Suspicious Connects

daortizh edited this page Nov 28, 2016 · 6 revisions

Purpose and Audience

This section contains a walk-through of the Suspicious Connects Web Page. The intended audience is Security Analysts responsible for reviewing the results for potential threats.

Access the analyst view for Suspicious Connects at http://"server-ip":8889/files/ui/flow/suspicious.html and select the date that you want to review (defaults to the current date). Your view should look similar to the one below:

The Suspicious Connects Web Page contains four frames, each with its own function and information:

  • Suspicious
  • Network View
  • Notebook
  • Details

The Suspicious frame

Located in the top left corner of the Suspicious Connects Web Page, this frame presents the Top 250 Suspicious Connections in a table based on the Machine Learning (ML) output. The table has the following columns:

  • Rank - ML output rank
  • Time - Time received field of the Netflow record
  • Source IP - Netflow record Source IP Address
  • Destination IP - Netflow record Destination IP Address
  • Source Port - Netflow record TCP/UDP Source Port Number
  • Destination Port - Netflow record TCP/UDP Destination Port Number
  • Protocol - Protocol contained in the Netflow record, in text form (e.g. TCP, UDP)
  • Input Packets - Reported Input Packets for the Netflow record
  • Input Bytes - Reported Input Bytes for the Netflow record

Additional functionality in Suspicious frame

  1. Selecting a row within the Suspicious frame highlights the corresponding connection in the Network View.

  2. The same row selection also makes the Details frame present all the Netflow records between the Source and Destination IP Addresses that occurred in the same minute as the selected Suspicious record.

  3. A shield icon may appear next to a Source or Destination IP Address. It denotes reputation-service context added by the Operational Analytics component; hover over it to see the IP Address reputation result.

  4. A globe icon may also appear next to the IP addresses in the Suspicious frame. It denotes geolocation context added by the Operational Analytics component; hover over it to see the additional information.
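The Details frame lookup described in step 2 (every flow between the selected pair of addresses, in either direction, within the same minute) can be reproduced in a few lines. This is an added example, not code from the project; the flow records are constructed for the example and their field order mirrors the columns of the Suspicious frame table.

```python
from datetime import datetime

# Constructed sample Netflow records (not project data). Field order:
# (time, source IP, destination IP, source port, destination port, protocol,
#  input packets, input bytes), matching the Suspicious frame columns.
NETFLOW = [
    ("2016-11-28 10:15:03", "10.0.0.5", "203.0.113.9", 51234, 443, "TCP", 12, 1800),
    ("2016-11-28 10:15:41", "203.0.113.9", "10.0.0.5", 443, 51234, "TCP", 9, 5200),
    ("2016-11-28 10:15:59", "10.0.0.5", "203.0.113.9", 51235, 80, "TCP", 3, 240),
    ("2016-11-28 10:16:00", "10.0.0.5", "203.0.113.9", 51236, 80, "TCP", 3, 240),
    ("2016-11-28 10:15:10", "10.0.0.7", "203.0.113.9", 40000, 443, "TCP", 4, 600),
]


def minute_key(timestamp):
    """Truncate a 'YYYY-MM-DD HH:MM:SS' timestamp to the minute."""
    return datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S").replace(second=0)


def related_flows(selected, flows=NETFLOW):
    """Return every flow between the selected record's source and destination
    IP addresses, in either direction, whose time falls in the same minute
    as the selected record. This is what the Details frame shows on row
    selection."""
    selected_time, src, dst = selected[0], selected[1], selected[2]
    minute = minute_key(selected_time)
    matches = []
    for flow in flows:
        same_pair = (flow[1] == src and flow[2] == dst) or (flow[1] == dst and flow[2] == src)
        if same_pair and minute_key(flow[0]) == minute:
            matches.append(flow)
    return matches


if __name__ == "__main__":
    for flow in related_flows(NETFLOW[0]):
        print(flow)
```

Selecting the first record returns the three 10:15 flows between 10.0.0.5 and 203.0.113.9 (including the reply flow), while the 10:16:00 flow and the flow from 10.0.0.7 are left out.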

The Network View frame

Located at the top right corner of the Suspicious Connects Web Page, this frame is a graphical representation of the relationships between the Suspicious records. If context has been added, internal IP Addresses are drawn as diamonds and external IP Addresses as circles.

Additional functionality in Network View frame

  1. Moving the mouse over a node shows a dialog with the IP address information of that node.

  2. A primary mouse click on a node brings a chord diagram into the Details frame. The chord diagram is a graphical representation of the connections between the selected node and the other nodes within the Suspicious Connects records, showing the number of Bytes From and To each. Move the mouse over an IP to get additional information, and drag the chord graph to change its orientation.

  3. A secondary mouse click uses the node's IP address to apply an IP filter to the Suspicious Web Page.

The Notebook frame

This frame contains an initialized Jupyter Notebook. Its main function is to allow the Analyst to score IP Addresses and Ports with different values. To assign a risk to a specific connection, select it using a combination of the combo boxes, choose the risk rating (1 = High risk, 2 = Medium/Potential risk, 3 = Low/Accepted risk) and click the Score button. Each additional value selected narrows down the matches, so if the Analyst wishes to score all connections sharing one attribute (e.g. source port 80), select only the relevant combo boxes and leave the rest at their first (top) row.

The Score button

When the Analyst clicks the Score button, all connections exactly matching the selected values are found and their score is updated to the rating selected in the radio button list.

The Save button

Analysts must use the Save button to store the scored connections. After you click it, the other frames on the page are refreshed and the connections you already scored disappear from the Suspicious Connects page, including from the lists in the notebook. Saving also reorders the flow_scores.csv file, moving all scored connections to the end of the file and sorting the remaining rows by severity value. A shell script then copies the file with the scored connections to the ML node at a specific path. The following values are read from the .conf file:

  • LPATH
  • MLNODE
  • LUSER

For this process to work, an ssh key must be created to enable secure communication between the two nodes, in this case the ML node and the node where the UI runs. To learn how to create and copy the ssh key, refer to the "Configure User Accounts" section.

The Quick IP Scoring box

This box allows the Analyst to enter an IP Address and score it using the "Score" and "Save" buttons, following the same process described above.
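The Score, Save and Quick IP Scoring steps above can be followed end to end on a small constructed flow_scores.csv. This is an added example, not the project's notebook code: the column names (in particular `sev` holding the analyst score, with 0 meaning not yet scored), the KEY=VALUE layout of the .conf fragment, the rank tie-breaker when sorting unscored rows, and the reading of the Quick IP Scoring box as "IP appears as source or destination" are all assumptions made for the example. The copy command is built but not executed.

```python
import csv
import io
import shlex

# Constructed flow_scores.csv sample (not project data). Column layout is an
# assumption: sev = analyst score (0 = unscored), rank = ML output rank.
SAMPLE_CSV = """sev,tstart,srcIP,dstIP,sport,dport,proto,ipkt,ibyt,rank
0,2016-11-28 10:15:03,10.0.0.5,203.0.113.9,51234,443,TCP,12,1800,1
0,2016-11-28 10:15:41,10.0.0.7,203.0.113.9,40000,443,TCP,4,600,2
0,2016-11-28 10:16:20,10.0.0.5,198.51.100.2,51300,80,TCP,3,240,3
0,2016-11-28 10:17:02,10.0.0.9,203.0.113.9,51400,80,TCP,8,900,4
"""

# Constructed .conf fragment; the KEY='value' line format is an assumption.
SAMPLE_CONF = """LUSER='spotuser'
MLNODE='ml-node.example.internal'
LPATH='/home/spotuser/ml/flow/'
"""

VALID_RATINGS = (1, 2, 3)  # 1 = High, 2 = Medium/Potential, 3 = Low/Accepted


def load_rows(text):
    """Read the CSV text into a list of dicts (all values stay strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def score(rows, rating, srcIP=None, dstIP=None, sport=None, dport=None):
    """Score button: every row matching ALL selected values gets the rating.
    A None argument is a combo box left at its first row (no constraint).
    Returns the number of rows updated."""
    if rating not in VALID_RATINGS:
        raise ValueError("rating must be 1 (high), 2 (medium) or 3 (low)")
    chosen = {"srcIP": srcIP, "dstIP": dstIP, "sport": sport, "dport": dport}
    selected = {col: str(val) for col, val in chosen.items() if val is not None}
    if not selected:
        raise ValueError("select at least one attribute before scoring")
    updated = 0
    for row in rows:
        if all(row[col] == val for col, val in selected.items()):
            row["sev"] = str(rating)
            updated += 1
    return updated


def quick_ip_score(rows, ip, rating):
    """Quick IP Scoring box: score every row where the IP is the source or the
    destination (assumed semantics). Returns the number of rows updated."""
    if rating not in VALID_RATINGS:
        raise ValueError("rating must be 1 (high), 2 (medium) or 3 (low)")
    updated = 0
    for row in rows:
        if ip in (row["srcIP"], row["dstIP"]):
            row["sev"] = str(rating)
            updated += 1
    return updated


def save(rows):
    """Save button reordering: scored connections move to the end of the file;
    the unscored rows are sorted by severity value (rank breaks ties, an
    assumption). Returns (new CSV text, list of scored rows)."""
    unscored = [r for r in rows if r["sev"] == "0"]
    scored = [r for r in rows if r["sev"] != "0"]
    unscored.sort(key=lambda r: (int(r["sev"]), int(r["rank"])))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(unscored + scored)
    return out.getvalue(), scored


def parse_conf(text):
    """Parse KEY='value' lines (assumed .conf format) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = shlex.split(value)[0] if value.strip() else ""
    return conf


def copy_command(conf, local_file="flow_scores.csv"):
    """Build the scp argv that the save step's shell script would run to copy
    the scored file to LPATH on MLNODE as LUSER. Relies on key-based ssh
    authentication already being set up between the UI node and the ML node;
    the command is returned, not executed."""
    for key in ("LPATH", "MLNODE", "LUSER"):
        if not conf.get(key):
            raise KeyError("missing %s in .conf" % key)
    return ["scp", local_file, "%s@%s:%s" % (conf["LUSER"], conf["MLNODE"], conf["LPATH"])]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("scored:", score(rows, 1, dstIP="203.0.113.9", dport=443))
    text, scored = save(rows)
    print(text)
    print(copy_command(parse_conf(SAMPLE_CONF)))
```

Scoring with destination 203.0.113.9 and port 443 selected touches the two rows that match both values and leaves the port-80 row to the same address alone; after saving, those two rows sit at the end of the file behind the unscored rows, which is why they no longer appear in the page or in the notebook lists.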

Suspicious Connects Web Page Input files

  • flow_scores.csv
  • flow_scores_bu.csv