I leverage many sources to get ideas around spotting anomalies in an environment. One of the sources I leverage comes from the following Twitter account: Jack Crook (@jackcr). @Jackcr provides many ideas around methods and approaches to separate known from unknown or common from rare.
This post inspired me to see if something similar could be implemented using RSA NetWitness Platform.
We limit the returned results to the top 100 and set a maximum threshold of 1 on count(distinct(client)), so that only domains accessed by a single unique client over the reporting time frame are returned.
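The same "one distinct client per domain" rule, as an added example that is not the NetWitness report from this post: constructed proxy records with `client` and `domain` fields (in NetWitness these would map to your source-IP and hostname meta keys; the names here are assumptions), loaded into an in-memory SQLite table and filtered with the equivalent GROUP BY / HAVING / LIMIT query.

```python
import sqlite3

# Constructed sample records (not real traffic): (client, domain).
# Three clients reach the vendor update host, two reach the CDN,
# and two hosts are each touched by exactly one client.
SAMPLE_RECORDS = [
    ("10.0.0.11", "update.example-vendor.com"),
    ("10.0.0.12", "update.example-vendor.com"),
    ("10.0.0.13", "update.example-vendor.com"),
    ("10.0.0.11", "cdn.example-news.net"),
    ("10.0.0.14", "cdn.example-news.net"),
    ("10.0.0.15", "xk3j9q.example-odd.io"),   # one client only
    ("10.0.0.15", "xk3j9q.example-odd.io"),   # same client again: still 1 distinct client
    ("10.0.0.16", "beacon.example-rare.org"), # one client only
]


def rare_domains(records, max_clients=1, top=100):
    """Return (domain, distinct_clients, sessions) for domains reached by
    at most `max_clients` distinct clients, most-visited first, capped at `top`.

    The HAVING clause is the count(distinct(client)) threshold from the post;
    LIMIT is the top-N cap. Hypothetical helper for illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (client TEXT, domain TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", records)
    rows = conn.execute(
        """
        SELECT domain,
               COUNT(DISTINCT client) AS distinct_clients,
               COUNT(*)               AS sessions
        FROM sessions
        GROUP BY domain
        HAVING COUNT(DISTINCT client) <= ?
        ORDER BY sessions DESC, domain
        LIMIT ?
        """,
        (max_clients, top),
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for domain, clients, sessions in rare_domains(SAMPLE_RECORDS):
        print(f"{domain:30} clients={clients} sessions={sessions}")
```

Note the distinction the query relies on: a domain that one client hits repeatedly still counts as one distinct client, so repeated beaconing from a single host surfaces rather than being diluted by session volume. Expect a long benign tail in this list (personal sites, per-user CDN hostnames), so treat it as a hunting lead to enrich with first-seen time and domain age, not as an alert on its own.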
Results look like this (lab results)
The report is included at the GitHub link below. As always, I'm curious to see how this tests on a larger network, to check validity and whether tweaks are necessary. If you have any feedback, please let me know.