Using Zeppelin to Analyze Data

Zeppelin enables you to analyze the enriched telemetry information Metron archives in HDFS.

The following example guides you through using Zeppelin to perform different types of analyses on the Bro telemetry information to discover a potential issue.

  1. Bro produces data about a number of different network protocols. View which types of protocols exist in the data.

    Figure 4.2. Bro Protocols

  2. View when Bro telemetry information was received.

    You can check for any odd gaps and fluctuating periods of high and low activity.

    If there is not enough data for this visualization to be interesting, let Metron consume more data before continuing.

    Figure 4.3. Bro Telemetry Received

  3. List the most active Bro hosts.

    Figure 4.4. Most Active Hosts

  4. List any DNS servers running on non-standard ports.

    Figure 4.5. DNS Servers

  5. List any mime types that could be concerning.

    Figure 4.6. Mime Types

  6. Explode the HTTP records.

    Each HTTP record can contain multiple mime types. These need to be 'exploded' to work with them properly.

    Figure 4.7. Exploded HTTP Records

  7. Determine where application/x-dosexec originated.

    Figure 4.8. Suspicious x-dosexec

  8. Take a look at the requests for application/x-dosexec.

    Figure 4.9. x-dosexec Requests

  9. Determine when the interactions with the suspicious host are occurring.

    Figure 4.10. When Interactions Occur
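The analyses above, worked as an added example that is not part of the original documentation: a plain-Python version of the same queries (protocol counts, hourly volume, most active hosts, DNS on non-standard ports, exploded mime types, and the origin of application/x-dosexec) over a few constructed Bro records, so it runs outside Zeppelin and without Spark. The record field names (protocol, ip_src_addr, ip_dst_addr, ip_dst_port, timestamp, host, uri, resp_mime_types) are assumptions, not taken from the page.

```python
import json
from collections import Counter

# Constructed sample of Metron-enriched Bro records as archived in HDFS (one JSON
# object per line). Field names are assumed, not taken from the original page.
SAMPLE_LINES = "\n".join(json.dumps(r) for r in [
    {"protocol": "dns", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "10.0.0.2",
     "ip_dst_port": 53, "timestamp": 1500000000000},
    {"protocol": "dns", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "192.0.2.9",
     "ip_dst_port": 5353, "timestamp": 1500000060000},
    {"protocol": "http", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "192.0.2.9",
     "ip_dst_port": 80, "timestamp": 1500000120000, "host": "dl.example.test",
     "uri": "/update.exe", "resp_mime_types": ["application/x-dosexec"]},
    {"protocol": "http", "ip_src_addr": "10.0.0.7", "ip_dst_addr": "198.51.100.4",
     "ip_dst_port": 80, "timestamp": 1500003720000, "host": "www.example.test",
     "uri": "/index.html", "resp_mime_types": ["text/html", "image/png"]},
    {"protocol": "conn", "ip_src_addr": "10.0.0.7", "ip_dst_addr": "10.0.0.2",
     "ip_dst_port": 22, "timestamp": 1500003780000},
])

def load_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def protocol_counts(records):
    """Step 1: how many records each Bro protocol log contributed."""
    return Counter(r["protocol"] for r in records)

def hourly_volume(records):
    """Steps 2 and 9: records per UTC hour bucket (epoch ms // 1 h); gaps are missing keys."""
    return dict(Counter(r["timestamp"] // 3_600_000 for r in records))

def most_active_hosts(records, n=5):
    """Step 3: source addresses generating the most records."""
    return Counter(r["ip_src_addr"] for r in records).most_common(n)

def nonstandard_dns(records):
    """Step 4: DNS traffic to a port other than 53 (a possible rogue resolver)."""
    return sorted({(r["ip_dst_addr"], r["ip_dst_port"])
                   for r in records if r["protocol"] == "dns" and r["ip_dst_port"] != 53})

def explode_mime(records):
    """Step 6: one (record, mime type) pair per listed mime type."""
    return [(r, m) for r in records for m in r.get("resp_mime_types", [])]

def mime_origins(records, mime="application/x-dosexec"):
    """Steps 7 and 8: which server, host name and request delivered the given mime type."""
    return [(r["ip_dst_addr"], r.get("host"), r.get("uri"))
            for r, m in explode_mime(records) if m == mime]
```

In Zeppelin the same questions are asked with Spark SQL over the HDFS path; the functions here map one-to-one onto those queries.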