Limit intruder dwell time with rapid context gathering

Description

In this use case, a hypothetical attacker uses an exploit against a machine in our local network, which triggers an alert from an external security service. The attacker then takes control of the machine and leaks information out of the network.

Our external service does not provide additional details about the threat. We will use this Flow to combine the external service data and the data extracted by Devo (interactions between attacker and victim) to check if there's any data flow from the victim to the attacker. If Flow observes an interaction, it will send an email to notify you of the intrusion, and it will provide you with the query to rapidly investigate and mitigate the threat.

In this example, we are combining alert data from an external IDS service ingested into Devo with firewall data. The IDS alerts describe intrusions into our machines and include the attacker source IPs and the victim destination IPs. We will compare this data with the information recorded by our firewall to check whether the victim machine is sending data to the attacker's IP address, which would indicate a data leak.

Flow configuration

The configuration of this use case is divided into 3 different parts:

  • (1) Prepare the external service data
  • (2) Prepare the firewall data
  • (3) Define the Flow

Upload the sample data

Before defining the units of this Flow, we need to prepare the sample data we will use to simulate the external tool service. To do it, we have defined a CSV file that contains some sample events simulating logs related to potential attacks.

  1. Click here to download the CSV file that contains the sample events.
  2. Now, access your Devo domain and go to Data upload. Choose Local files, drag the CSV file into the screen that appears, and click Upload file. 
  3. Give a tag name to the new data table (in this example, we're calling it my.upload.suricata.data) and select Current date in the Date parsing type field. Click Confirm settings when you're done.
  4. Finally, click Confirm and send in the summary screen. Wait some minutes and the new table will be accessible from the Data search area. Learn more about uploading logs to Devo in Uploading log files.

Parse the sample data

  1. Go to Data Search and access the my.upload.suricata.data table. Remember that it may take some minutes before you can access it.

  2. Now, click the gear icon on the toolbar and select Source table → Autoparse.

  3. Now you must set the delimiter used to parse the data and set the name and content of the columns. We will choose the comma "," as our delimiter. The following capture shows the columns that we need to define and the names you should give them.

    Make sure to select the type String for the fields src_ip and dest_ip. You can leave all the other data types as default.

  4. Click Confirm when you're done and access the table after some minutes. This is how the table should look after the parsing:

Once the data table is created and properly parsed, we can start defining the units that will make up our Flow. If you want to learn more about the Autoparse tool in Devo, read this article.

Upload the sample data

Now we need to prepare the sample data we will use to simulate firewall logs in Devo. To do it, we have defined a CSV file that contains some sample events simulating logs generated by our firewall and sent to Devo.

  1. Click here to download the CSV file that contains the sample events.
  2. Now, access your Devo domain and go to Data upload. Choose Local files, drag the CSV file into the screen that appears, and click Upload file. 
  3. Give a tag name to the new data table (in this example, we're calling it my.upload.firewall.data) and select Current date in the Date parsing type field. Click Confirm settings when you're done.
  4. Finally, click Confirm and send in the summary screen. Wait some minutes and the new table will be accessible from the Data search area. Learn more about uploading logs to Devo in Uploading log files.

Parse the sample data

In this case, we will manually parse the necessary fields for this example:

  1. Go to Data Search and access the my.upload.firewall.data table. Remember that it may take some minutes before you can access it.
  2. Now, open the Query code editor located at the top of the window and paste the following query:

    from my.upload.firewall.data
    select split(message, ",", 5) as srcIp
    select split(message, ",", 6) as dstIp

    Now that the fields needed for the use case are defined, you can start defining your Flow.

The following sections describe the units needed to create this Flow (unit type, description, and configuration), as well as how to link them.

Devo Source

This unit defines the Devo query that retrieves the events of the sample table we defined (my.upload.suricata.data), which contains sample events from a hypothetical external security service.

  1. Drag a Devo Source unit to the canvas and open its configuration options by double-clicking it.
  2. Add a Name to the unit (in this example, we called it DevoSource), and specify the Query that receives the events of the required data source. In this example, we're using the following query:

    from my.upload.suricata.data
      select eventdate, src_ip, dest_ip, sid
      where isnotnull(src_ip),
        isnotnull(dest_ip)

  3. Choose eventdate in the Time column field.

  4. In the Start time field, make sure to indicate the time when the sample events in the my.upload.suricata.data table were uploaded to your domain. You can check this by going to Data Search and accessing the query. You can easily check the starting point of the data by narrowing the upload time frame in the calendar and checking the graph at the top of the window.

  5. Leave the rest of the settings as default and click Apply to save the configuration.

Map

We will use this unit to add some additional fields to our sample data in order to enrich the sample events generated by the external service.

  1. Drag a Map unit to the canvas and link the out port of the Devo Source unit to the in port of this unit, as follows:

  2. Then, open the configuration options of the unit by double-clicking it. In the General tab, add a Name to the unit (in this example, we called it Map), and leave the Language as default (Groovy).
  3. In the Fields to add tab, you must add 4 different fields by clicking the + button:

    Field 1 - This field will contain the current time.

    • Field name - now
    • Type - java.util.Date
    • Expression - new Date()

    Field 2 - This field will contain the IP address of the attackers.

    • Field name - attackerIp
    • Type - String
    • Expression - src_ip

    Field 3 - This field will contain the IP address of the victims.

    • Field name - possibleLeaker
    • Type - String
    • Expression - dest_ip

    Field 4 - This field will contain the date of the attack.

    • Field name - alertDate
    • Type - String
    • Expression - eventdate.toString()

  4. Click Apply to save the configuration.

Devo Full Query

We will use this unit to compare our external service data to the firewall data registered in our Devo domain (the my.upload.firewall.data sample table in this example, which plays the role of the firewall.all.traffic table).

  1. Drag a Devo Full Query unit to the canvas and link the out port of the Map unit to the in port of this unit, as follows:

  2. Then, open the configuration options of the unit by double-clicking it. Add a Name to the unit (in this example, we called it FullQuery), and specify the Query that receives the events of the required data source. In this example, we're using the following query:

    from my.upload.firewall.data
    select split(message, ",", 5) as srcIp
    select split(message, ",", 6) as dstIp
    where isnotnull(srcIp),
      isnotnull(dstIp),
      srcIp = ?,
      dstIp = ?
    group every - select count() as count
    where count > 0

  3. In the Parameters field, add possibleLeaker and attackerIp (in that order). These values will replace the ? characters in the query above:

    It is important that you add the parameters in the order that we specify, as they will be used to fill the variable fields (srcIp = ?, dstIp = ?) in the query above in that specific order.

    What we're doing here is checking whether the source IP addresses detected by our external IDS (field renamed as attackerIp) later appear as destination IP addresses in the firewall table, with the victim (possibleLeaker) as the source IP address. If they do, the victim is sending data to the attacker, which points to a data leak.

  4. In the From event tab, choose the eventdate column as Start time and the now column as End time.
  5. Click Apply to save the configuration.

Email Sink

We will use this unit to send a customized message to the required users and warn them about the suspected intrusion and data leak.

  1. Drag an Email Sink unit to the canvas and link the data port of the Devo Full Query unit to the in port of this unit, as follows:

  2. Then, open the configuration options of the unit by double-clicking it. In the General tab, add a Name to the unit (in this example, we called it Mail) and add a Subject for the emails to be sent (in this example, IDS alert followed by network activity towards the attack source).

  3. In the Message field, you must enter the text to be sent in the mails. For this example, we added the following (where sid, possibleLeaker, attackerIp and alertDate are variable fields that will be automatically replaced by the corresponding values):

    Suricata Alert id: %%{sid}

    Data activity:

    from firewall.all.traffic
      where
        srcIp = %%{possibleLeaker},
        dstIp = %%{attackerIp},
        timestamp("%%{alertDate}") <= eventdate

  4. Then, click the To recipients tab and add as many email addresses as required by clicking the + icon.

  5. Click Apply to save the configuration.

Once you're done, remember to save your Flow so you can start running it. To do it, click the Save button on the Flow toolbar.
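To show what the Flow above computes end to end, here is an added example (not Devo code and not part of the original page) that re-creates the correlation offline: IDS alerts name an attacker (src_ip) and a victim (dest_ip), the firewall log is searched for victim-to-attacker traffic at or after the alert time, and any hit renders the same notification text the Email Sink sends. The sample alerts and firewall lines are constructed.

```python
from datetime import datetime

# Constructed IDS alerts as they look after Autoparse: (eventdate, src_ip, dest_ip, sid)
IDS_ALERTS = [
    ("2019-05-06 10:00:00", "203.0.113.7", "10.0.0.15", "2024001"),
    ("2019-05-06 10:05:00", "198.51.100.9", "10.0.0.22", "2024002"),
]

# Constructed firewall lines as raw CSV "message" values: field 5 is the source IP and
# field 6 the destination IP, mirroring split(message, ",", 5) / split(message, ",", 6).
FIREWALL_MESSAGES = [
    ("2019-05-06 09:30:00", "fw1,allow,tcp,eth0,eth1,10.0.0.15,203.0.113.7,443"),   # before the alert
    ("2019-05-06 10:02:00", "fw1,allow,tcp,eth0,eth1,10.0.0.15,203.0.113.7,443"),   # victim -> attacker
    ("2019-05-06 10:03:00", "fw1,allow,tcp,eth0,eth1,10.0.0.15,203.0.113.7,8443"),  # victim -> attacker
    ("2019-05-06 10:06:00", "fw1,allow,tcp,eth0,eth1,10.0.0.22,192.0.2.5,80"),      # unrelated peer
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_firewall(eventdate, message):
    """Manual parse of one firewall line, like the srcIp/dstIp selects in the Flow query."""
    fields = message.split(",")
    return {"eventdate": _ts(eventdate), "srcIp": fields[5], "dstIp": fields[6]}

def render_email(sid, possible_leaker, attacker_ip, alert_date):
    """Same template as the Email Sink, with the %%{...} placeholders filled in."""
    return (f"Suricata Alert id: {sid}\n\nData activity:\n\n"
            "from firewall.all.traffic\n  where\n"
            f"    srcIp = {possible_leaker},\n    dstIp = {attacker_ip},\n"
            f"    timestamp(\"{alert_date}\") <= eventdate")

def correlate(alerts, firewall_rows):
    """Return (count, email text) for each alert whose victim later talks to the attacker.

    This is the Devo Full Query predicate: srcIp = possibleLeaker, dstIp = attackerIp,
    restricted to the window from the alert time (eventdate) to now, kept only if count > 0.
    """
    fw = [parse_firewall(d, m) for d, m in firewall_rows]
    hits = []
    for eventdate, src_ip, dest_ip, sid in alerts:
        alert_date = _ts(eventdate)
        count = sum(1 for r in fw
                    if r["srcIp"] == dest_ip and r["dstIp"] == src_ip
                    and r["eventdate"] >= alert_date)
        if count > 0:
            hits.append((count, render_email(sid, dest_ip, src_ip, eventdate)))
    return hits

if __name__ == "__main__":
    for count, mail in correlate(IDS_ALERTS, FIREWALL_MESSAGES):
        print(f"{count} flow(s) found, notification:\n{mail}\n")
```

Only the first alert produces a notification: the 09:30 flow predates the alert and is excluded, while the second victim only talks to an unrelated address.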

Result

Once you have defined the whole Flow and saved it, click the Start button to activate it. If everything is correctly configured, the Flow will send an email to the given addresses every time the Flow registers 1 or more interactions between the attacker and the victim. Users will get the query in their mails with the corresponding date in order to check additional details.

Import this Flow

Download this Flow in JSON format by clicking here and import it into your domain by clicking the Import option at the top of the Flow canvas. If the JSON object opens in a new browser window automatically, copy all the content, paste it into a text editor and save it in .txt or .json format.

Remember to add the required target email addresses as explained above before running the Flow.

See the following video to start learning about how to use Flow to limit intruder dwell time:
