05-22-2023 12:30 AM
Hey everyone,
We are trying to sort out generic firewall alerts that we get as the incidents.
Currently, when there's a site blocked that someone browsed to, we get an incident to check for it.
I would like to implement some correlation rule that will only trigger an alert for a suspicious ad/website when there is more than one connection, especially an established one, and not give an alert if there's only one blocked connection.
So if someone, for example, has one blocked connection to a site that is suspicious, but another one is established, that would also be an alert and an incident to check.
Any ideas on how to complete that?
BR,
Dragomir.
05-23-2023 06:33 PM
Hi @DragomirGaliaIT,
Thanks for reaching out through LIVEcommunity!
I'm going to do some research on this and get back to you.
05-26-2023 01:45 AM
Any update @anlynch? I've done something similar in this rule; don't know if this can help you out:
/*
Query finds the last connection of a suspicious domain and then displays all connections 5 minutes prior and 10 seconds after the connection to a suspicious domain.
Fields AGENT and DOMAIN are mandatory.
You may change variables minutes_before_connection and seconds_after_connection to include more or less results around the connection.
Last connection time used to filter for results is based both on established connections and dns queries.
*/
dataset = xdr_data
| filter agent_hostname = "AGENT" // <-- Agent that you are investigating
| alter suspicious_domain = "DOMAIN" // <-- Domain that caused the alert
| alter minutes_before_connection = 5
| alter seconds_after_connection = 10
| filter action_external_hostname != null or dns_query_name != null // keep only events that name a destination (connection or DNS query)
| join type = inner ( // subquery: last time each agent touched each domain
dataset = xdr_data
| alter domain = if(action_external_hostname != null, action_external_hostname, dns_query_name != null, dns_query_name, null)
| filter domain != null and agent_hostname != null
| comp max(_time) as last_visit by domain, agent_hostname
) as X _time <= X.last_visit and X.domain = suspicious_domain and X.agent_hostname = agent_hostname // match on the suspicious domain for this agent only
| filter // keep events in the window around the last visit
timestamp_diff(last_visit, _time, "MINUTE") <= minutes_before_connection and
timestamp_diff(_time, last_visit, "SECOND") <= seconds_after_connection
| fields
_time,
actor_process_image_name,
actor_process_image_command_line,
action_external_hostname as established_connection,
dns_query_name as dns_query,
_product
| sort desc _time
As the description shows, it is used to tell us the number of connections before and after a generic alert and incident. If this can help you, it's great.
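One way to prototype the correlation rule Dragomir describes (suppress a lone blocked connection, alert on several connections within a short window or on any established one), as an added Python example that is not part of this thread or of Cortex XDR; the events, field names and window values are constructed for illustration and do not map to a real firewall or XDR schema:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); fields loosely mimic firewall traffic logs.
SAMPLE_EVENTS = [
    {"time": "2023-05-22T08:00:00", "host": "ws-01", "domain": "ads.example.test", "action": "blocked"},
    {"time": "2023-05-22T08:00:30", "host": "ws-01", "domain": "ads.example.test", "action": "allowed"},
    {"time": "2023-05-22T08:01:00", "host": "ws-02", "domain": "tracker.example.test", "action": "blocked"},
    {"time": "2023-05-22T08:05:00", "host": "ws-03", "domain": "bad.example.test", "action": "blocked"},
    {"time": "2023-05-22T08:09:00", "host": "ws-03", "domain": "bad.example.test", "action": "blocked"},
    {"time": "2023-05-22T09:30:00", "host": "ws-03", "domain": "bad.example.test", "action": "blocked"},
]

ESTABLISHED = {"allowed", "established"}  # actions treated as a successful connection


def correlate(events, window=timedelta(minutes=5), min_connections=2):
    """Correlate per (host, domain): one blocked connection alone is noise,
    but several connections inside `window`, or any established one, raise an alert.
    Returns {(host, domain): {"reason", "count", "at"}} with the first trigger per pair."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["domain"])].append(
            (datetime.fromisoformat(e["time"]), e["action"]))

    alerts = {}
    for pair, evs in by_pair.items():
        evs.sort()
        recent = []  # events within `window` of the current one (sliding window)
        for ts, action in evs:
            recent.append((ts, action))
            recent = [(t, a) for t, a in recent if ts - t <= window]
            reason = None
            if action in ESTABLISHED:
                reason = "established"
            elif len(recent) >= min_connections:
                reason = "repeated"
            if reason:
                alerts[pair] = {"reason": reason, "count": len(recent), "at": ts.isoformat()}
                break  # one alert per pair is enough; the incident covers the rest
    return alerts


if __name__ == "__main__":
    for (host, domain), info in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host} -> {domain}: {info['reason']} ({info['count']} connections) at {info['at']}")
```

With the sample data, ws-02's single blocked connection produces no alert, while ws-01 (established) and ws-03 (two blocked connections four minutes apart) do.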