We recently enabled some telemetry on our CbR agents. This means we now receive type:netconn events.
A netconn event turns out to be a kind of mix of dns/domain and traffic sourcetype. Everything is tagged for the Traffic DM.
So we added an alias to map the "domain" field from the netconn event as "query" and tagged the netconn events containing a "domain" value with the correct Network Resolution constraint tags; and voilà, Network Resolution DM gets populated. Threat Activity works.
But that made me look at the other fields... and... obvious aliases are missing and even plain wrong in some cases.
Some quick examples:
Consider the following "dns" events:
index="carbonblack" sourcetype="bit9:carbonblack:json" netconn AND NOT domain=""
These are with direction=outbound. Setting aside that they are not tagged for Network Resolution by default (one could argue this is kind of correct), some aliases are missing, such as src_ip and src_port, even though they are part of the raw log. Technically we don't need them for either the DNS DM or the Traffic DM, but there is no reason not to have them.
That's a minor issue and fixable.
However, looking at netconn inbound events is where the whole thing is a mess:
index=carbonblack sourcetype=bit9:carbonblack:json event_type=netconn AND direction=inbound
Here the aliases have not been flipped to account for the direction being inbound. remote_* values in the raw log are being aliased to "dest_*". Since this is an INBOUND event, the mapping should of course be remote_* -> src_* and local_* -> dest_*, since the local machine is the destination.
Can anyone confirm that this is what they are also seeing?
We plan on fixing this ourselves, but we feel that this should be fixed by the TA devs, because there are a lot of changes that need to be done.
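
The direction-aware mapping described in the post, sketched as a local props.conf override (an added example, not part of the original post and not the TA's own configuration). It assumes the raw netconn fields are named local_ip, local_port, remote_ip and remote_port, and that direction only takes the values inbound and outbound; check both against your own events first.

```ini
# local/props.conf in the add-on (constructed example; raw field names are assumptions)
[bit9:carbonblack:json]

# Calculated fields (EVAL-*) run after field aliases at search time, so these
# overwrite a static alias that always maps remote_* to dest_*.
# Each EVAL only references raw fields or the pre-existing value of its own
# field, because calculated fields cannot depend on one another.

# Inbound: the remote peer opened the connection, so it is the source.
# Outbound: the local endpoint opened the connection, so it is the source.
# Anything that is not a netconn event keeps whatever value it already had.
EVAL-src_ip = case(event_type=="netconn" AND direction=="inbound", remote_ip, event_type=="netconn" AND direction=="outbound", local_ip, true(), src_ip)
EVAL-src_port = case(event_type=="netconn" AND direction=="inbound", remote_port, event_type=="netconn" AND direction=="outbound", local_port, true(), src_port)
EVAL-dest_ip = case(event_type=="netconn" AND direction=="inbound", local_ip, event_type=="netconn" AND direction=="outbound", remote_ip, true(), dest_ip)
EVAL-dest_port = case(event_type=="netconn" AND direction=="inbound", local_port, event_type=="netconn" AND direction=="outbound", remote_port, true(), dest_port)

# The alias the post describes: expose "domain" as "query" for Network Resolution.
FIELDALIAS-netconn_query = domain AS query
```

After deploying it, compare `stats count by direction, src_ip, dest_ip` against the raw local_*/remote_* values for a handful of inbound and outbound events to confirm the flip took effect.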