When it comes to the Elastic Stack, it has great functionality for specific detection triggered by well-tuned rules, but security analysts struggle when it comes to generic checks. For example, if I have a phishing-related public IP that hosts malware and I want to see the list of source.ip and user.name values that started a communication towards this IP, in neither the timeline nor the Discovery panel can I see the unique number of source.ip values, since I would have to scroll down pages and might miss something. Even the unique values in the left panel of the Discovery page won't be enough.
My question is: is there a way to do this apart from creating an aggregation (more queries and time-consuming)? Will there be such a feature in future releases? Why isn't it present in the SIEM app up till now?
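An added example, not from the thread or from Elastic: the "aggregation" route the question mentions, written out so the result can be checked offline. It builds the Elasticsearch `terms` aggregation that answers "which source.ip / user.name pairs talked to this destination IP", flattens the response shape that query returns, and recomputes the same table over a constructed ECS-style event list. The suspect IP, events and sample response are constructed placeholders; field names follow ECS.

```python
"""Unique source.ip / user.name pairs that communicated with a suspect destination IP.

Added example for the question above; not code from Elastic or the SIEM app.
All data below is constructed for illustration.
"""
from collections import defaultdict
from typing import Dict

SUSPECT_IP = "203.0.113.45"          # constructed (TEST-NET-3), stands in for the phishing host
NO_USER = "(no user)"                # bucket label for events without user.name

# Constructed ECS-style events; not real traffic.
EVENTS = [
    {"source": {"ip": "10.0.0.5"}, "user": {"name": "alice"}, "destination": {"ip": SUSPECT_IP}},
    {"source": {"ip": "10.0.0.5"}, "user": {"name": "alice"}, "destination": {"ip": SUSPECT_IP}},
    {"source": {"ip": "10.0.0.7"}, "user": {"name": "bob"},   "destination": {"ip": SUSPECT_IP}},
    {"source": {"ip": "10.0.0.7"},                            "destination": {"ip": SUSPECT_IP}},
    {"source": {"ip": "10.0.0.9"}, "user": {"name": "carol"}, "destination": {"ip": "198.51.100.8"}},
    {"source": {"ip": "10.0.0.5"}, "user": {"name": "alice"}, "destination": {"ip": "198.51.100.8"}},
]


def build_unique_sources_query(dest_ip: str, size: int = 1000) -> dict:
    """Query body for POST <index>/_search: one terms aggregation on source.ip,
    with a nested terms aggregation on user.name, restricted to the suspect IP.
    size=0 returns buckets only, so no paging through hits is needed."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {"destination.ip": dest_ip}}]}},
        "aggs": {
            "by_source": {
                "terms": {"field": "source.ip", "size": size},
                "aggs": {
                    "by_user": {"terms": {"field": "user.name", "size": size, "missing": NO_USER}}
                },
            }
        },
    }


def flatten_agg_response(response: dict) -> Dict[str, Dict[str, int]]:
    """Turn the nested bucket response into {source.ip: {user.name: doc_count}}."""
    table: Dict[str, Dict[str, int]] = {}
    for src in response["aggregations"]["by_source"]["buckets"]:
        table[src["key"]] = {u["key"]: u["doc_count"] for u in src["by_user"]["buckets"]}
    return table


def unique_sources_local(events, dest_ip: str) -> Dict[str, Dict[str, int]]:
    """Same computation over an in-memory event list, for checking the query offline."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("destination", {}).get("ip") != dest_ip:
            continue
        src = ev.get("source", {}).get("ip")
        if src is None:
            continue
        counts[src][ev.get("user", {}).get("name", NO_USER)] += 1
    return {s: dict(u) for s, u in counts.items()}


# Constructed response in the shape Elasticsearch returns for the query above.
SAMPLE_RESPONSE = {
    "aggregations": {
        "by_source": {
            "buckets": [
                {"key": "10.0.0.5", "doc_count": 2,
                 "by_user": {"buckets": [{"key": "alice", "doc_count": 2}]}},
                {"key": "10.0.0.7", "doc_count": 2,
                 "by_user": {"buckets": [{"key": NO_USER, "doc_count": 1},
                                         {"key": "bob", "doc_count": 1}]}},
            ]
        }
    }
}


if __name__ == "__main__":
    table = flatten_agg_response(SAMPLE_RESPONSE)
    for src_ip, users in table.items():
        for user, n in users.items():
            print(f"{src_ip:<12} {user:<12} {n}")
    assert table == unique_sources_local(EVENTS, SUSPECT_IP)
```

In practice you would add a `range` filter on `@timestamp` to the `bool.filter` list so the aggregation covers the same window as the timeline, and raise `size` if you expect more than 1000 distinct sources; buckets beyond `size` are silently dropped.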
Hi @hilo21, thanks for your post and for your interest in the SIEM app!
We've actually got a whole slew of threat hunting enhancements arriving in 7.8, and one in particular should address your use case: Show top fields.
The author does a great job detailing those features in the above link, so I definitely recommend checking that out! However, specific to your example of viewing unique source.ips communicating with a malware host, within the SIEM app you'll be able to:
- Build a timeline with source.ip (either in a row renderer or the column header)
- Click "Show top source.ip" from the context menu
Which will then generate a histogram of the top source.ip values within that timeline, like so:
We hope this feature will help you and others to be even more effective in your threat hunting. Please do keep the feature requests coming, both here and on GitHub!
(Edit: fixed "threat hunting enhancements" link above)
Thanks @RylandHerrick for the great reply!!
Looks like this link isn't working:
Hey @ebeahan , good catch! I've updated my reply with the fix. Thanks!
@RylandHerrick Thank you very much