2017-06-26 08:27 PM
Hi Everyone,
I'm not sure if it's possible, but what I'd like to do is generate an IIOC alert when a machine's score goes over a certain number (in our case it's 100).
I know how to create an alert in NetWitness based on generated meta, what I'd like to know is how to create an IIOC in ECAT to generate that meta if a machine goes over 100.
I could be mistaken and this isn't possible.
Anyone have any ideas or pointers to documentation that may help?
2017-06-27 05:29 AM
Can you explain the driver for alerting when a machine score goes over 100? I don't think you are going to see much value in that, unless you have a one-off use case for this. It is pretty normal for machines to have a score well over 100 with nothing suspicious at all going on. If you wanted to hit a good breakpoint I would say go to 129, since that will only give you machines with L1 IIOCs. But still you'll find a majority of the machines with that score still have nothing malicious/suspicious.
I would recommend picking high-fidelity IIOCs that line up with what you are trying to detect and alerting on those. For example, "Unsigned, hidden, appdata\local" is a pretty good one to find trojans. The PowerShell ones are all pretty good too.
There was an issue with alerting on IIOCs other than machine-category IIOCs in versions prior to 4.3.0.4, so you'll want to upgrade if you haven't already.
Now I'll get off my soapbox and answer your question.
SELECT DISTINCT
    FK_Machines AS [FK_Machines],
    NULL AS [FK_MachineModulePaths]   -- no module path: this fires per machine, not per module
FROM
    (SELECT
        MI.FK_Machines,
        -- Any Level 0 hit pins the score at 1024. Otherwise each level's hit count is
        -- capped (L1 at 7, L2 at 15, L3 at 7) and weighted 128 / 8 / 1, so a machine
        -- with no L0 or L1 hits can never score above 15 * 8 + 7 = 127.
        CASE WHEN MI.IOCLevel0 > 0 THEN 1024
        ELSE
            ((CASE WHEN MI.IOCLevel1 > 7 THEN 7 ELSE MI.IOCLevel1 END) * 128 +
             (CASE WHEN MI.IOCLevel2 > 15 THEN 15 ELSE MI.IOCLevel2 END) * 8 +
             (CASE WHEN MI.IOCLevel3 > 7 THEN 7 ELSE MI.IOCLevel3 END))
        END AS IIOCScore
    FROM
        dbo.MachineIOC AS MI WITH(NOLOCK)
        INNER JOIN dbo.Machines AS MA WITH(NOLOCK) ON MA.PK_Machines = MI.FK_Machines
    ) mytable
WHERE IIOCScore >= 128 -- Set desired IIOC machine score here
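To see what the scoring arithmetic in that query actually does at the threshold, here is an added example (not code from the original post or from RSA) that runs the same CASE expression in SQLite over a handful of constructed MachineIOC rows. The table is reduced to FK_Machines plus the four IOCLevel columns the query reads, and the dbo. prefix, the WITH(NOLOCK) hint and the join to dbo.Machines are dropped because they do not affect the score. The row values are made up to probe the caps and the breakpoints.

```python
import sqlite3

# Constructed sample rows: (FK_Machines, IOCLevel0, IOCLevel1, IOCLevel2, IOCLevel3).
# Not real ECAT data; chosen to exercise the caps and the 127/128 boundary.
SAMPLE_MACHINE_IOC = [
    (1, 0, 0,  0,  0),   # nothing tripped
    (2, 0, 0, 15,  7),   # L2/L3 hits exactly at their caps, no L1: 15*8 + 7 = 127
    (3, 0, 0, 40, 40),   # far more L2/L3 hits, still 127 because of the caps
    (4, 0, 1,  0,  0),   # a single L1 hit and nothing else: exactly 128
    (5, 0, 1,  3,  2),   # one L1 plus a few L2/L3: 128 + 24 + 2 = 154
    (6, 1, 0,  0,  0),   # any L0 hit: fixed 1024 regardless of the other levels
    (7, 0, 9,  0,  0),   # L1 count above its cap of 7: 7*128 = 896
]

# The scoring expression from the posted query, in portable SQL (same CASE logic,
# SQL Server-specific hints and the Machines join removed).
SCORE_SQL = """
SELECT FK_Machines,
       CASE WHEN IOCLevel0 > 0 THEN 1024
            ELSE (CASE WHEN IOCLevel1 > 7  THEN 7  ELSE IOCLevel1 END) * 128
               + (CASE WHEN IOCLevel2 > 15 THEN 15 ELSE IOCLevel2 END) * 8
               + (CASE WHEN IOCLevel3 > 7  THEN 7  ELSE IOCLevel3 END)
       END AS IIOCScore
FROM MachineIOC
"""


def iioc_score(l0, l1, l2, l3):
    """Plain-Python restatement of the same formula, used to cross-check the SQL."""
    if l0 > 0:
        return 1024
    return min(l1, 7) * 128 + min(l2, 15) * 8 + min(l3, 7)


def score_machines(rows=SAMPLE_MACHINE_IOC):
    """Load the rows into an in-memory table and return {FK_Machines: IIOCScore}."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE MachineIOC (FK_Machines INTEGER, IOCLevel0 INTEGER, "
        "IOCLevel1 INTEGER, IOCLevel2 INTEGER, IOCLevel3 INTEGER)"
    )
    con.executemany("INSERT INTO MachineIOC VALUES (?, ?, ?, ?, ?)", rows)
    scores = dict(con.execute(SCORE_SQL).fetchall())
    con.close()
    return scores


def machines_at_or_above(threshold, rows=SAMPLE_MACHINE_IOC):
    """Machines the IIOC would flag for a given WHERE IIOCScore >= threshold."""
    return sorted(m for m, s in score_machines(rows).items() if s >= threshold)


if __name__ == "__main__":
    scores = score_machines()
    for row in SAMPLE_MACHINE_IOC:
        machine, *levels = row
        assert scores[machine] == iioc_score(*levels)
        print(f"machine {machine}: levels L0..L3={levels} -> score {scores[machine]}")
    for t in (100, 128, 129):
        print(f"threshold >= {t}: flags machines {machines_at_or_above(t)}")
```

Two things the numbers make visible: with no L0 or L1 hits the score tops out at 127 however many L2/L3 hits there are, which is why 128 is the first value that guarantees at least one L1 IIOC; and a threshold of 129 drops a machine whose only hit is a single L1 (exactly 128), which the posted query's `>= 128` keeps.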
2017-06-28 06:58 PM
100 was just an arbitrary number that we had chosen as a starting point to alert if something had deviated from the norm. If 129 is more appropriate then we'll heed your advice on that one.
We are looking at other IIOCs like unsigned in temp locations, PowerShell, etc. This was just the first one we thought of as a use case to get alerting properly configured within ECAT/NetWitness.
Thanks.