Splunk Enterprise Security

How to write a Splunk alert to find malicious C2 traffic using Cisco IPS logs

sivasankarketin
New Member

Guys,

Any idea of writing a splunk query to find the malicious command and control traffic using Cisco IPS logs.
We have forwarded cisco cws and cisco IPS logs to splunk.

Thanks in advance.

Siva

0 Karma

lakshman239
Influencer

Have you looked at

https://www.splunk.com/en_us/resources/videos/splunk-for-security-investigation-command-and-control-...
https://www.splunk.com/blog/2018/06/07/command-and-control-detecting-the-hidden-threat-before-it-s-t...

Enterprise Content app has searches for detecting C2 traffic. https://splunkbase.splunk.com/app/3449/

You can map the IPS logs on to Network_Traffic datamodel and you can look for C2 traffic (for specific IRC ports etc.. using the IPS logs. The ES content app has sample searches which you can change as per your index/sourcetype/data source.

0 Karma

oolorunl
New Member

If you have a database of malicoius iP that need to be driven in your ESM tool to create logging on step six on the kill chain model.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...