zscaler_cryptominer_downloaded_threat_blocked.yml
name: Zscaler CryptoMiner Downloaded Threat Blocked
id: ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365
version: 1
date: '2023-10-30'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
data_source: []
description: This analytic detects an attempted download of cryptomining software within the network that Zscaler has blocked. Using Splunk search functionality, it sifts through web proxy logs for blocked actions whose threat name indicates a cryptominer. Key data points such as the device owner, user, URL category, destination URL and IP, and action taken are grouped to highlight possible cryptominer downloads. This detection, categorized as an anomaly, aids in early identification and mitigation of cryptomining activity, helping to preserve network integrity and resource availability.
search: '`zscaler_proxy` action=blocked threatname=*miner*
  | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `zscaler_cryptominer_downloaded_threat_blocked_filter`'
how_to_implement: You must install the latest version of the Zscaler Add-on from Splunkbase and be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype, leveraging the Zscaler proxy data, which enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters so that the detection is tailored to their specific environment.
known_false_positives: False positives are limited to Zscaler configuration.
references:
- https://help.zscaler.com/zia/nss-feed-output-format-web-logs
tags:
  analytic_story:
  - Zscaler Browser Proxy Threats
  asset_type: Web Server
  confidence: 80
  impact: 40
  message: Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for user-[$user$].
  mitre_attack_id:
  - T1566
  observable:
  - name: src
    type: IP Address
    role:
    - Victim
  - name: user
    type: User
    role:
    - Victim
  - name: url
    type: URL String
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  risk_score: 32
  required_fields:
  - action
  - threatname
  - deviceowner
  - user
  - urlcategory
  - url
  - dest
  - dest_ip
  - action
  security_domain: threat
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json
    source: zscaler
    sourcetype: zscalernss-web
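The search above, re-expressed in Python over a handful of constructed Zscaler web-proxy events so the filter and the `stats ... by` grouping can be checked offline. This is an added example, not part of the detection file or the Splunk security_content project; the sample events, the `ctime` helper standing in for the `security_content_ctime` macro, and the UTC rendering are assumptions.

```python
import time
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events shaped like normalised Zscaler NSS web-log fields (not real data).
SAMPLE_EVENTS = [
    {"_time": 1698660000, "action": "blocked", "threatname": "Win32.Trojan.CoinMiner",
     "deviceowner": "alice", "user": "alice@corp.example", "urlcategory": "Malicious Content",
     "url": "http://miner.example/xmr.exe", "src": "10.0.0.5", "dest": "203.0.113.7"},
    {"_time": 1698660600, "action": "blocked", "threatname": "Win32.Trojan.CoinMiner",
     "deviceowner": "alice", "user": "alice@corp.example", "urlcategory": "Malicious Content",
     "url": "http://miner.example/xmr.exe", "src": "10.0.0.5", "dest": "203.0.113.7"},
    # Same threat but allowed: action=blocked does not match, so it is excluded.
    {"_time": 1698660900, "action": "allowed", "threatname": "Win32.Trojan.CoinMiner",
     "deviceowner": "bob", "user": "bob@corp.example", "urlcategory": "Malicious Content",
     "url": "http://miner.example/xmr.exe", "src": "10.0.0.9", "dest": "203.0.113.7"},
    # Blocked, but the threat name does not contain "miner".
    {"_time": 1698661200, "action": "blocked", "threatname": "Win32.Adware.Generic",
     "deviceowner": "carol", "user": "carol@corp.example", "urlcategory": "Adware",
     "url": "http://ads.example/x.exe", "src": "10.0.0.12", "dest": "198.51.100.3"},
]

# Fields in the search's "stats ... by" clause, in order.
GROUP_BY = ("action", "deviceowner", "user", "urlcategory", "url", "src", "dest")

def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds -> readable timestamp (UTC assumed)."""
    return time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(epoch))

def matches(event):
    """Equivalent of `action=blocked threatname=*miner*` (Splunk compares values case-insensitively)."""
    return (event.get("action", "").lower() == "blocked"
            and fnmatchcase(event.get("threatname", "").lower(), "*miner*"))

def run_detection(events):
    """Apply the filter, then count/min/max _time per group like the stats command."""
    groups = defaultdict(list)
    for ev in events:
        key = tuple(ev.get(f) for f in GROUP_BY)
        # stats drops events missing any by-field, so do the same here.
        if matches(ev) and None not in key:
            groups[key].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=ctime(min(times)), lastTime=ctime(max(times)))
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```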