When it comes to the Elastic Stack, it has great functionality for specific detections triggered by well-tuned rules, but security analysts struggle when it comes to generic checks, like: if I have a phishing-related public IP that hosts malware and I want to see the list of source.ip and user.name that started a communication towards this IP, I can see the unique number of source.ip in neither the timeline nor the Discovery panel, since I would have to scroll down pages and might miss something. Even the unique values in the left panel of the Discovery page won't be enough.
My question is, is there a way to do this apart from creating aggregations (more queries and time consuming)? Will there be such a feature in future releases? Why isn't it present in the SIEM app up till now?
Hi @hilo21, thanks for your post and for your interest in the SIEM app!
We've actually got a whole slew of threat hunting enhancements arriving in 7.8, and one in particular should address your use case: Show top fields.
The author does a great job detailing those features in the above link, so I definitely recommend checking that out! However, specific to your example of viewing unique source.ips communicating with a malware host, within the SIEM app you'll be able to:
1. Build a timeline with destination.ip: <malware_host>
2. Hover source.ip (either in a row renderer or the column header)
3. Click "Show top source.ip" from the context menu
Which will then generate a histogram of the top source.ip values within that timeline, like so:
We hope this feature will help you and others to be even more effective in your threat hunting. Please do keep the feature requests coming, both here and on GitHub!
(Edit: fixed "threat hunting enhancements" link above)
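For readers on a release without "Show top fields", the aggregation route the question mentions is the query-level equivalent: filter on destination.ip, then a terms aggregation on source.ip with a nested terms aggregation on user.name. The block below is an added example, not code from the thread or from Elastic; it builds that Elasticsearch query DSL body, flattens the bucket response into a per-source list, and does the same grouping locally over constructed ECS-style events so the expected result can be checked offline. The malware host IP, the sample events and the sample response are constructed for the example; field names follow ECS.

```python
"""Added example (not from the Elastic discussion thread): the aggregation
route to "which source.ip / user.name talked to <malware_host>".
Field names follow ECS (source.ip, user.name, destination.ip); the host IP,
the sample events and the sample response are constructed for this example."""
from collections import Counter, defaultdict
import json

MALWARE_HOST = "203.0.113.7"  # constructed example IP (TEST-NET-3), not a real indicator


def build_top_sources_query(malware_ip, top_n=50, users_per_source=10):
    """Elasticsearch query DSL: filter on destination.ip, then a terms
    aggregation on source.ip with a nested terms aggregation on user.name.
    size=0 suppresses the hits so only the aggregation buckets come back."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {"destination.ip": malware_ip}}]}},
        "aggs": {
            "top_sources": {
                "terms": {"field": "source.ip", "size": top_n},
                "aggs": {"users": {"terms": {"field": "user.name", "size": users_per_source}}},
            }
        },
    }


def summarize_buckets(response):
    """Flatten the aggregation response into (source.ip, doc_count, [user.name, ...])."""
    out = []
    for b in response["aggregations"]["top_sources"]["buckets"]:
        users = [u["key"] for u in b.get("users", {}).get("buckets", [])]
        out.append((b["key"], b["doc_count"], users))
    return out


def aggregate_locally(events, malware_ip):
    """Same grouping over in-memory events (e.g. a small exported result set),
    ordered by event count; useful to sanity-check what the query should return."""
    counts = Counter()
    users = defaultdict(set)
    for ev in events:
        if ev.get("destination", {}).get("ip") != malware_ip:
            continue  # traffic to other hosts is out of scope
        src = ev["source"]["ip"]
        counts[src] += 1
        if "name" in ev.get("user", {}):
            users[src].add(ev["user"]["name"])
    return [(src, n, sorted(users[src])) for src, n in counts.most_common()]


# Constructed sample events in ECS layout
SAMPLE_EVENTS = [
    {"source": {"ip": "10.1.2.3"}, "destination": {"ip": MALWARE_HOST}, "user": {"name": "alice"}},
    {"source": {"ip": "10.1.2.3"}, "destination": {"ip": MALWARE_HOST}, "user": {"name": "alice"}},
    {"source": {"ip": "10.1.2.3"}, "destination": {"ip": MALWARE_HOST}, "user": {"name": "svc-backup"}},
    {"source": {"ip": "10.1.9.9"}, "destination": {"ip": MALWARE_HOST}, "user": {"name": "bob"}},
    {"source": {"ip": "10.1.9.9"}, "destination": {"ip": "198.51.100.20"}, "user": {"name": "bob"}},  # other host
    {"source": {"ip": "10.1.5.5"}, "destination": {"ip": MALWARE_HOST}},  # event without user.name
]

# Constructed response in the shape Elasticsearch returns for the query above
SAMPLE_RESPONSE = {
    "aggregations": {"top_sources": {"buckets": [
        {"key": "10.1.2.3", "doc_count": 3,
         "users": {"buckets": [{"key": "alice", "doc_count": 2}, {"key": "svc-backup", "doc_count": 1}]}},
        {"key": "10.1.9.9", "doc_count": 1, "users": {"buckets": [{"key": "bob", "doc_count": 1}]}},
        {"key": "10.1.5.5", "doc_count": 1, "users": {"buckets": []}},
    ]}}
}

if __name__ == "__main__":
    print(json.dumps(build_top_sources_query(MALWARE_HOST), indent=2))
    for src, n, names in summarize_buckets(SAMPLE_RESPONSE):
        print(f"{src:15} {n:3d} {', '.join(names) or '-'}")
```

The query body can be sent as-is to `_search` on the relevant index pattern; the local function exists so the bucket layout and the "no user.name" case can be reasoned about without a cluster.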