Kaspersky Threat Intelligence Portal and DNIF Use Cases

Information about Kaspersky Threat Intelligence Portal and DNIF Use Cases

Published on January 15, 2019

Author: DNIFHQ

Source: slideshare.net

Content

1. Kaspersky Threat Intelligence Portal and DNIF Use-Cases. NETMONASTERY Inc. © Copyright 2018 NETMONASTERY Inc.

2. Using Kaspersky with DNIF to Whitelist Safe IPs and Detect and Respond to Malicious IPs

   1. The first use case is one in which we run a lookup through Kaspersky based on the log information gathered by DNIF. We will specifically look at a scenario where the Kaspersky lookup returns a safe IP report and DNIF appends that IP to a list of whitelisted IPs.
   2. The second use case is similar to the first, but in this scenario we explain how you could raise a module/ticket and send an alert email to all concerned personnel when the Kaspersky lookup returns a malicious IP report.

3. Use case 1: Detecting new safe IPs and having them whitelisted

4. DNIF Query

   _fetch * from event where $LogName=APACHE2 AND $Duration=1h AND $LogType=WEBSERVER group count_unique $SrcIP, $UserAgent, $SrcCN limit 100
   >>_checkif lookup safe_ips join $SrcIP = $SrcIP str_compare $SrcIP eq $SrcIP exclude
   >>_lookup kaspersky get_ip_report $SrcIP
   >>_checkif str_compare $KLZone eq 'Green' include
   >>_store in_disk safe_ips stack_append

   Stage by stage: fetch the last hour of Apache web server events, grouped by unique source IP, user agent and source country (at most 100 rows); exclude source IPs that are already present in the safe_ips lookup, so known-safe addresses are not sent to Kaspersky again; request an IP report from Kaspersky for each remaining source IP; keep only the rows whose returned $KLZone is 'Green'; and append those source IPs to the safe_ips store on disk.


10. Use case 2: Detecting malicious IPs and taking responsive measures

11. DNIF Query

   _fetch * from event where $LogName=APACHE2 AND $Duration=1h AND $LogType=WEBSERVER group count_unique $SrcIP, $UserAgent, $SrcCN limit 100
   >>_checkif lookup safe_ips join $SrcIP = $SrcIP str_compare $SrcIP eq $SrcIP exclude
   >>_lookup kaspersky get_ip_report $SrcIP
   >>_checkif str_compare $KLZone eq 'Red' include
   >>_raise module apache_webserver_base malicious_ip_detected $SrcIP 3 12h
   >>_trigger template_group apache_webserver_base malicious_ip_detected_temp notify_group groupname

   The first three stages are identical to use case 1 (fetch the last hour of Apache events by unique source IP, skip IPs already in safe_ips, look the rest up in Kaspersky). The filter then keeps only rows whose $KLZone is 'Red'; for each of those, an alert is raised in the apache_webserver_base module with the signature malicious_ip_detected, keyed on $SrcIP, and the malicious_ip_detected_temp template is triggered to send the notification email to the configured notify group.
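Both queries share the same pipeline shape: parse web server events, collapse them to unique source IPs, skip IPs already whitelisted, enrich with a reputation lookup, then branch on the returned zone. The following Python is an added example that reimplements that flow offline; it is not DNIF code and not from the slides. The Apache log lines, the `MOCK_IP_REPORT` table standing in for the Kaspersky `get_ip_report` lookup, and the reading of the trailing `3 12h` in `_raise` as a severity and a 12-hour per-key suppression window are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed Apache combined-format access log lines (sample input, not from the slides).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jan/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jan/2019:10:00:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2019:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.21"
192.0.2.44 - - [15/Jan/2019:10:02:00 +0000] "GET /about HTTP/1.1" 200 333 "-" "curl/7.64"
192.0.2.99 - - [15/Jan/2019:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 333 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser; only the fields the DNIF query groups on are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed stand-in for `_lookup kaspersky get_ip_report` (assumption): a fixed
# IP -> zone table so the example runs offline. Unlisted IPs come back as 'Grey'.
MOCK_IP_REPORT = {"203.0.113.10": "Green", "198.51.100.7": "Red", "192.0.2.44": "Grey"}

ALERT_MODULE = "apache_webserver_base"
ALERT_SIGNATURE = "malicious_ip_detected"
ALERT_SEVERITY = 3                  # assumed meaning of the "3" in `_raise`
SUPPRESSION = timedelta(hours=12)   # assumed meaning of the "12h" in `_raise`


def get_ip_report(ip):
    """Mock lookup returning the enrichment field both queries filter on."""
    return {"KLZone": MOCK_IP_REPORT.get(ip, "Grey")}


def fetch_unique_sources(log_text):
    """`_fetch ... group count_unique $SrcIP, $UserAgent`: one row per source IP."""
    rows = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the batch
        row = rows.setdefault(m["ip"], {"count": 0, "user_agents": set()})
        row["count"] += 1
        row["user_agents"].add(m["ua"])
    return rows


@dataclass
class PipelineState:
    """What persists between runs: the safe_ips store, raised alerts, sent notifications."""
    safe_ips: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    lookups: int = 0  # how many IPs were actually sent to the reputation lookup


def run_pipelines(log_text, state, now, lookup=get_ip_report):
    """Run both use cases over one batch of logs; returns the action taken per source IP."""
    verdicts = {}
    for ip in fetch_unique_sources(log_text):
        # `_checkif lookup safe_ips ... exclude`: whitelisted IPs are never looked up again.
        if ip in state.safe_ips:
            verdicts[ip] = "already_safe"
            continue
        state.lookups += 1
        zone = lookup(ip)["KLZone"]
        if zone == "Green":
            state.safe_ips.add(ip)                      # use case 1: `_store in_disk safe_ips`
            verdicts[ip] = "whitelisted"
        elif zone == "Red":
            # use case 2: `_raise` with per-key suppression, then `_trigger` the notification
            if any(a["key"] == ip and now - a["raised_at"] < SUPPRESSION for a in state.alerts):
                verdicts[ip] = "suppressed"
                continue
            state.alerts.append({"module": ALERT_MODULE, "signature": ALERT_SIGNATURE,
                                 "key": ip, "severity": ALERT_SEVERITY, "raised_at": now})
            state.notifications.append(f"{ALERT_SIGNATURE}: {ip} (severity {ALERT_SEVERITY})")
            verdicts[ip] = "alerted"
        else:
            verdicts[ip] = "no_action"  # neither zone matched: both queries drop the row
    return verdicts


def demo():
    """Same batch three times: first pass, one hour later (alert suppressed), 13h later (re-raised)."""
    state = PipelineState(safe_ips={"192.0.2.99"})
    t0 = datetime(2019, 1, 15, 11, 0)
    passes = [run_pipelines(SAMPLE_LOG, state, t0 + timedelta(hours=h)) for h in (0, 1, 13)]
    return passes, state


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The `lookups` counter makes the point of the `_checkif lookup safe_ips ... exclude` stage visible: on the second pass the freshly whitelisted IP is no longer sent to the reputation service, and the Red IP is not re-alerted until the suppression window has elapsed.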

