Sorting out generic website fw rules

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Sorting out generic website fw rules

L1 Bithead

Hey everyone,

We are trying to sort out generic firewall alerts that we get as the incidents.

Currently, when there's site blocked that someone browsed through, we get the incident to check for it.

I would like to implement some correlation rule that will only trigger alert for suspicious ad/website when there are more than 1 connection, especially established one, and not to give alert if there's one blocked connection.
So if someone for example has one blocked connection to the site that is suspicious, but other one is established, that would also be alert and incident to check.

Any ideas on how to complete that?

BR,

Dragomir.

2 REPLIES 2

L4 Transporter

Hi @DragomirGaliaIT,

 

Thanks for reaching out through LIVEcommunity!

 

I'm going to do some research on this and get back to you.

L1 Bithead

Any update @anlynch . I've did something similar in this rule, don't know if this can help you out:

/*
Query finds the last connection of a suspicious domain and then displays all connections 5 minutes prior and 10 seconds after the connection to a suspicious domain.
Fields AGENT and DOMAIN are mandatory.
You may change variables minutes_before_connection and seconds_after_connection to include more or less results around the connection.

Last connection time used to filter for results is based both on established connections and dns queries.
*/


dataset = xdr_data
| filter agent_hostname = "AGENT" // <-- Agent that you are investigating
| alter suspicious_domain = "DOMAIN" // <-- Domain that caused the alert
| alter minutes_before_connection = 5
| alter seconds_after_connection = 10
| filter action_external_hostname != null or dns_query_name != null
| join type = inner (
dataset = xdr_data
| alter domain = if(action_external_hostname != null, action_external_hostname, dns_query_name != null, dns_query_name, null)
| filter domain != null and agent_hostname != null
| comp max(_time) as last_visit by domain, agent_hostname
) as X _time <= X.last_visit and X.domain = suspicious_domain and X.agent_hostname = agent_hostname
| filter
timestamp_diff(last_visit, _time, "MINUTE") <= minutes_before_connection and
timestamp_diff(_time, last_visit, "SECOND") <= seconds_after_connection
| fields
_time,
actor_process_image_name,
actor_process_image_command_line,
action_external_hostname as established_connection,
dns_query_name as dns_query,
_product
| sort desc _time

As description shows, it is used to tell us number of connection before and after generic alert and incident. If this can help you, it's great.

  • 804 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!