security-content/detections/brand_abuse_web.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
asset_type: Endpoint
baselines:
  - id: 19f7d2ec-6028-4d01-bcdb-bda9a034c17f
    name: DNSTwist Domain Names
    type: splunk
confidence: high
creation_date: '2017-06-01'
data_metadata:
  data_models:
    - Web
  data_source:
    - Web Traffic
  providing_technologies:
    - Splunk Stream
    - Bro
    - Bluecoat
    - Palo Alto Firewall
description: This search looks for Web requests to faux domains similar to the one
  that you want to have monitored for abuse.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: src, url
        rule_description: The host $src$ connected to a web site with a domain similar
          to that which you are monitoring for brand abuse.
        rule_title: Web URL Brand Abuse from $src$
      risk:
        risk_object: src
        risk_object_type:
          - system
        risk_score: 80
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime
        from datamodel=Web by Web.src | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
        | `brand_abuse_web`'
      suppress:
        suppress_fields: src
        suppress_period: 86400s
eli5: This search looks at all the URLs an endpoint is connecting to and then checks
  the URL against a list of faux domains that could be indicative of brand abuse.
entities:
  - src
how_to_implement: You need to ingest data from your web traffic. This can be accomplished
  by indexing data from a web proxy, or using a network traffic analysis tool, such
  as Bro or Splunk Stream. You also need to have run the search "ESCU - DNSTwist Domain
  Names", which creates the permutations of the domain that will be checked for.
id: 134da869-e264-4a8f-8d7e-fcd0ec88f301
investigations:
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
    name: Investigate Web Activity From Host
    type: splunk
known_false_positives: None at this time
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
mappings:
  cis20:
    - CIS 7
  kill_chain_phases:
    - Delivery
  mitre_attack: []
  nist:
    - PR.IP
modification_date: '2017-09-23'
name: Monitor Web Traffic For Brand Abuse
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
references: []
security_domain: network
spec_version: 2
type: splunk
version: '1.0'