How to combine alerts in one?

For example, I have an infected PC in my network, and it sends many requests to a C2 malware domain. So, I set up a detection rule for this C2 domain and now I have got 100500 alerts from only 1 IP of the infected PC. How to combine all these alerts into one (by client IP address)?

Is this something addressing your question? shorturl.at/tySTZ
Not an out-of-the-box solution though.
It is consolidating alerts, discovering patterns and grouping related alerts into cases.
For your question: it extracts the IP, groups the 100500 alerts into one case and writes it to the ELK case page.

Check your link, it's broken.

Here it is: Demo Video - AI-Based Analysis and Response

I'm looking for built-in functionality of ELK Stack.

What version are you on?

7.11.0

Hey @VellayLoket ,

Unfortunately we don't support grouping at the moment within the detections table.

Are you able to share your detection rule? We might be able to help streamline it, or perhaps provide a better strategy based on functionality that exists today.

The detection rule is simple:
eventlog.category.keyword : "AM TROJAN Trojan.Johnnie.D17E73 login attempt via json-file"
Rule type - Custom query.

Thanks - would detecting when a threshold (say, more than 10 times) is met for this be a better/cleaner way than alerting for every single instance? Would it serve your use case?

It depends on the malware type.
If the malware asks its C2 once a day, it would be better to use a Custom Query to alert on every query.
If the malware asks its C2 every 5 times, it would be better to use your variant (more than 10 times), but anyway we are going to get many alerts even if we use the threshold variant (not 100500 alerts but 500 alerts with the same IP address).

Yeah, I agree.

What frequency does the rule run at? How long did it take to get to 100500 alerts?

It makes sense to me that you'd want to reduce the number of alerts, but thresholding is often either too quiet or too noisy. I think the only way to solve this is with another layer of logic. What I've found, working at Microsoft SOC and with a number of others, is that we can lookback to reduce/group alerts and also correlate them to other events that indicate other activities that provide more context to the C2. For instance, we've been able to correlate C2 events to malware detection events (and sometimes even abnormal login events before those). We've also seen these events correlate to other beaconing events and data exfiltration. Based on this, we've been able to mitigate earlier in the attack chain.

Right now the rule creates an alert on every malware request; we have several PCs with this indicator, so we get 2-3 alerts every minute. But, as I said before, if we use correlation with a threshold (>100 events or >1000) then we are going to be blind to malware which sends requests once a day. It would be very useful if ELK could combine events with the same client.ip address and the same event category.
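The extra grouping layer the last two posts describe (one case per client.ip and event category, rather than a threshold that goes quiet on a once-a-day beacon), as an added Python example that is not part of this thread and not Elastic functionality; the alert documents, IP addresses and timestamps are constructed, and the only assumed field names are the `client.ip` and `eventlog.category` fields mentioned above.

```python
from collections import Counter
from datetime import datetime, timedelta

CATEGORY = "AM TROJAN Trojan.Johnnie.D17E73 login attempt via json-file"
EPOCH = datetime(1970, 1, 1)

# Constructed sample alerts (not real data): 10.0.0.5 beacons every 2 minutes,
# 10.0.0.9 contacts its C2 only once a day.
SAMPLE_ALERTS = (
    [{"@timestamp": f"2021-03-01T10:{m:02d}:00Z", "client.ip": "10.0.0.5",
      "eventlog.category": CATEGORY} for m in range(0, 30, 2)]
    + [{"@timestamp": f"2021-03-0{d}T03:00:00Z", "client.ip": "10.0.0.9",
        "eventlog.category": CATEGORY} for d in (1, 2, 3)]
)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def threshold_firings(alerts, window_seconds, min_count):
    """Mimic a threshold rule: count hits per (client.ip, category) in fixed
    windows and return how many windows reached min_count for each key.
    A host that beacons once a day never reaches the threshold."""
    per_bucket = Counter()
    for a in alerts:
        secs = (parse_ts(a["@timestamp"]) - EPOCH).total_seconds()
        per_bucket[(a["client.ip"], a["eventlog.category"], secs // window_seconds)] += 1
    firings = Counter()
    for (ip, cat, _), n in per_bucket.items():
        if n >= min_count:
            firings[(ip, cat)] += 1
    return firings


def consolidate(alerts, lookback_seconds):
    """Group alerts into one case per (client.ip, category): an alert joins the
    open case for its key if it falls within the lookback of that case's first
    alert, otherwise a new case is opened. Every hit, even a single one, lands
    in a case, so the slow beacon stays visible while the noisy one collapses."""
    cases, open_case = [], {}
    for a in sorted(alerts, key=lambda x: x["@timestamp"]):
        key, ts = (a["client.ip"], a["eventlog.category"]), parse_ts(a["@timestamp"])
        case = open_case.get(key)
        if case is None or ts - case["first_seen"] > timedelta(seconds=lookback_seconds):
            case = {"client.ip": key[0], "category": key[1],
                    "first_seen": ts, "last_seen": ts, "count": 0}
            cases.append(case)
            open_case[key] = case
        case["last_seen"] = ts
        case["count"] += 1
    return cases
```

With a 1-hour window and a threshold of 10 only 10.0.0.5 ever fires, while a 7-day lookback yields exactly two cases, one per infected host.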

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.