Closed fabriziosalmi closed 9 months ago
Got it. If you only have FQDNs (fully qualified domain names) and not IP addresses, then the approach becomes slightly simpler. Still, the underlying concept remains mostly the same.
Here's a revised approach:
Choosing a Time Series Database:
Storing Data:
Analysis:
-- one row per (fqdn, time) observation, i.e. one row per domain per blacklist file ingested
SELECT fqdn, COUNT(*)
FROM blacklist
WHERE time BETWEEN now() - interval '1 month' AND now()  -- PostgreSQL/TimescaleDB interval syntax
GROUP BY fqdn
HAVING COUNT(*) > 1;
This query would give you domains blacklisted more than once in the past month.
Using ELK Stack:
Actionable Insights:
Maintenance:
Given you only have FQDNs, you can opt for either the TSDB approach or the ELK stack. Both have their merits:
TSDB is great if you're focusing on time-based patterns. It's optimized for storing and querying time series data.
ELK Stack offers powerful search and visualization capabilities. If you anticipate needing more advanced data analysis, visualizations, or the ability to integrate with other logs or data sources, ELK might be a better fit.
Both approaches allow you to identify domains that frequently appear on the blacklist, which seems to be a primary concern.
Using a time series database (TSDB) to track domain blacklisting over time can be a good idea. TSDBs are optimized for handling time-stamped data. However, the use case you mentioned might be better handled by a combination of TSDB and a relational database or a specialized solution like an ELK (Elasticsearch, Logstash, Kibana) stack.
Here's a general approach:
Choosing a Time Series Database:
Storing Data:
Analysis:
Using ELK Stack:
For your use case, every time you receive a new blacklist file:
Actionable Insights:
Maintenance:
In conclusion, while a TSDB is an excellent tool for tracking time-series data, the nature of your use case suggests that you might benefit more from a combination of databases or using tools like the ELK stack. This way, you'll have both the time-based tracking and the relational analysis capabilities you're seeking.
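The procedure both comments above describe (store each incoming blacklist file with its snapshot time, then group by domain over a time window to find the ones that keep reappearing), as a runnable added example. This is not code from the issue or from the project: it uses SQLite in place of the TSDB/PostgreSQL the comments mention, the sample snapshots are constructed, a fixed 30-day window stands in for SQL's interval '1 month', and the function names (parse_blacklist, ingest_snapshot, recurring_domains, run_demo) are assumptions.

```python
"""Added example (not from the issue or the project): track FQDN blacklist
snapshots over time and report domains blacklisted more than once recently."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample snapshots (not real feed data): (UTC timestamp of the
# blacklist file, file contents). They include a comment line, a blank line,
# a mixed-case FQDN with a trailing dot, a name repeated inside one file,
# and one snapshot that falls outside the query window.
SNAPSHOTS = [
    ("2024-03-01T00:00:00Z", "old.example\nold.example\n"),
    ("2024-05-01T00:00:00Z", "# daily feed\nbad.example\nmalware.example.net\n\n"),
    ("2024-05-08T00:00:00Z", "bad.example\nphish.example.org\n"),
    ("2024-05-15T00:00:00Z", "bad.example\nMALWARE.EXAMPLE.NET.  # seen again\n"),
]


def parse_blacklist(text):
    """Return the set of normalised FQDNs in one blacklist file.

    Comments (# ...) and blank lines are dropped; names are lower-cased and a
    trailing dot removed, so 'BAD.Example.' and 'bad.example' are one domain.
    A set is returned so a name repeated inside one file counts once.
    """
    fqdns = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name:
            fqdns.add(name)
    return fqdns


def new_db():
    """In-memory SQLite DB with one row per (fqdn, snapshot time) observation."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS blacklist ("
        " fqdn TEXT NOT NULL,"
        " observed_at TEXT NOT NULL,"  # ISO 8601 UTC, so strings sort by time
        " PRIMARY KEY (fqdn, observed_at))"
    )
    return conn


def ingest_snapshot(conn, observed_at, text):
    """Store one blacklist file; returns the number of new rows inserted.

    INSERT OR IGNORE plus the primary key makes re-ingesting the same file a
    no-op, so a re-delivered feed does not inflate the counts.
    """
    rows = [(fqdn, observed_at) for fqdn in sorted(parse_blacklist(text))]
    if not rows:
        return 0
    with conn:
        cur = conn.executemany(
            "INSERT OR IGNORE INTO blacklist (fqdn, observed_at) VALUES (?, ?)", rows
        )
    return cur.rowcount


def recurring_domains(conn, now, window_days=30, min_hits=2):
    """Domains present in at least `min_hits` snapshots inside the window.

    Same GROUP BY / HAVING shape as the query in the issue; the window is a
    fixed number of days here (an assumption) rather than interval '1 month'.
    Values are bound as parameters, never formatted into the SQL text.
    """
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    start = (now - timedelta(days=window_days)).strftime(fmt)
    end = now.strftime(fmt)
    rows = conn.execute(
        "SELECT fqdn, COUNT(*) AS hits FROM blacklist"
        " WHERE observed_at BETWEEN ? AND ?"
        " GROUP BY fqdn HAVING COUNT(*) >= ?"
        " ORDER BY hits DESC, fqdn",
        (start, end, min_hits),
    ).fetchall()
    return [(fqdn, hits) for fqdn, hits in rows]


def run_demo(now=datetime(2024, 5, 20, tzinfo=timezone.utc)):
    """Ingest the constructed snapshots and return the recurring domains."""
    conn = new_db()
    for observed_at, text in SNAPSHOTS:
        ingest_snapshot(conn, observed_at, text)
    return recurring_domains(conn, now)


if __name__ == "__main__":
    for fqdn, hits in run_demo():
        print(f"{fqdn}\t{hits}")
```

Two details matter in practice beyond the bare query: normalising names before storage (otherwise a trailing dot or a case change makes the same domain look like two), and making ingestion idempotent, since a feed delivered twice would otherwise double every count in the window.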