Compare Device Connections in Live Activity Maps

A network diagram doesn't have to be a stale representation of device connections. With an activity map in the ExtraHop system, you can create captivating, dynamic displays of the device connections across your network. But the eye-catching features of an activity map can also be a powerful tool. With vibrant colors as your guide, you can compare device connections within a map to learn when connections appear.

Comparing data from two different time intervals in the same map or chart is referred to as a delta comparison in the ExtraHop system. In this post, I'll show you how to apply a delta comparison in an activity map to monitor changes in connections and protocol activity.

Track New Connections

Let's continue from my previous blog post, in which I showed you how to apply group filters to an activity map to find a rogue DNS server on a network. Rogue devices are typically suspicious. When this type of device is discovered, you want to quickly understand who connected to it, what type of transactions were happening, and how the activity changed over time.

Add a Delta Comparison to See What Changed

We can see in the map below that a device was sending DNS traffic to the rogue DNS server over the last 30 minutes. But who else has connected, and when?

Click the time interval in the upper right corner of the page and then click Compare. After selecting two time intervals, you immediately see some of the device connections illuminated in a different color.

Activity Map

Previous device connections or activity that only appeared in the earlier time interval are highlighted in a shade of red. In this case, we learned that an accounting device was also connected to this rogue server yesterday. That's alarming!

You can also make changes to the map while looking at the delta between the two time intervals. If we want to see more devices connected to the rogue server, we can add a new step.

More Devices Connecting

New device connections or activity that appeared only in the more recent time interval are highlighted in a shade of green. Device connections that did not change between the two time intervals are blue.
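The red/green/blue classification is a set difference over the connections observed in each interval. As an added illustration (not ExtraHop's code or data), the script below applies that classification to a constructed list of connection records and then reports which devices are new to a given server, the question the post asks about the rogue DNS server:

```python
# Constructed sample records: (minutes since an arbitrary epoch, client, server, protocol).
# Device names and timestamps are invented for this example.
RECORDS = [
    (10,   "web-01",  "rogue-dns", "DNS"),   # earlier interval only
    (15,   "acct-12", "rogue-dns", "DNS"),   # earlier interval only (the accounting device)
    (1450, "web-01",  "rogue-dns", "DNS"),   # seen in both intervals
    (1460, "db-03",   "rogue-dns", "DNS"),   # later interval only
    (1470, "db-03",   "rogue-dns", "HTTP"),  # later interval only, different protocol
]


def edges_in(records, start, end):
    """Return the set of (client, server, protocol) edges with start <= ts < end."""
    return {(c, s, p) for ts, c, s, p in records if start <= ts < end}


def delta_compare(records, earlier, later):
    """Classify edges the way the map colors them.

    red   = only in the earlier interval (connection disappeared)
    green = only in the later interval  (connection is new)
    blue  = present in both intervals   (unchanged)
    """
    earlier_edges = edges_in(records, *earlier)
    later_edges = edges_in(records, *later)
    return {
        "red": sorted(earlier_edges - later_edges),
        "green": sorted(later_edges - earlier_edges),
        "blue": sorted(earlier_edges & later_edges),
    }


def new_clients_of(delta, server):
    """Devices that connected to `server` in the later interval but not the earlier one."""
    later_clients = {c for c, s, _ in delta["green"] + delta["blue"] if s == server}
    earlier_clients = {c for c, s, _ in delta["red"] + delta["blue"] if s == server}
    return sorted(later_clients - earlier_clients)


if __name__ == "__main__":
    # Yesterday's 30 minutes versus the same window today.
    delta = delta_compare(RECORDS, earlier=(0, 30), later=(1440, 1480))
    for color, edges in delta.items():
        print(color, edges)
    print("new clients of rogue-dns:", new_clients_of(delta, "rogue-dns"))
```

Filtering the records to one server before the comparison, as the previous post's group filter does in the map, keeps the delta focused on the device under investigation.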

Now try a delta comparison with your map. If you have questions or ideas about activity maps, please share those with our community in the comment box below.

To learn more about activity maps, see the following topics:

