Can someone please help me with this rule? I have been assigned to create a bunch of similar rules but I am struggling with a few, this is what I have so far...
========================================
Strategy Abstract
The strategy will function as follows:
Technical Context
This rule focuses on detecting abnormal outbound SMB traffic.
===============================================================================
SPL is generating 0 errors but also 0 matches.
| tstats summariesonly=true allow_old_summaries=true
    values(All_Traffic.dest_ip) as dest_ip
    dc(All_Traffic.dest_ip) as unique_dest_ips
    values(All_Traffic.dest_port) as dest_port
    values(All_Traffic.action) as action
    values(sourcetype) as sourcetype
  from datamodel=Network_Traffic.All_Traffic
  where [| inputlookup internal_ranges.csv | fields src_ip | rename src_ip as "All_Traffic.src_ip" | format]
    AND NOT [| inputlookup internal_ranges.csv | fields dest_ip | rename dest_ip as "All_Traffic.dest_ip" | format]
    AND All_Traffic.dest_port=445
  by _time All_Traffic.src_ip span=5m
| `drop_dm_object_name(All_Traffic)`
| where unique_dest_ips>=50
| search NOT [| inputlookup scanners.csv | table ip | rename ip as src_ip]
| search NOT src_ip="x.x.x.x"
| head 51
You may want to walk back the SPL and see on which line results are getting dropped off.
Is it the initial tstats callout? Just by looking at it, the where clause in the tstats looks a bit strange, but it's hard to say without seeing what the contents of the internal_ranges.csv lookup are.
Does a query like this pull back any results?
| tstats summariesonly=true allow_old_summaries=true
values(All_Traffic.dest_ip) as dest_ip,
dc(All_Traffic.dest_ip) as unique_dest_ips,
values(All_Traffic.dest_port) as dest_port,
values(All_Traffic.action) as action,
values(sourcetype) as sourcetype
from datamodel=Network_Traffic.All_Traffic
where All_Traffic.src_ip IN ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12") AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12") AND All_Traffic.dest_port=445
by _time All_Traffic.src_ip span=5m
| rename
All_Traffic.* as *
Just switched up the tstats where filter a bit so that src_ip is an internal IP and dest_ip is an external IP, which I think is what you described in the original post.
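Added example, not code from the thread: the same detection logic as the tstats search (internal source, external destination, port 445, distinct destinations per source per 5-minute window, scanner and allow-list exclusions) written in Python so it can be checked offline against constructed flow records. The internal ranges, scanner list, allow-listed address and sample flows are all assumed or constructed values, not the poster's real lookups.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-ins for the lookups referenced in the SPL (assumed values).
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCANNERS = {"10.0.0.5"}      # plays the role of scanners.csv
ALLOWLIST = {"10.0.0.9"}     # plays the role of the hard-coded NOT src_ip="x.x.x.x"
THRESHOLD = 50               # where unique_dest_ips>=50
SPAN = 300                   # span=5m, in seconds

def is_internal(ip):
    """True when the address falls inside one of the RFC 1918 ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)

def bucket(ts):
    """Align an epoch timestamp to the start of its 5-minute window."""
    return ts - (ts % SPAN)

def detect(flows):
    """Return {(window_start, src_ip): set(dest_ips)} for windows breaching the threshold."""
    per_key = defaultdict(set)
    for f in flows:
        if f["dest_port"] != 445:
            continue
        if not is_internal(f["src_ip"]) or is_internal(f["dest_ip"]):
            continue  # only internal -> external SMB is in scope
        if f["src_ip"] in SCANNERS or f["src_ip"] in ALLOWLIST:
            continue  # known scanners and allow-listed hosts are excluded
        per_key[(bucket(f["_time"]), f["src_ip"])].add(f["dest_ip"])
    return {k: v for k, v in per_key.items() if len(v) >= THRESHOLD}

def sample_flows():
    """Constructed flow records shaped like Network_Traffic.All_Traffic events."""
    base = 1_700_000_000  # arbitrary epoch second; base..base+99 share one window
    flows = []
    # One workstation reaching 60 distinct external hosts on 445 inside one window: should fire.
    flows += [{"_time": base + i, "src_ip": "10.1.2.3", "dest_ip": f"203.0.113.{i}", "dest_port": 445} for i in range(60)]
    # An authorised scanner doing the same: excluded by the scanner list.
    flows += [{"_time": base + i, "src_ip": "10.0.0.5", "dest_ip": f"198.51.100.{i}", "dest_port": 445} for i in range(60)]
    # Lateral SMB to internal destinations: not outbound, so out of scope.
    flows += [{"_time": base + i, "src_ip": "10.1.2.4", "dest_ip": f"10.9.0.{i}", "dest_port": 445} for i in range(60)]
    # Slow host spread across several windows; no single window reaches 50.
    flows += [{"_time": base + i * 10, "src_ip": "10.1.2.5", "dest_ip": f"192.0.2.{i}", "dest_port": 445} for i in range(60)]
    return flows

if __name__ == "__main__":
    for (window, src), dests in detect(sample_flows()).items():
        print(f"window={window} src_ip={src} unique_dest_ips={len(dests)}")
```

Walking the stages of this function mirrors the advice above: drop one filter at a time and watch which step empties the result set.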
Thank you. It worked.