forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
baseline_of_smb_traffic___mltk.yml
57 lines (57 loc) · 2.63 KB
/
baseline_of_smb_traffic___mltk.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Baseline of SMB Traffic - MLTK
id: df98763b-0b08-4281-8ef9-08db7ac572a9
version: 1
date: '2019-05-08'
author: Rico Valdez, Splunk
type: Baseline
datamodel:
- Network_Traffic
description: This search is used to build a Machine Learning Toolkit (MLTK) model
to characterize the number of SMB connections observed each hour for every day of
week. By default, the search uses the last 30 days of data to build the model. The
model created by this search is then used in the corresponding detection search
to identify outliers in the number of SMB connections for that hour and day of the
week.
search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic
where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb
by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval
DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name("All_Traffic")` | fit DensityFunction
count by "HourOfDay,DayOfWeek" into smb_pdfmodel'
how_to_implement: You must be ingesting network traffic and populating the Network_Traffic
data model. In addition, you must have the Machine Learning Toolkit (MLTK) version
>= 4.2 installed, along with any required dependencies. To improve your results,
you may consider adding "src" to the by clause, which will build the model for each
unique source in your enviornment. However, if you have a large number of hosts
in your environment, this search may be very resource intensive. In this case, you
may need to raise the value of max_inputs and/or max_groups in the MLTK settings
for the DensityFunction algorithm, then ensure that the search completes in a reasonable
timeframe. By default, the search builds the model using the past 30 days of data.
You can modify the search window to build the model over a longer period of time,
which may give you better results. You may also want to periodically re-run this
search to rebuild the model with the latest data. More information on the algorithm
used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.
known_false_positives: none
references: []
tags:
analytic_story:
- DHS Report TA18-074A
- Disabling Security Tools
- 'Emotet Malware DHS Report TA18-201A '
- Hidden Cobra Malware
- Netsh Abuse
- Ransomware
deployments:
- Daily Cache Updates
detections:
- Processes launching netsh
- SMB Traffic Spike - MLTK
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- All_Traffic.dest_port
- All_Traffic.app
- All_Traffic.src
security_domain: network