Hello,
I have an issue with the packetbeat rare dns question ml job, which generates quite a few anomalies due to the fact that our hosts are frequently contacting *.avqs.mcafee.com URLs, which have a random part. For example:
8m6-0.13-0.800.17d4.25eb.27e3.0.0.166z6e233qvcvbebe5f2wi76.avqs.mcafee.com
These anomalies are picked up by SIEM, and as a SIEM ML detection has no way to filter stuff, I will need to tune or filter the ml job itself.
The query used in the ml job is:
{
  "bool": {
    "filter": [
      {"term": {"event.dataset": "dns"}},
      {"term": {"agent.type": "packetbeat"}}
    ],
    "must_not": [
      {"bool": {"filter": {"term": {"dns.question.type": "PTR"}}}}
    ]
  }
}
So I'd like to discuss what would be the best long-term and flexible solution, so I can exclude certain domains when needed, without having to rebuild the ml job.
Some possible solutions:
- I could filter out *.avqs.mcafee.com in dns.question.name in the ml datafeed query.
- Even better (so I don't have to use an expensive leading wildcard query), I could filter out mcafee.com in dns.question.registered_domain.
But both above options would require me to stop the datafeed, job and then update the datafeed query, which is not really user-friendly.
Ideally I'd love to use a whitelist filter list like this:
But dns.question.registered_domain is not an option to scope. Feedback to enable me to dynamically filter on dns.question.registered_domain is welcome.
Or is my only option to update the datafeed query in the ml job?
Grtz
Willem
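As an added example (not code from the post above or from Elastic), the following Python checks the datafeed-query option described in the post offline: it takes the base query quoted in the post, appends a must_not clause on dns.question.registered_domain, and runs the resulting filter over constructed sample events with a small evaluator for the Query DSL subset involved. The excluded-domain list, the sample events, the datafeed id placeholder and the helper names (build_query, matches, fed_names, update_request) are assumptions made here; dns.question.registered_domain is assumed to be an exact-match keyword field as in ECS.

```python
"""Offline check of the datafeed-query tuning option: add a must_not clause on
dns.question.registered_domain to the Packetbeat DNS datafeed query and run the
result against constructed sample events.

Added example, not from the forum post or from Elastic. The base query is the
one quoted in the post; everything else (excluded domains, sample events,
helper names, datafeed id placeholder) is constructed for illustration.
"""
import copy
import json

# Base datafeed query as quoted in the post.
BASE_QUERY = {
    "bool": {
        "filter": [
            {"term": {"event.dataset": "dns"}},
            {"term": {"agent.type": "packetbeat"}},
        ],
        "must_not": [
            {"bool": {"filter": {"term": {"dns.question.type": "PTR"}}}},
        ],
    }
}


def build_query(base, excluded_registered_domains):
    """Copy `base` and append one must_not `terms` clause on
    dns.question.registered_domain. A `terms` clause is an exact keyword match,
    so it avoids the leading-wildcard query that matching *.avqs.mcafee.com on
    dns.question.name would require."""
    query = copy.deepcopy(base)
    if excluded_registered_domains:
        query["bool"].setdefault("must_not", []).append(
            {"terms": {"dns.question.registered_domain": sorted(excluded_registered_domains)}}
        )
    return query


def matches(clause, doc):
    """Minimal evaluator for the Query DSL subset used here: `term`, `terms`
    and `bool` with `filter` / `must_not` (each a list or a single clause).
    Documents are flat dicts keyed by dotted field name. This is a stand-in for
    Elasticsearch's own evaluation, written only to check the query logic
    offline (assumption: it mirrors the semantics of those three clauses)."""
    if "term" in clause:
        (field, value), = clause["term"].items()
        return doc.get(field) == value
    if "terms" in clause:
        (field, values), = clause["terms"].items()
        return doc.get(field) in values
    if "bool" in clause:
        as_list = lambda c: c if isinstance(c, list) else [c]
        b = clause["bool"]
        required = all(matches(c, doc) for c in as_list(b.get("filter", [])))
        excluded = any(matches(c, doc) for c in as_list(b.get("must_not", [])))
        return required and not excluded
    raise ValueError(f"unsupported clause: {sorted(clause)}")


def fed_names(query, events):
    """Return dns.question.name for every event the datafeed would pass to
    the job under `query`."""
    return [e.get("dns.question.name") for e in events if matches(query, e)]


def update_request(datafeed_id, query):
    """Render the request line and body for the datafeed update API
    (POST _ml/datafeeds/<datafeed_id>/_update). As the post notes, the
    datafeed still has to be stopped first; this only prepares the body."""
    return f"POST _ml/datafeeds/{datafeed_id}/_update", json.dumps({"query": query}, indent=2)


# Constructed sample events (flat dicts with dotted keys), not real traffic.
SAMPLE_EVENTS = [
    {"event.dataset": "dns", "agent.type": "packetbeat", "dns.question.type": "A",
     "dns.question.name": "8m6-0.13-0.800.17d4.25eb.27e3.0.0.166z6e233qvcvbebe5f2wi76.avqs.mcafee.com",
     "dns.question.registered_domain": "mcafee.com"},
    {"event.dataset": "dns", "agent.type": "packetbeat", "dns.question.type": "A",
     "dns.question.name": "www.example.org",
     "dns.question.registered_domain": "example.org"},
    {"event.dataset": "dns", "agent.type": "packetbeat", "dns.question.type": "PTR",
     "dns.question.name": "1.2.0.192.in-addr.arpa",
     "dns.question.registered_domain": "in-addr.arpa"},
    {"event.dataset": "flow", "agent.type": "packetbeat"},
]

if __name__ == "__main__":
    tuned = build_query(BASE_QUERY, ["mcafee.com"])
    print("base query feeds :", fed_names(BASE_QUERY, SAMPLE_EVENTS))
    print("tuned query feeds:", fed_names(tuned, SAMPLE_EVENTS))
    # "datafeed-EXAMPLE_ID" is a placeholder, not the real datafeed id.
    request_line, body = update_request("datafeed-EXAMPLE_ID", tuned)
    print(request_line)
    print(body)
```

Running the block shows the base query still feeding the random *.avqs.mcafee.com name to the job, while the tuned query drops it and keeps the rest of the non-PTR DNS traffic; extending the excluded list later is a matter of re-running build_query with more registered domains and submitting the same update request.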