/
monitor_web_traffic_for_brand_abuse.yml
41 lines (41 loc) · 1.32 KB
/
monitor_web_traffic_for_brand_abuse.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
name: Monitor Web Traffic For Brand Abuse
id: 134da869-e264-4a8f-8d7e-fcd0ec88f301
version: 1
date: '2017-09-23'
author: David Dorsey, Splunk
status: experimental
type: TTP
description: This search looks for Web requests to faux domains similar to the one
that you want to have monitored for abuse.
data_source: []
search: '| tstats `security_content_summariesonly` values(Web.url) as urls min(_time)
as firstTime from datamodel=Web by Web.src | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
| `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`'
how_to_implement: You need to ingest data from your web traffic. This can be accomplished
by indexing data from a web proxy, or using a network traffic analysis tool, such
as Bro or Splunk Stream. You also need to have run the search "ESCU - DNSTwist Domain
Names", which creates the permutations of the domain that will be checked for.
known_false_positives: None at this time
references: []
tags:
analytic_story:
- Brand Monitoring
asset_type: Endpoint
confidence: 50
impact: 50
message: tbd
observable:
- name: src
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Web.url
- Web.src
risk_score: 25
security_domain: network