Splunk Enterprise Security

How to write a Splunk alert to find malicious C2 traffic using Cisco IPS logs

sivasankarketin
New Member

Guys,

Any idea of writing a splunk query to find the malicious command and control traffic using Cisco IPS logs.
We have forwarded cisco cws and cisco IPS logs to splunk.

Thanks in advance.

Siva

0 Karma

lakshman239
Influencer

Have you looked at

https://www.splunk.com/en_us/resources/videos/splunk-for-security-investigation-command-and-control-...
https://www.splunk.com/blog/2018/06/07/command-and-control-detecting-the-hidden-threat-before-it-s-t...

Enterprise Content app has searches for detecting C2 traffic. https://splunkbase.splunk.com/app/3449/

You can map the IPS logs on to Network_Traffic datamodel and you can look for C2 traffic (for specific IRC ports etc.. using the IPS logs. The ES content app has sample searches which you can change as per your index/sourcetype/data source.

0 Karma

oolorunl
New Member

If you have a database of malicoius iP that need to be driven in your ESM tool to create logging on step six on the kill chain model.

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...