflicting Entities = Source actors causing the anomaly

  • Anomaly — Type/category of DHCP anomaly
  • Description — Event explanation (e.g., “Duplicate IAID detected across 17 DUIDs”)
  • Score — Severity or risk score as determined by the Anomaly Detection engine
  • Time — The precise timestamp when an anomaly was detected

Entries with hyperlinks here lead directly to entity-level breakdowns for deeper investigation.

Exporting Reports

Icons on the top-right of the charts allow exporting in:

  • PDF
  • CSV format

Useful for audits, SOC teams, and operational reporting.
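The DNS filter semantics, the per-date totals behind the chart panel, and the affected-versus-conflicting distinction in the DHCP table can all be reproduced offline against a CSV export, which is convenient when a SOC wants to triage or correlate outside the UI. The script below is an added example, not DDI Central code. It assumes the export header matches the table column names documented above (Domain, Client IP, Queries, Records, Anomalies, Description, Score, Time, Cluster for DNS; Affected Entities, Conflicting Entities, Anomaly, Description, Score, Time, Cluster for DHCP), that multi-valued cells are joined with a semicolon, and that Time is formatted as YYYY-MM-DD HH:MM:SS; the sample rows are constructed, not real data. Check the first line of a real export and adjust the column names and time format if they differ.

```python
"""Offline triage of DNS/DHCP anomaly report CSV exports (added example).

Assumptions (not confirmed by the product documentation): column names mirror
the report table headings, multi-valued cells use ';' as a separator, and the
Time column is 'YYYY-MM-DD HH:MM:SS'.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed sample DNS export; values are invented for illustration only.
DNS_CSV = """Domain,Client IP,Queries,Records,Anomalies,Description,Score,Time,Cluster
xk3j9q2pd.example,10.0.5.21,412,A,DGA,Domain flagged as DGA,87,2024-05-01 09:12:44,branch-a
ftp.corp.example,10.0.5.21,38,A;PTR,RCODE,High REFUSED responses,41,2024-05-01 10:03:10,branch-a
a1.sub.corp.example,10.0.7.9,980,A,Subdomain Enumeration,Burst of unique subdomains,73,2024-05-02 02:15:00,branch-b
mail.corp.example,10.0.9.4,12,TXT,Query Type,Unusual TXT volume,22,2024-05-03 14:40:31,branch-a
"""

# Constructed sample DHCP export; MAC addresses and subnets are invented.
DHCP_CSV = """Affected Entities,Conflicting Entities,Anomaly,Description,Score,Time,Cluster
10.0.5.0/24,00:11:22:33:44:55;00:11:22:33:44:56,Duplicate IAID,Duplicate IAID detected across 2 DUIDs,66,2024-05-02 08:00:00,branch-a
10.0.7.0/24,aa:bb:cc:dd:ee:01,Excessive IAIDs,Client requested 240 IAIDs in 5 min,91,2024-05-02 08:30:00,branch-b
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed export format


def load_report(csv_text):
    """Parse an export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_time(value):
    return datetime.strptime(value, TIME_FORMAT)


def split_values(cell):
    """Split a multi-valued cell such as 'A;PTR' into its parts."""
    return [v for v in cell.split(";") if v]


def filter_rows(rows, start=None, end=None, min_score=None, contains=None, equals=None):
    """Apply the same filters the Reports page offers.

    start/end   - date-range picker, inclusive calendar dates
    min_score   - Score filter: keep rows with Score >= min_score
    contains    - {column: substring}, case-insensitive (Description-style filter)
    equals      - {column: value}; a multi-valued cell matches if any part is equal
                  (Domain, Client IP, Records, Anomaly, Cluster-style filters)
    """
    kept = []
    for row in rows:
        when = parse_time(row["Time"]).date()
        if start is not None and when < start:
            continue
        if end is not None and when > end:
            continue
        if min_score is not None and int(row["Score"]) < min_score:
            continue
        if any(needle.lower() not in row[col].lower() for col, needle in (contains or {}).items()):
            continue
        if any(value not in split_values(row[col]) for col, value in (equals or {}).items()):
            continue
        kept.append(row)
    return kept


def daily_counts(rows):
    """Per-date anomaly totals, i.e. the numbers the top chart panel plots."""
    counts = Counter(parse_time(r["Time"]).date().isoformat() for r in rows)
    return dict(sorted(counts.items()))


def dhcp_actors(rows):
    """Map each conflicting entity (source actor) to the affected entities it impacted."""
    actors = {}
    for row in rows:
        for source in split_values(row["Conflicting Entities"]):
            actors.setdefault(source, set()).update(split_values(row["Affected Entities"]))
    return actors


if __name__ == "__main__":
    dns = load_report(DNS_CSV)
    print("high-score DNS anomalies:", [r["Domain"] for r in filter_rows(dns, min_score=70)])
    print("daily totals:", daily_counts(dns))
    for actor, targets in dhcp_actors(load_report(DHCP_CSV)).items():
        print(f"{actor} -> {sorted(targets)}")
```

Reading a real export is a matter of replacing the embedded strings with the file contents (for example `load_report(open("dns_anomalies.csv").read())`); the filters compose, so a time window plus a minimum score plus a Cluster value reproduces a narrowed UI view, and the `dhcp_actors` mapping inverts the table so you can see every subnet a single misbehaving MAC or DUID touched across multiple events.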

Click "Clear Filter" on the top-right of the filter bar to reset all active filters and return to the complete dataset.

Anomaly report retention in DDI Central

Anomaly report retention settings in DDI Central

DDI Central enables administrators to define how long anomaly reports are retained within the UI. You can choose retention periods ranging from 30 days to 3 years, ensuring that historical DNS and DHCP anomaly data remains available for audits, investigations, and long-term trend analysis. This gives teams the flexibility to balance storage lifecycle needs with operational visibility requirements.