Splunk Search

Detection of stealthy events

Thuan
Explorer

On security issues, there are high-intensity events - scanning - and low-intensity (or stealthy) events - periodic or not - that take place, say, once every few days. The high-intensity ones can be detected quite easily. The question has to do with low or very low frequency events. The transaction command allows a maxspan parameter. Is there some way to define a minspan = x hours/days, with the intent to detect recurring events that exceed a given time interval measured in hours/days?

0 Karma

Thuan
Explorer

One case of stealthy events is data exfiltration via HTTP. One possible common thread is a pair of source and destination IPs, or even a destination subnet. The gap between any two such exfiltration activities may be days.

0 Karma

kristian_kolb
Ultra Champion

transaction does not have such a parameter. Also, searching for long-running transactions can be very computationally 'expensive'.

However you can maybe have some success with the rare command, e.g.;

sourcetype=logins status=failed src_ip!=10.* | rare src_ip

Which would give you the least common src_ip values that failed to authenticate from an external IP address. It all depends on your use cases, what logs you have and what you are looking for. More detailed examples, perhaps with sample events, would allow for more precise advice.

/k

0 Karma

Thuan
Explorer

One case of stealthy events is data exfiltration via HTTP. One possible common thread is a pair of source and destination IPs, or even a destination subnet. The gap between any two such exfiltration activities may be days. Any idea how this can be achieved?

0 Karma
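One way to get the "minspan" behaviour asked for above without transaction, as an added example that is not from any of the posters: order the events per source/destination pair, use streamstats to compute the gap to the previous event of the same pair, and keep only pairs whose events recur with a gap of at least 24 hours. The index, sourcetype and the src_ip, dest_ip, action and bytes_out field names are assumptions about a web proxy sourcetype, not taken from the thread.

```spl
index=proxy sourcetype=web_proxy action=allowed
| eval pair=src_ip.">".dest_ip
| bin _time span=1h
| stats sum(bytes_out) as bytes_out count as requests by _time pair
| sort 0 _time
| streamstats current=f last(_time) as prev_time by pair
| eval gap_hours=round((_time-prev_time)/3600,1)
| where gap_hours>=24
| stats count as recurrences min(gap_hours) as min_gap_h max(gap_hours) as max_gap_h sum(bytes_out) as total_bytes_out by pair
| where recurrences>=2
```

The hourly bin collapses a burst of requests in one session into a single event, so the gaps measure time between sessions rather than between requests; the first event of each pair has no prev_time and is dropped by the where clause. Run it over a time range several times longer than the minimum gap (for example the last 30 days) or the recurrences will never accumulate.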