Use Case: Upload to rare external IP

alerting

(Daniel) #1

Hi there,

I was trying to setup a use case regarding uploading data of a specific size to a rare external IP. Right now my company has not yet implemented machine learning, so we cannot use the "rare" function yet. I was wondering if there is a way we can create a use case to detect uploading data to an IP that has not been observed in the last x amount of days.

I was thinking the steps would be something like:

Create a search that displays all external IP's being accessed in the last x amount of days and also list how much data is being uploaded. Then compare the IP being accessed to upload data against the list of IP's that have been observed, if the IP does not match, alert us stating the Source/Dest IP, hostname, user etc.

Is this possible to accomplish without applying the machine learning? I think the hardest part so far has been trying to list external IP's and exclude all the internal/external business IP's....

Any assistance would be greatly appreciated!


Injecting malicious IP list to compare against active connections and alert if found - Use case