I draw on many sources for ideas about spotting anomalies in an environment. One of them is the Twitter account of Jack Crook (@jackcr), who regularly shares methods and approaches for separating known from unknown, or common from rare.
The tweet below inspired me to see whether something similar could be implemented using the RSA NetWitness Platform:
https://twitter.com/jackcr/status/993561834375598080
The basis for the report is to look for outbound communications where a domain has only one user agent accessing it over the reporting time frame, and that user agent contains 'mozilla'.
After a few tests in the lab, this is the rule that was developed:
name: "DomainsWithOneUserAgent(1)"
description: ""
path_for_export: "rsa-custom/rareUaDomain/DomainsWithOneUserAgent(1)"
query {
data_source_type: NWDB
netwitness_query {
select: "alias.host,countdistinct(client),distinct(client),org.dst,countdistinct(ip.src)"
where: "alias.host exists && client exists && direction = \'outbound\' && client contains \'mozilla\'"
group_by_keys: "AGGREGATE"
order_by_keys {
column_name: "countdistinct(client)"
sort_order: ASCENDING
}
order_by_keys {
column_name: "alias.host"
sort_order: ASCENDING
}
limit_results_count: 100
then_clause: "max_threshold(1,countdistinct(client))"
agg_session_threshold: 0
group_by: "alias.host"
group_by: "org.dst"
alias_names: ""
}
data_source_name: ""
}
We limit the returned results to the top 100 and apply a max_threshold of 1 on countdistinct(client), so that only domains (grouped with org.dst) seen with exactly one unique user agent over the reporting time frame are returned. The countdistinct(ip.src) column is there to help with triage: a domain contacted by a single host will often have a single user agent simply because there was little traffic, whereas a domain contacted by many hosts that all present the same user agent is the more interesting case.
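To show what the rule computes, here is the same grouping, threshold and ordering logic run offline over a handful of session records. This is an added example written for this post, not NetWitness code or the author's report; the session records are constructed sample data, the meta key names follow the report's select clause, and the case-insensitive handling of `contains 'mozilla'` is an assumption. It is useful for sanity-checking the logic against a CSV export of your own meta before trusting the report output.

```python
from collections import defaultdict

# Constructed sample session metadata (not real traffic), one dict per session,
# keyed by the NetWitness meta names the report selects.
SAMPLE_SESSIONS = [
    {"alias.host": "cdn.example-news.com", "client": "Mozilla/5.0 (Windows NT 10.0) Chrome/66.0",
     "direction": "outbound", "org.dst": "Example CDN", "ip.src": "10.0.0.11"},
    {"alias.host": "cdn.example-news.com", "client": "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0",
     "direction": "outbound", "org.dst": "Example CDN", "ip.src": "10.0.0.12"},
    # Three hosts, one identical user agent: the interesting case.
    {"alias.host": "update.example-vendor.net", "client": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
     "direction": "outbound", "org.dst": "Example Vendor", "ip.src": "10.0.0.11"},
    {"alias.host": "update.example-vendor.net", "client": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
     "direction": "outbound", "org.dst": "Example Vendor", "ip.src": "10.0.0.13"},
    {"alias.host": "update.example-vendor.net", "client": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
     "direction": "outbound", "org.dst": "Example Vendor", "ip.src": "10.0.0.14"},
    # No 'mozilla' in the user agent: excluded by the where clause.
    {"alias.host": "api.example-saas.io", "client": "python-requests/2.18",
     "direction": "outbound", "org.dst": "Example SaaS", "ip.src": "10.0.0.15"},
    # Not outbound: excluded.
    {"alias.host": "intranet.corp.local", "client": "Mozilla/5.0 (Windows NT 10.0) Chrome/66.0",
     "direction": "lateral", "org.dst": "", "ip.src": "10.0.0.16"},
    # One host, one user agent: matches, but low signal on its own.
    {"alias.host": "rare.example-blog.org", "client": "Mozilla/5.0 (Windows NT 10.0) Chrome/66.0",
     "direction": "outbound", "org.dst": "Example Hosting", "ip.src": "10.0.0.12"},
    # alias.host missing: excluded by 'alias.host exists'.
    {"client": "Mozilla/5.0 (X11; Linux x86_64)", "direction": "outbound",
     "org.dst": "Example Hosting", "ip.src": "10.0.0.17"},
]


def matches_where(session):
    """alias.host exists && client exists && direction = 'outbound' && client contains 'mozilla'."""
    host = session.get("alias.host")
    client = session.get("client")
    if not host or not client:
        return False
    if session.get("direction") != "outbound":
        return False
    # Assumption: the substring match is case-insensitive, so 'Mozilla/5.0' counts.
    return "mozilla" in client.lower()


def domains_with_one_user_agent(sessions, max_agents=1, limit=100):
    """Group by (alias.host, org.dst), keep groups with countdistinct(client) <= max_agents,
    order by countdistinct(client) then alias.host, and cap the result set."""
    groups = defaultdict(lambda: {"clients": set(), "sources": set()})
    for s in sessions:
        if not matches_where(s):
            continue
        key = (s["alias.host"], s.get("org.dst", ""))
        groups[key]["clients"].add(s["client"])
        groups[key]["sources"].add(s.get("ip.src", ""))

    rows = []
    for (host, org), agg in groups.items():
        if len(agg["clients"]) > max_agents:  # then_clause: max_threshold(1, countdistinct(client))
            continue
        rows.append({
            "alias.host": host,
            "countdistinct(client)": len(agg["clients"]),
            "distinct(client)": sorted(agg["clients"]),
            "org.dst": org,
            "countdistinct(ip.src)": len(agg["sources"]),
        })
    rows.sort(key=lambda r: (r["countdistinct(client)"], r["alias.host"]))
    return rows[:limit]


if __name__ == "__main__":
    for row in domains_with_one_user_agent(SAMPLE_SESSIONS):
        print(row)
```

On the sample data the CDN host drops out because two browsers talk to it, while the vendor update host (three sources, one user agent) and the rarely visited blog (one source, one user agent) both survive; the countdistinct(ip.src) column is what separates those two results at triage time.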
Results look like this (lab results)
The report is included at the GitHub link below. As always, I'm curious to see how this performs on a larger network, to check its validity and whether tweaks are necessary. If you have any feedback, please let me know.
GitHub - epartington/rsa_nw_re_useragent_domain_rare
Feedback always appreciated
Happy Hunting