Proxy Threat Investigation

elopezsa edited this page Sep 21, 2016 · 1 revision

### Purpose and Audience

This section contains a walk-through of the Threat Investigation analyst view. The intended audience is Security Analysts responsible for reviewing the results for potential threats. The Threat Investigation notebook provides a way to perform a more detailed analysis of the connections previously scored as high risk.
Users select a day to investigate, starting at the Suspicious Connects section and then moving on to the detailed analysis performed with a Threat Investigation Jupyter notebook.

### Walk-through

Access the analyst view for Proxy Suspicious Connects. Select the date that you want to review. Your view should now look like this:

The analyst must have scored the suspicious connections before moving into the Threat Investigation view; please refer to the Proxy Suspicious Connects Analyst View walk-through.

Select Proxy > Threat Investigation from the Open Network Insight menu.

The Threat Investigation web page will open, loading the embedded Jupyter notebook. A list of all Proxy Records scored as high risk will be presented.

#### Expanded Search

Select any value from the list and press the "Search" button. The system will execute a query against the proxy table, looking into the raw data initially collected to find additional activity for the selected Proxy Record. Results will be extracted and displayed in a table. If an expanded search was previously executed on this Proxy Record, the system will read the results from the pre-existing file, avoiding another query to the table and reducing execution time. Query execution time is long and will vary depending on whether Hive or Impala is being used, so please monitor the notebook's status icon for completion. The number of results displayed on screen can be set by modifying the top_results variable; additional information on how to modify this variable can be found here.

#### Save comments

In addition, a web form is displayed under the title 'Threat summary', where the analyst can enter a Title and Description of the kind of attack or behavior represented by the particular Proxy Record under investigation.

Clicking the "Save" button creates or updates the threats.csv file, adding a new line with the contents of the form. This file is used by the Storyboard section to display all the comments entered by the user, and it also serves as an index of the threats analyzed.

#### Continue to the Storyboard

Once you have saved comments on any suspicious IP or domain, you can continue to the Storyboard to check the results.
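The Expanded Search and Save comments steps above describe a cache-or-query workflow (reuse es-{id}.csv when it exists, otherwise query the proxy table and cap the rows at top_results) followed by appending a line to threats.csv. The following is an added illustration of that flow, not code from the ONI notebook: the proxy table is a constructed in-memory list standing in for a Hive/Impala query, and the column names and the CSV layouts of es-{id}.csv and threats.csv are assumptions.

```python
import csv
import os
import tempfile

# Constructed stand-in for the raw proxy table; the real notebook runs a
# Hive/Impala query here. Column names are assumed, not taken from ONI.
PROXY_TABLE = [
    {"p_date": "2016-09-21", "clientip": "10.0.0.5", "host": "bad.example", "fulluri": "http://bad.example/a", "respcode": "200"},
    {"p_date": "2016-09-21", "clientip": "10.0.0.5", "host": "bad.example", "fulluri": "http://bad.example/b", "respcode": "404"},
    {"p_date": "2016-09-21", "clientip": "10.0.0.5", "host": "bad.example", "fulluri": "http://bad.example/c", "respcode": "200"},
    {"p_date": "2016-09-21", "clientip": "10.0.0.7", "host": "ok.example", "fulluri": "http://ok.example/", "respcode": "200"},
]
FIELDS = ["p_date", "clientip", "host", "fulluri", "respcode"]


def expanded_search(record_id, host, data_dir, top_results=2):
    """Return (rows, from_cache): reuse es-{id}.csv if present, else 'query' and write it."""
    path = os.path.join(data_dir, f"es-{record_id}.csv")
    if os.path.exists(path):  # earlier expanded search on this record: skip the slow query
        with open(path, newline="") as f:
            return list(csv.DictReader(f)), True
    # Simulated query: all raw activity for the selected host, capped at top_results.
    rows = [r for r in PROXY_TABLE if r["host"] == host][:top_results]
    with open(path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=FIELDS)
        w.writeheader()
        w.writerows(rows)
    return rows, False


def save_threat_comment(data_dir, record_id, title, description):
    """Append one line to threats.csv (the Storyboard index) and return its rows."""
    path = os.path.join(data_dir, "threats.csv")
    new_file = not os.path.exists(path)
    with open(path, "a", newline="") as f:
        w = csv.writer(f)
        if new_file:
            w.writerow(["id", "title", "description"])  # assumed header layout
        w.writerow([record_id, title, description])
    with open(path, newline="") as f:
        return list(csv.DictReader(f))


def run_demo():
    """Two searches on the same record (second one cached), then one saved comment."""
    data_dir = tempfile.mkdtemp()
    first, cached1 = expanded_search("1", "bad.example", data_dir)
    second, cached2 = expanded_search("1", "bad.example", data_dir)
    index = save_threat_comment(data_dir, "1", "Suspicious proxy host", "Repeated requests to bad.example")
    return {"first": first, "cached1": cached1, "second": second, "cached2": cached2, "index": index}


if __name__ == "__main__":
    print(run_demo())
```

Note that top_results caps what is written to es-{id}.csv, so a later search reuses the capped result rather than re-querying with a larger limit.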

### Input files

- proxy_scores.tsv

### Output files

- threats.csv
- es-{id}.csv
- incident-progression-{id}.json
- timeline-{id}.tsv

### HDFS tables consumed

- proxy