Event Explorer Lab: Advanced Tables and Watchlists
Use Case: The ability to include Watchlists in Charts or Tables is a powerful tool. Embedding
Watchlists enables analysts to update the contents of Charts and Tables without editing the View
Properties. This is especially useful when working with Advanced Charts and Tables.
Function: in_watchlist(field, 'watchlist name')
EXAMPLE
where [not] in_watchlist(address1, 'Problem IPs')
EXPLANATION
WHERE the IP address in the table column address1 is [not] in the “Problem IPs” Watchlist.
Exercise: This exercise will introduce you to the “in_watchlist” function.
1. Select one of your Event Traces (or create a new one), go to Trace Views and add an Advanced Table.
If creating a new Event Trace for this exercise, try creating a trace that is specific to the DeviceType you will be looking at in the Trace View
2. Name the new table “[DeviceType] [EventCategoryName] Address Pairs - Top 25”
The DeviceType and EventCategory are your choice. For this exercise, we will be using Tipping Point as the device type and Attacks as the EventCategoryName, but substitute whatever makes sense in your environment.
3. Add the following SQL into the editor:
select top 25
details2 as "Signature",
address1 as "Source Address",
address2 as "Destination Address",
count(*) as "Frequency"
from Stream
where devicetype in ('tippingpoint')
and eventcategoryname like 'Attacks%'
group by details2,
address1,
address2
order by count(*) desc
4. Click OK to close the SQL editor.
5. Click Finish and start the Trace.
The newly created Advanced Table will display the top Source/Destination Address Pairs by Signature along with the frequency.
Now you will create a Watchlist to use in filtering the Source Addresses.
6. Click Tools > Watchlist Manager
7. Click the New Watchlist button to open the New Watchlist Details window. (Your entries for IP addresses will vary.)
- Name: Problem IPs
- Description: List of Problem IP Addresses
- Entry 1: 66.30.194.215
- Entry 2: 224.245.254.245
8. Click OK to accept the new entries.
9. Click OK to close the Watchlist Manager.
Now that the Watchlist is created, you will modify the Advanced Table to use the Watchlist.
10. Right-Click the Advanced Table and select Properties.
11. Update the SQL Query to match the following:
select top 25
details2 as "Signature",
address1 as "SourceAddress",
address2 as "DestinationAddress",
count(*) as "Frequency"
from Stream
where devicetype in ('tippingpoint')
and eventcategoryname like 'Attacks%'
and in_watchlist(address1, 'Problem IPs') -- This is the new line.
group by details2,
address1,
address2
order by count(*) desc
Note how the Advanced Table has been updated to only include Source Addresses in the “Problem IPs” watchlist.
12. Now Right-Click the Advanced Table and select Properties.
13. Finally, update the SQL Query so the in_watchlist function is preceded by: “not”
where devicetype in ('tippingpoint')
and eventcategoryname like 'Attacks%'
and not in_watchlist(address1, 'Problem IPs')
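As an added example (not part of the lab and not RSA enVision code), the same query logic can be reproduced in SQLite, which has no in_watchlist function: a Python function registered under that name emulates it against a constructed watchlist, so the lab's WHERE clause runs as written, with "top 25" expressed as LIMIT. The Stream rows and the watchlist entries are constructed sample data.

```python
import sqlite3

# Constructed sample events using the Stream columns from the lab
# (devicetype, eventcategoryname, details2, address1, address2). Not real enVision data.
SAMPLE_EVENTS = [
    ("tippingpoint", "Attacks: HTTP", "SQL Injection", "66.30.194.215", "10.0.0.5"),
    ("tippingpoint", "Attacks: HTTP", "SQL Injection", "66.30.194.215", "10.0.0.5"),
    ("tippingpoint", "Attacks: HTTP", "SQL Injection", "192.0.2.10", "10.0.0.5"),
    ("tippingpoint", "Attacks: Scan", "Port Sweep", "224.245.254.245", "10.0.0.9"),
    ("tippingpoint", "Attacks: Scan", "Port Sweep", "198.51.100.7", "10.0.0.9"),
    ("tippingpoint", "Attacks: Scan", "Port Sweep", "198.51.100.7", "10.0.0.9"),
    ("tippingpoint", "Attacks: Scan", "Port Sweep", "198.51.100.7", "10.0.0.9"),
    ("ciscopix", "Attacks: Scan", "Port Sweep", "66.30.194.215", "10.0.0.9"),  # other devicetype
    ("tippingpoint", "Audit", "Login", "66.30.194.215", "10.0.0.1"),  # other category
]

# Constructed watchlist contents keyed by watchlist name (mirrors the lab's entries).
WATCHLISTS = {"Problem IPs": {"66.30.194.215", "224.245.254.245"}}


def in_watchlist(value, watchlist_name):
    """Emulation of enVision's in_watchlist(): 1 if value is in the named list, else 0."""
    return 1 if value in WATCHLISTS.get(watchlist_name, set()) else 0


def build_db():
    """In-memory Stream table loaded with the sample events, plus the emulated function."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Stream (devicetype, eventcategoryname, details2, address1, address2)")
    conn.executemany("insert into Stream values (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.create_function("in_watchlist", 2, in_watchlist)  # makes the lab's WHERE clause valid SQL here
    return conn


def top_pairs(conn, negate=False, limit=25):
    """Run the lab's Advanced Table query; negate=True is step 13 (the 'not' variant)."""
    clause = ("not " if negate else "") + "in_watchlist(address1, 'Problem IPs')"
    sql = f"""
        select details2 as "Signature",
               address1 as "Source Address",
               address2 as "Destination Address",
               count(*) as "Frequency"
        from Stream
        where devicetype in ('tippingpoint')
          and eventcategoryname like 'Attacks%'
          and {clause}
        group by details2, address1, address2
        order by count(*) desc
        limit ?"""
    return conn.execute(sql, (limit,)).fetchall()
```

Rows from a device type or category outside the filter never reach the watchlist test, which is why the negated query still excludes them.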
-Regards,
Blackhattrick blog
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)
Reviewed by BlackHat on 10:42 AM