Guys,
Any idea of writing a splunk query to find the malicious command and control traffic using Cisco IPS logs.
We have forwarded cisco cws and cisco IPS logs to splunk.
Thanks in advance.
Siva
Have you looked at
https://www.splunk.com/en_us/resources/videos/splunk-for-security-investigation-command-and-control-...
https://www.splunk.com/blog/2018/06/07/command-and-control-detecting-the-hidden-threat-before-it-s-t...
Enterprise Content app has searches for detecting C2 traffic. https://splunkbase.splunk.com/app/3449/
You can map the IPS logs on to the Network_Traffic datamodel and you can look for C2 traffic (for specific IRC ports etc., using the IPS logs). The ES content app has sample searches which you can change as per your index/sourcetype/data source.
If you have a database of malicious IPs, that needs to be driven into your ESM tool to create logging on step six of the kill chain model.
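A search built along the lines of the two replies above, added here as an example and not taken from the ES content app or from either poster. It assumes the Cisco IPS events are already mapped to the Network_Traffic datamodel with accelerated summaries, and that the malicious-IP list from the second reply sits in a CSV lookup called `malicious_ips.csv` with an `ip` column (a placeholder name, not a known asset); the IRC port list and the threshold of five connections are constructed values for illustration.

```spl
| tstats summariesonly=true count, min(_time) AS firstTime, max(_time) AS lastTime
    FROM datamodel=Network_Traffic
    WHERE All_Traffic.dest_port IN (6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697)
    BY All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, sourcetype
| rename All_Traffic.* AS *
| where NOT (cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip))
| lookup malicious_ips.csv ip AS dest_ip OUTPUTNEW ip AS known_bad
| eval known_bad=if(isnull(known_bad), "no", "yes")
| where count > 5 OR known_bad="yes"
| convert ctime(firstTime) ctime(lastTime)
| sort - count
```

The `sourcetype` column shows whether the hit came from the IPS or the CWS feed, and the private-range exclusion keeps internal IRC chatter out of the result; tune the ports and threshold to what is normal on your network before turning this into an alert.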