Anomaly Detection- The Insights dashboard

The Insights Dashboard is the first and most critical touchpoint inside DDI Central’s Anomaly Detection module.

DNS and DHCP anomalies

The Insights dashboard serves as a real-time command center for anomaly management. It presents both high-level summaries and granular visual analytics of detected anomalies within the selected time range.

Here, it consolidates all DNS-based anomalies, DHCP-based anomalies, and DGA anomalies inferred by ZIA (Zoho’s AI engine) observed across your entire network infrastructure, across all sites and clusters, into one visual workspace, so you do not have to toggle between different tools or modules.

Note: The Anomaly Detection engine begins streaming intelligence the moment traffic enters the system—DNS queries at any resolver and DHCP activity at any DHCP server across any cluster managed by DDI Central. Each packet is evaluated in real time, allowing the Insights dashboard to surface actionable signals instantly as traffic flows through the infrastructure.

Let’s explore how to access the dashboard, interpret each panel, and understand why each insight matters.

Accessing the insights dashboard

To access the Anomaly Detection module’s Insights dashboard:

  1. Log in to your DDI Central account.
  2. From the left navigation panel, select “Anomaly Detection” and then click on the “Insights” icon at the top.
  3. The Insights dashboard opens.

You will now see the unified anomaly overview for the selected date range.

Understanding the insights dashboard layout

The dashboard is composed of several panels. Each section reveals a different dimension of network health.

Panel 1: Anomalies summary panel

Top DNS anomalies panel with bar chart and filters

This section is the entry point of the Insights dashboard. It provides a real-time snapshot of how many anomalies your DNS and DHCP ecosystem is generating and how they break down by severity.

What you see

Anomalies Panel (Left)

  • Total anomalies detected in the selected time window
  • Anomalies per hour, indicating the rate of suspicious activity
  • Breakdown across DNS and DHCP anomalies

This instantly tells you whether the network is experiencing normal, elevated, or abnormal anomaly load.

Summary Panel (Right)

Two donut charts representing:

  • DNS anomaly severity distribution
  • DHCP anomaly severity distribution

Each category is color-coded:
Green = Low, Yellow = Medium, Orange = High, Red = Critical

Hovering shows exact counts and percentage contribution.

Severity stratification in DDI Central

DDI Central assigns a severity score to every detected anomaly to help teams understand its potential impact at a glance. The same anomaly category can produce varying scores depending on the strength, frequency, and behavioral pattern of the signals observed. Likewise, a single suspicious domain may be flagged across multiple anomaly categories—such as DGA, tunneling, or suspicious TLDs—which compounds its overall risk score and elevates its severity.

To standardize interpretation, DDI Central classifies anomalies into four severity bands:

  Score range    Severity band in DDI Central
  0–20           Low
  21–50          Medium
  51–80          High
  81–100         Critical

This stratification enables admins and leaders to prioritize investigation with clear, quantifiable thresholds—ensuring that high-risk patterns stand out immediately for rapid validation and response.

What admins can infer

Hovering over these charts tells admins:

  • Whether DNS or DHCP is contributing more to the anomaly load
  • How many anomalies require urgent attention (High + Critical)
  • Whether severity is clustered (e.g., many critical DHCP anomalies) or evenly spread
  • Whether there is a sudden anomaly spike indicating a possible attack, misconfiguration, or service instability

This gives admins an immediate understanding of system stress and risk posture.

Why it matters

This section acts as the command center for anomaly triage. It gives:

  • Admins a real-time fingerprint of system behavior
  • CXOs a high-level threat posture snapshot

It ensures teams know how bad things are, where the issues lie, and what needs attention first, all before diving into deeper anomaly categories.
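The following is an added example, not code from DDI Central: it reproduces the numbers behind the Anomalies and Summary panels (total, anomalies per hour, DNS/DHCP split, severity distribution per protocol, and the High + Critical count needing urgent attention) from a constructed set of anomaly records using the severity bands documented above. The record fields and sample values are assumptions made for the example; the per-client counts at the end are the kind of ranking the client panels later in this page display.

```python
from collections import Counter
from datetime import datetime

# Severity bands as documented for DDI Central (inclusive score range -> band).
SEVERITY_BANDS = ((0, 20, "Low"), (21, 50, "Medium"), (51, 80, "High"), (81, 100, "Critical"))

def severity_band(score):
    """Map an integer anomaly score (0-100) to its DDI Central severity band."""
    for low, high, band in SEVERITY_BANDS:
        if low <= score <= high:
            return band
    raise ValueError(f"score out of range: {score}")

# Constructed sample anomaly records. The field names are an assumption for this
# example, not DDI Central's export format; client is an IP for DNS, a MAC for DHCP.
ANOMALIES = [
    {"ts": "2024-05-01T09:05:00", "proto": "DNS",  "type": "DGA",                   "client": "10.0.1.25",         "score": 92},
    {"ts": "2024-05-01T09:12:00", "proto": "DNS",  "type": "Subdomain Enumeration", "client": "10.0.1.40",         "score": 55},
    {"ts": "2024-05-01T09:20:00", "proto": "DHCP", "type": "Duplicate DUID",        "client": "aa:bb:cc:00:00:01", "score": 35},
    {"ts": "2024-05-01T09:30:00", "proto": "DNS",  "type": "DGA",                   "client": "10.0.1.25",         "score": 88},
    {"ts": "2024-05-01T09:45:00", "proto": "DHCP", "type": "Subnet Starvation",     "client": "aa:bb:cc:00:00:02", "score": 84},
    {"ts": "2024-05-01T10:10:00", "proto": "DNS",  "type": "Suspicious TLD",        "client": "10.0.1.25",         "score": 15},
    {"ts": "2024-05-01T10:40:00", "proto": "DHCP", "type": "Stale Lease",           "client": "aa:bb:cc:00:00:01", "score": 10},
    {"ts": "2024-05-01T10:55:00", "proto": "DNS",  "type": "Query Type",            "client": "10.0.1.40",         "score": 62},
]

def summarize(records, window_start, window_end, top_n=5):
    """Compute the Panel 1 figures for one time window: total count, anomalies
    per hour, DNS/DHCP split, severity distribution per protocol, the High+Critical
    count that needs urgent attention, and the clients generating the most anomalies."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    in_window = [r for r in records if start <= datetime.fromisoformat(r["ts"]) < end]
    hours = (end - start).total_seconds() / 3600
    by_proto, severity, clients = Counter(), {}, {}
    for r in in_window:
        band = severity_band(r["score"])
        by_proto[r["proto"]] += 1
        severity.setdefault(r["proto"], Counter())[band] += 1
        clients.setdefault(r["proto"], Counter())[r["client"]] += 1
    # Counter returns 0 for a band that never occurred, so no key checks are needed.
    urgent = sum(c["High"] + c["Critical"] for c in severity.values())
    return {
        "total": len(in_window),
        "per_hour": round(len(in_window) / hours, 2) if hours > 0 else 0.0,
        "by_proto": dict(by_proto),
        "severity": {p: dict(c) for p, c in severity.items()},
        "urgent": urgent,
        "top_clients": {p: c.most_common(top_n) for p, c in clients.items()},
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(ANOMALIES, "2024-05-01T09:00:00", "2024-05-01T11:00:00"))
```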

Panel 2: Anomaly trend line panel


What you see

A timeline graph displays anomaly occurrences over the chosen time window. You can:

  • Hover over data points to see daily counts and anomaly types.
  • Identify spikes that correlate with events like configuration updates, firmware changes, or network attacks.

This visual context allows administrators to correlate anomalies with operational changes, helping them proactively adjust configurations or security rules.

What admins can infer

  • If anomalies are trending upward (sign of brewing instability).
  • If a sudden spike correlates with:
      • A configuration change
      • A compromised device
      • A flood of malicious domains
      • DHCP misbehavior (duplicate DUID, starvation attempts)

Why it matters

Time-based drift reveals “silent buildup” patterns that may lead to outages or security incidents.

Panel 3: Top DNS anomalies list


What you see

The Top DNS Anomalies panel provides a consolidated view of the five most frequently occurring DNS-level irregularities detected within the selected time frame. It presents both a tabular summary (on the left) and a visual chart representation (on the right) for quick comparison and contextual understanding.

Top DNS anomalies list (left)

Each category is hyperlinked for deeper investigation, providing a deep dive into categorical anomaly reports like:

  • DGA
  • Subdomain Enumeration
  • Query Type anomalies and more

This report view lists affected clients, domains, timestamps, and contextual information about each detected event. The expanded report view helps you identify which specific endpoints, users, or DNS zones are contributing to the chosen anomaly type.

What admins can infer

  • Which threat pattern dominates (e.g., DGA → malware behavior).
  • How aggressively enumeration or scanning activity is happening.
  • Whether suspicious query types (TXT-heavy) hint at tunneling attempts.

Top DNS anomalies visualization (right)

Towards the right, a proportion-based visualization shows how DNS anomalies are distributed across your whole infrastructure. This visual weighting helps non-technical decision-makers grasp DNS risk signals instantly.

What admins can infer

  • The relative weight of each DNS anomaly.
  • Whether a single anomaly type dominates.
  • If unusual shifts occur in DNS threat patterns.

Panel 4: Top DHCP anomalies


What you see

The left end of the panel features the occurrence counts for the top five DHCP anomaly types discovered in your infrastructure by the Anomaly Detection engine:

  • Subnet Starvation
  • Duplicate DUID
  • Duplicate IAID
  • Rapid Lease, Stale Lease, etc.

The right side of the panel shows a visual distribution of DHCP anomaly types. Each anomaly type includes occurrence counts and is mirrored by a color-coded pie/area/bar/line chart, providing instant clarity on the dominant causes of DHCP instability or misconfiguration.

This view helps admins know which anomaly is stressing the DHCP infrastructure most, whether exhaustion-based attacks are underway, and whether a distributed attack is present across multiple clusters.

Each anomaly category on the left is hyperlinked, allowing admins to drill down into that specific category for deeper investigation.


The report view lists all affected and conflicting entities, including detailed descriptions, severity scores, precise timestamps, and the source cluster where the anomaly was detected for the selected time window in the Insights dashboard.

Clicking on any anomaly opens an expanded report view that reveals the exact endpoints, IPs, or subnets contributing to that anomaly type—providing the full context needed for accurate validation and troubleshooting.


What admins can infer

  • Whether DHCP pool exhaustion is imminent.
  • Which devices may be causing churn.
  • Whether rogue devices are attempting starvation attacks.

Why it matters

DHCP instability can disrupt entire network segments, causing service outages.

Panel 5: Top flagged domains list


What you see

Lists the most frequently hit suspicious domains that triggered anomaly flags, ranked by severity or query count. Each domain is hyperlinked for drill-down, giving admins full attribution back to the source for faster troubleshooting—whether it’s a single domain or a family of related domains. The drill-down view reveals the queries made to that domain, the IPs that queried it, and the exact record types involved.

The multi-view analytics on the right visualize the query volumes of suspicious domains, so admins can quickly see which risky domains dominate the DNS traffic.

For example, frequent hits to suspicious domains (e.g., dynamically generated or phishing-related) are prioritized for further investigation.

What admins can infer

  • Which domains were repeatedly queried (often malware C2 servers).
  • Whether internal devices are beaconing out.
  • If repeated traffic comes from a single compromised client.

Why it matters

Frequent hits to unknown or generated domains usually suggest infection.

Panel 6: Top 5 Domains ranked by severity


What you see

The Top 5 Domains Ranked by Severity section helps admins immediately identify the highest-risk destinations observed within DNS traffic. These domains often correlate with malware callbacks, DGA activity, data exfiltration attempts, or reconnaissance.

The panel consists of two parts:

The list on the left features the top five domains with the highest anomaly severity score. Each row includes:

  • Domain name (hyperlinked to drill deeper)
  • Severity Score (e.g., 100 = Critical)
  • Severity Category (Low / Medium / High / Critical)

Multi-view analytics charts on the right plot:

  • Each of the top five domains
  • Their corresponding severity score
  • A visual representation of how severe those domains are

This gives you both a tabular and visual confirmation of the threat landscape.

Each domain name in the left list is hyperlinked. Clicking it redirects the admin to the DNS Reports view, fully filtered for that specific domain, giving a deep drill-down with complete attribution for the anomalous domain.

Here, the admin can see:

  • Total queries
  • Query pattern by hour or minute
  • Client IPs that queried the domain
  • Number of affected hosts
  • DNS record types involved (A, AAAA, SOA, TXT, etc.)
  • Timestamp patterns
  • Contextual anomaly descriptions
  • Risk explanation pop-ups

This drill-down provides complete attribution for the domain.

Inside the domain-specific report:

  • A list of IPs that queried the domain is shown
  • Their query counts
  • Query timing
  • The record queried
  • The source DNS server

This lets admins trace which endpoints or workloads are compromised, misconfigured, or probing external malicious resources. This answers “How far has the compromise spread?”

Within the detailed DNS analytics, admins can assess:

  • Query frequency spikes (beaconing behavior)
  • Consistent retry patterns
  • Whether queries originate from one device or many
  • Whether the domain’s structure resembles DGA activity
  • Whether the hostname appears autogenerated

This step reveals the nature of the threat, not just its presence.
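As an added example, not part of this page or of DDI Central's own logic, the check below runs the assessments listed above over a constructed DNS query log: per domain it reports query count, whether one device or many queried it, the record types involved, a rough autogenerated-hostname heuristic, and which clients show beaconing (queries at a regular interval). The log format, the domain names, and the beaconing and hostname heuristics are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DNS query log (timestamp client qname qtype). The line format is
# an assumption made for this example, not DDI Central's report export.
QUERY_LOG = """\
2024-05-01T09:00:00 10.0.1.25 x7k2q9p1m4.example-dga.test A
2024-05-01T09:00:00 10.0.1.60 cdn.example-cloud.test A
2024-05-01T09:05:01 10.0.1.25 x7k2q9p1m4.example-dga.test A
2024-05-01T09:06:30 10.0.1.61 cdn.example-cloud.test A
2024-05-01T09:09:59 10.0.1.25 x7k2q9p1m4.example-dga.test A
2024-05-01T09:11:12 10.0.1.60 cdn.example-cloud.test AAAA
2024-05-01T09:15:00 10.0.1.25 x7k2q9p1m4.example-dga.test TXT
2024-05-01T09:20:00 10.0.1.25 x7k2q9p1m4.example-dga.test A
2024-05-01T09:37:45 10.0.1.62 cdn.example-cloud.test A
"""

def parse_log(text):
    # Each line: timestamp client qname qtype -> (datetime, client, qname, qtype)
    return [(datetime.fromisoformat(t), c, q, r) for t, c, q, r in (l.split() for l in text.splitlines())]

def looks_autogenerated(qname):
    """Rough heuristic (an assumption of this example, not DDI Central's DGA
    model): a long leftmost label mixing digits and letters with few vowels."""
    label = qname.split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 8 and digits >= 2 and vowels / len(label) < 0.25

def domain_profile(rows, min_queries=4, max_cv=0.2):
    """Per domain: query count, distinct clients, record-type mix, a DGA-style name
    check, and which clients beacon to it. A client beacons when it sent at least
    min_queries and its inter-query gaps are regular (stdev / mean <= max_cv)."""
    per_domain = defaultdict(lambda: {"qtypes": defaultdict(int), "times": defaultdict(list)})
    for ts, client, qname, qtype in rows:
        per_domain[qname]["qtypes"][qtype] += 1
        per_domain[qname]["times"][client].append(ts)
    report = {}
    for qname, d in per_domain.items():
        beaconing = {}
        for client, times in d["times"].items():
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if len(times) >= min_queries and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
                beaconing[client] = round(mean(gaps))  # regular interval in seconds
        report[qname] = {
            "queries": sum(d["qtypes"].values()),
            "distinct_clients": len(d["times"]),
            "qtypes": dict(d["qtypes"]),
            "autogenerated": looks_autogenerated(qname),
            "beaconing": beaconing,
        }
    return report
```

In the constructed log, one host queries the DGA-looking name every five minutes (beaconing, single device, A plus TXT records), while the CDN name is spread across three clients with no regular cadence.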

Why it matters

  • Quickly highlights which domains demand immediate investigation.
  • Provides instant drill-down for exact forensic context.
  • Gives a clear, executive-level picture of threat exposure.
  • Severity ranking simplifies prioritization and risk alignment.

Panel 7: Top 5 Queried domains


This section highlights the domains generating the highest query volume in your DNS infrastructure. High query volume isn’t always malicious — but when paired with anomaly signals, it becomes a powerful early indicator of misconfiguration, beaconing, enumeration, or exfiltration.

What you see

The Query Volume Table (left) lists the top five domains by total DNS queries observed during the selected timeframe. The number of entries can be changed to the desired level.

Each entry shows:

  • Domain name (hyperlinked for drill-down)
  • Total query count (1.9K, 1.5K, etc.)

The panel features a variety of visualizations on the right showing:

  • The proportion of total DNS traffic each domain contributes
  • How heavily one domain dominates the ecosystem (e.g., 83.1%)

This shows whether traffic is balanced or heavily skewed toward specific hosts.

What admins can infer

  • Which domains attract the most traffic from internal clients
  • Whether a single domain is generating an abnormal spike
  • If query patterns match known malicious behaviors (e.g., repeated queries → beaconing)
  • Whether traffic appears legitimate (e.g., cloudfunctions.net) or suspicious (e.g., random TLDs)

Admins can quickly distinguish routine operational traffic from anomalies needing deeper inspection.

Why it matters

This panel helps both admins and CXOs answer:

  • "Which domains consume the most DNS activity?"
  • "Is this normal behavior or an early breach signal?"
  • "Are any internal systems over-querying suspicious domains?"
  • "Do we need to quarantine an endpoint or domain?"

It turns raw query volume into operational intelligence that directly impacts network stability and security posture.

Panel 8: Top suspicious clients in DNS


What you see

The left panel (a) features a ranked list of client IPs that generated the highest number of DNS anomalies—DGA hits, suspicious TLD lookups, enumeration patterns, tunneling-like record activity, or rejected query behavior. The same is visually charted in the right panel (b).

Each client IP in the table (a) is hyperlinked. Clicking one automatically filters the entire DNS Reports module to show only traffic originating from that specific endpoint. This opens a fully scoped, client-centric view of:

  • All suspicious domains or family of domains queried by that single host
  • The anomaly tags attached (DGA, Enumeration, Windows-Specific, Tunneling, etc.)
  • Time of occurrence and frequency
  • All DNS record types served
  • Domain risk descriptors
  • Conflicting domains associated with the same query family
  • Query volumes, hourly patterns, QPS values
  • Total queries per domain
  • Total queries per record type
  • Total queries per IP (for multi-IP behavior or pivoting subnets)

This drill-down isolates the entire DNS footprint of that endpoint in seconds.

Why it matters

This drill-down is where the admin transitions from surface-level anomaly detection to actionable forensic intelligence:

  • Pinpoints the root cause quickly.
  • Helps validate quarantines with proof.
  • Helps identify false positives confidently.
  • Enables targeted isolation instead of network-wide disruption.
  • Creates a clear investigation trail.

Panel 9: Top suspicious clients in DHCP


What you see

A ranked list of clients, identified by MAC addresses or DUIDs, that exhibit frequent DHCP anomalies.

What admins can infer

  • Misbehaving devices causing lease churn or duplication.
  • Rogue DHCP entities triggering artificial starvation.
  • Clients with repeated boot retries or faulty DHCP stacks.
  • Zeroes in on endpoint-level behavior within seconds.
  • Correlates MAC/DUID identity with lease churn, duplicate identifiers, or rapid solicitations.
  • Offers cluster-level visibility, revealing whether the issue is isolated or widespread.
  • Converts raw DHCP anomalies into clear, actionable intelligence.

Why it matters

Preventing DHCP pool exhaustion attacks and address allocation instability is critical. Even a single misbehaving or malicious client can destabilize an entire subnet or site.

Each client represented by the respective MAC/DUID is hyperlinked for deeper investigation, providing a deep dive into DHCP reports filtered by the endpoint.

How the Anomaly Insights dashboard helps validate auto-quarantine

DDI Central automatically:

  • Quarantines suspicious domains → no internal device can resolve them
  • Quarantines hosts → even if they reconnect on new IPs, they remain blocked

Admins can use the dashboard to:

  • Validate whether each quarantine is justified
  • Identify false positives
  • Begin deep investigation by deep-diving into the relevant analytics in the Reports module
  • Trace anomalies to their root causes (host, domain, subnet, record type)

Why do you need DDI Central's Anomaly Insights dashboard

The Insights dashboard doesn’t just display data — it transforms it into actionable intelligence.

✔ For Admins

  • Pinpoints where to start the investigation
  • Prioritizes root-cause analysis
  • Correlates DNS & DHCP anomalies for multi-layer visibility
  • Helps confirm which devices need remediation

✔ For CXOs

  • Offers a real-time cybersecurity posture snapshot
  • Simplifies communication of risk status
  • Demonstrates compliance readiness
  • Shows how DDI Central provides defense-in-depth security

Best practice tips

  • Review anomalies daily to detect new or recurring patterns.
  • Investigate DGA anomalies first, as they often signal active malware communication.
  • Use the export option (top-right of the Insights dashboard) to save anomaly data for auditing or correlation with firewall/endpoint logs.
  • Compare visualization types regularly — Pie for distribution, Bar for scale, and Table for operational review.
  • You can define a custom time window at the top of the Insights dashboard to narrow your analysis to a specific period.
  • Once the data is loaded, click the “Export as PDF” icon at the top-right corner to save or share the anomaly report.

This export feature is ideal for:

  • Weekly or monthly audit documentation.
  • Compliance reporting.
  • Sharing with network security or SOC teams.