1. Possible port scanning

Use case

Sending notifications when there are too many SYN connections per minute (which may be a sign of port scanning). The connection state is identified by the field "curState".

Desktop computers are identified by the keyword "DESKTOP" contained in the computer name returned by DNS lookup, which is carried in the field "srcHostname".

    

    Need to notify the user:

           1) If there are more than 50 SYN connections in 15 minutes
           2) Notify users with the list of hosts / source IPs and the number of requests each sent in 15 minutes (here the source hostname is identified by the field "srcHostname")
           3) Send the selected payload event fields as a parameter


Notification Types:  Webhook

    

User Inputs

You can set up the alerts in Skedler-Alert as given below,

   

You will receive an alert via the webhook as shown below,

    


Notification received via Web-hook

Explanation on Parameters:

1. message:

 "message": "Hi,\n Alert has been triggered for alert Possible Port Scanning on 03-08-2017 11:01:05 \n Wed Aug 03 2016 11:01:05 IST - Thu Aug 03 2017 11:01:05 IST \n [{\"srcHostname\":\"DESKTOP - enos\",\"value\":56},{\"srcHostname\":\"DESKTOP - bethany\",\"value\":51},{\"srcHostname\":\"DESKTOP - jovan\",\"value\":65},{\"srcHostname\":\"DESKTOP - abigayle\",\"value\":74},{\"srcHostname\":\"DESKTOP - alaina\",\"value\":54}] \nThanks"


Replaced parameters 

  1. ${AlertName}       -   Possible port scanning
  2. ${TimeStamp}      -  27-03-2017 10:38:15
  3. ${TimeWindow}    -  Mon Mar 27 2017 10:37:15 IST - Mon Mar 27 2017 10:38:15 IST
  4. ${Result}   - [{"srcHostname":"DESKTOP - nigel","value":63},{"srcHostname":"DESKTOP - adrien","value":82},{"srcHostname":"DESKTOP - allene","value":55}]

2. data: [ ]


3. payload: 

[
        {
            "srcHostname": "DESKTOP - myrtie"
        },
        {
            "srcHostname": "DESKTOP - raymundo"
        },
        {
            "srcHostname": "DESKTOP - mina"
        },
        {
            "srcHostname": "DESKTOP - adam"
        },
        {
            "srcHostname": "DESKTOP - edgar"
        },
        {
            "srcHostname": "DESKTOP - roxane"
        },
        {
            "srcHostname": "DESKTOP - jonathon"
        },
        {
            "srcHostname": "DESKTOP - nora"
        },
        {
            "srcHostname": "DESKTOP - isabell"
        },
        {
            "srcHostname": "DESKTOP - friedrich"
        }
    ]
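The following is an added example, not code from Skedler or from this article, showing how the rule in this use case can be evaluated end to end: count SYN events ("curState") per desktop host ("srcHostname") inside a 15-minute window, keep the hosts above the threshold of 50, build the selected-field payload, and substitute the ${AlertName}, ${TimeStamp}, ${TimeWindow} and ${Result} parameters into a message of the shape shown under "Replaced parameters". The events are constructed sample data; the timestamp field name "ts" and the rule that the payload is not thresholded are assumptions, since the page does not state either.

```python
"""Added example (not Skedler code): evaluate the "Possible port scanning" rule
over constructed sample events and assemble the webhook parameters."""
from collections import Counter
from datetime import datetime
import json
from string import Template


def _burst(host, state, ts, n):
    """n identical constructed events from one host in one TCP state."""
    return [{"ts": ts, "curState": state, "srcHostname": host}] * n


# Constructed sample (not real data). "curState" and "srcHostname" are the field
# names on the page; "ts" (ISO-8601) is an assumed timestamp field.
SAMPLE_EVENTS = (
    _burst("DESKTOP - nigel", "SYN", "2017-03-27T10:37:20", 63)
    + _burst("DESKTOP - adrien", "SYN", "2017-03-27T10:37:30", 82)
    + _burst("DESKTOP - allene", "SYN", "2017-03-27T10:37:40", 55)
    + _burst("DESKTOP - quiet", "SYN", "2017-03-27T10:37:50", 7)          # below threshold
    + _burst("srv-db01", "SYN", "2017-03-27T10:37:55", 90)                # not a DESKTOP host
    + _burst("DESKTOP - nigel", "ESTABLISHED", "2017-03-27T10:38:00", 30)  # not a SYN
    + _burst("DESKTOP - old", "SYN", "2017-03-27T09:00:00", 70)           # outside the window
)

# 15-minute window ending at the ${TimeStamp} shown on the page.
WINDOW_START = datetime(2017, 3, 27, 10, 23, 15)
WINDOW_END = datetime(2017, 3, 27, 10, 38, 15)

# Message text in the shape of the page's webhook "message" with the four merge
# parameters left as placeholders.
MESSAGE_TEMPLATE = Template(
    "Hi,\n Alert has been triggered for alert ${AlertName} on ${TimeStamp} "
    "\n ${TimeWindow} \n ${Result} \nThanks"
)


def _matches(event, start, end, keyword):
    """Rule filter: a SYN from a host whose name contains the keyword, inside the window."""
    return (
        start <= datetime.fromisoformat(event["ts"]) <= end
        and event.get("curState") == "SYN"
        and keyword in event.get("srcHostname", "")
    )


def port_scan_result(events, start, end, threshold=50, keyword="DESKTOP"):
    """${Result}: [{"srcHostname": ..., "value": n}, ...] for hosts above the threshold."""
    counts = Counter(e["srcHostname"] for e in events if _matches(e, start, end, keyword))
    return [{"srcHostname": h, "value": n} for h, n in sorted(counts.items()) if n > threshold]


def payload(events, start, end, fields=("srcHostname",), keyword="DESKTOP"):
    """The "payload" parameter: selected fields of every event that passed the rule
    filter. Assumption: the payload is not limited to hosts above the threshold."""
    return [{f: e[f] for f in fields} for e in events if _matches(e, start, end, keyword)]


def render_webhook(alert_name, fired_at, start, end, events):
    """Substitute the merge parameters and build the message/data/payload body."""
    window_fmt = "%a %b %d %Y %H:%M:%S IST"  # ${TimeWindow} format used on the page
    params = {
        "AlertName": alert_name,
        "TimeStamp": fired_at.strftime("%d-%m-%Y %H:%M:%S"),
        "TimeWindow": f"{start.strftime(window_fmt)} - {end.strftime(window_fmt)}",
        "Result": json.dumps(port_scan_result(events, start, end), separators=(",", ":")),
    }
    return {
        "message": MESSAGE_TEMPLATE.substitute(params),
        "data": [],
        "payload": payload(events, start, end),
    }


def run_example():
    return render_webhook("Possible port scanning", WINDOW_END, WINDOW_START, WINDOW_END, SAMPLE_EVENTS)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The SYN-only filter and the "DESKTOP" keyword are applied before counting, so a server host sending many SYNs or a desktop with many established connections never reaches the threshold; only the three hosts over 50 SYNs appear in ${Result}, exactly as in the sample above.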


Note - For additional parameters, refer to "How to setup merge parameters for alert action?"

Conclusion

The table below lists the hosts with more than 50 SYN connections.

srcHostname          Count
DESKTOP - nigel      63
DESKTOP - adrien     82
DESKTOP - allene     55



2. Unauthorized access attempt to a secure server

Sending notifications when there is any unauthorized attempt to access a restricted application on a server. An attempt is identified by the field "AuthorizationStatus" carrying the keyword "NotAuthorized"; the restricted application's name is identified by the field "app".

Need to notify the user with the count of unauthorized users in 15 minutes.


Notification Types: Email


User Inputs

You can set up the alerts in Skedler-Alert as given below,



Notification received via Email

Hi,

Alert has been triggered for alert Unauthorized access attempt on 27-03-2017 11:11:00 IST


Time Window -   Mon Mar 27 2017 10:51:45 IST - Mon Mar 27 2017 11:11:00 IST  


Number of Unauthorized users count -

app               count
Skedler-Reports   10
Microstrategy     8
Power BI          9
BI Connector      6
Skedler-Alerts    12


Thanks    


Notification received via email attachment

The selected fields app and AuthorizationStatus will be sent in the attachment:

[{
    "payload_result1": {
      "total": 4917,
      "max_score": null,
      "hits": [
        {
          "_index": ".data_2017_7_31_23_32_45",
          "_type": "connection",
          "_id": "AV2Zz6VenjJK2YYnw9Hv",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524102729
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_45",
          "_type": "connection",
          "_id": "AV2ZzrwcnjJK2YYnw8mo",
          "_score": null,
          "_source": {
            "app": "Skedler-Alerts",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524080521
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_0",
          "_type": "connection",
          "_id": "AV2ZzvbanjJK2YYnw8sH",
          "_score": null,
          "_source": {
            "app": "Microstrategy",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524078548
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_45",
          "_type": "connection",
          "_id": "AV2Zz6VenjJK2YYnw9Hu",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524040716
          ]
        },
        {
          "_index": ".data_2017_7_31_23_30_30",
          "_type": "connection",
          "_id": "AV2ZzZTUnjJK2YYnw77F",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524020598
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_15",
          "_type": "connection",
          "_id": "AV2ZzzDPnjJK2YYnw83D",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523996465
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_15",
          "_type": "connection",
          "_id": "AV2ZzzDPnjJK2YYnw83F",
          "_score": null,
          "_source": {
            "app": "Skedler-Alerts",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523994484
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_30",
          "_type": "connection",
          "_id": "AV2Zz2znnjJK2YYnw88y",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523950014
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_0",
          "_type": "connection",
          "_id": "AV2ZzgucnjJK2YYnw8LS",
          "_score": null,
          "_source": {
            "app": "Microstrategy",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523926079
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_45",
          "_type": "connection",
          "_id": "AV2ZzrwcnjJK2YYnw8mn",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523917765
          ]
        }
      ]
    },
    "aggregations_result1": {
      "app": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
          {
            "key": "BI Connector",
            "doc_count": 1025
          },
          {
            "key": "Power BI",
            "doc_count": 1010
          },
          {
            "key": "Skedler-Alerts",
            "doc_count": 964
          },
          {
            "key": "Microstrategy",
            "doc_count": 959
          },
          {
            "key": "Skedler-Reports",
            "doc_count": 959
          }
        ]
      }
    }
  }
]
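As an added example (not Skedler code), the block below reads an attachment of the shape shown above and turns it into the per-application table from the email. It keeps the page's own field and key names ("payload_result1", "aggregations_result1", "app", "AuthorizationStatus"); the embedded JSON is a trimmed, constructed copy of the sample above (three of the hits, all five buckets). It also adds the check a reviewer of such an alert would want: the attachment carries both the individual hits and an aggregation, and the aggregation's "doc_count_error_upper_bound", "sum_other_doc_count" and bucket totals tell you whether the per-app counts cover every matching document or only an approximation.

```python
"""Added example (not Skedler code): parse the email-attachment JSON into the
per-app table and verify that the aggregation accounts for every hit."""
from collections import Counter
import json

# Trimmed, constructed copy of the attachment shape on the page.
ATTACHMENT_JSON = r'''
[{
  "payload_result1": {
    "total": 4917,
    "max_score": null,
    "hits": [
      {"_index": ".data_2017_7_31_23_32_45", "_type": "connection", "_id": "AV2Zz6VenjJK2YYnw9Hv",
       "_score": null, "_source": {"app": "Skedler-Reports", "AuthorizationStatus": "NotAuthorized"},
       "sort": [1501524102729]},
      {"_index": ".data_2017_7_31_23_31_45", "_type": "connection", "_id": "AV2ZzrwcnjJK2YYnw8mo",
       "_score": null, "_source": {"app": "Skedler-Alerts", "AuthorizationStatus": "NotAuthorized"},
       "sort": [1501524080521]},
      {"_index": ".data_2017_7_31_23_32_45", "_type": "connection", "_id": "AV2Zz6VenjJK2YYnw9Hu",
       "_score": null, "_source": {"app": "Skedler-Reports", "AuthorizationStatus": "NotAuthorized"},
       "sort": [1501524040716]}
    ]
  },
  "aggregations_result1": {
    "app": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {"key": "BI Connector", "doc_count": 1025},
        {"key": "Power BI", "doc_count": 1010},
        {"key": "Skedler-Alerts", "doc_count": 964},
        {"key": "Microstrategy", "doc_count": 959},
        {"key": "Skedler-Reports", "doc_count": 959}
      ]
    }
  }
}]
'''


def load_attachment(text):
    """The attachment is a JSON array holding one result object; return that object."""
    doc = json.loads(text)
    if not isinstance(doc, list) or len(doc) != 1:
        raise ValueError("expected a one-element JSON array")
    return doc[0]


def selected_fields(result, fields=("app", "AuthorizationStatus")):
    """The selected fields of each hit, i.e. what the rule placed in the attachment."""
    return [{f: h["_source"].get(f) for f in fields} for h in result["payload_result1"]["hits"]]


def count_hits_by_app(result):
    """Per-app count of NotAuthorized events among the hits actually included."""
    return Counter(
        h["_source"]["app"]
        for h in result["payload_result1"]["hits"]
        if h["_source"].get("AuthorizationStatus") == "NotAuthorized"
    )


def count_buckets_by_app(result):
    """Per-app totals from the aggregation, covering all matching documents."""
    return {b["key"]: b["doc_count"] for b in result["aggregations_result1"]["app"]["buckets"]}


def aggregation_is_exact(result):
    """True when the aggregation accounts for every matching document: no error
    bound, nothing left over in 'other', and bucket totals equal to hits.total.
    If this is False, the table in the email under-reports some application."""
    agg = result["aggregations_result1"]["app"]
    total = result["payload_result1"]["total"]
    return (
        agg["doc_count_error_upper_bound"] == 0
        and agg["sum_other_doc_count"] == 0
        and sum(b["doc_count"] for b in agg["buckets"]) == total
    )


def app_table(result):
    """Rows for the 'app / count' table in the email, highest count first."""
    return sorted(count_buckets_by_app(result).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    r = load_attachment(ATTACHMENT_JSON)
    print("aggregation exact:", aggregation_is_exact(r))
    for app, n in app_table(r):
        print(f"{app:20} {n}")
```

Note that the hits list carries only a sample of the matching events (the page shows 10 of a total of 4917), so counting the hits gives a very different answer from the aggregation; the table in the email must be built from the buckets, and the exactness check tells you whether those buckets can be trusted as totals.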


Explanation

Parameters configured will be replaced as follows:

  1. ${AlertName}       -  Unauthorized access attempt
  2. ${TimeStamp}      -  23-01-2017 11:11:00
  3. ${TimeWindow}  - Mon Mar 27 2017 10:51:45 IST - Mon Mar 27 2017 11:11:00 IST

Note - For additional parameters, refer to "How to setup merge parameters for alert action?"

 

Conclusion

Below is the list of applications whose "AuthorizationStatus" field carries the custom tag "NotAuthorized".

app               count
Skedler-Reports   10
Microstrategy     8
Power BI          9
BI Connector      6
Skedler-Alerts    12


3. Too many open connections to application server

Use case

Sending notifications when there are too many connections from one IP address to an application server, exceeding a threshold value in a given period of time. The IP address and the application server are identified by the fields "srcIp" and "app". For example: alert if there are more than 10 connections from an IP address in 15 minutes.


Notification Types:  Email  & Webhook


User Inputs

You can set up the alerts in Skedler-Alert as given below,

  


Notification received via Email

Hi,

Alert has been triggered for alert "Too many Open Connection" on 19-03-2017 14:10:45


Time Window - Mon Mar 27 2017 13:55:45 IST - Mon Mar 27 2017 14:10:45 IST


Final Result

srcIp             app                 Count
191.199.241.108   BI Connector        21
232.66.107.147    Skedler - Reports   20
47.37.62.5        Skedler-Alerts      14


Thanks

 

Notification received via Web-hook

You will receive the alert via the webhook as shown below,



Explanation on Parameters:

1. message :

 "message": "Hi,\n Alert has been triggered for alert Too many Open Connection on 03-08-2017 11:01:05 \n Wed Aug 03 2016 11:01:05 IST - Thu Aug 03 2017 11:01:05 IST \n [{\"srcIp\":\"191.199.241.108\",\"app\":\"BI Connector\",\"value\":21},{\"srcIp\":\"232.66.107.147\",\"app\":\"Skedler-Reports\",\"value\":20},{\"srcIp\":\"47.37.62.5\",\"app\":\"Skedler-Alerts\",\"value\":14}] \nThanks"


Replaced parameters 

  1. ${AlertName}       -   Too many Open Connection
  2. ${TimeStamp}      -  19-03-2017 14:10:45
  3. ${TimeWindow} - Mon Mar 27 2017 13:55:45 IST - Mon Mar 27 2017 14:10:45 IST
  4. ${Result}   -[{"srcIp":"191.199.241.108","app":"BI Connector","value":21},{"srcIp":"232.66.107.147","app":"Skedler-Reports","value":20},{"srcIp":"47.37.62.5","app":"Skedler-Alerts","value":14}]


2. data: [ ]


Note - For additional parameters, refer to "How to setup merge parameters for alert action?"


Conclusion

The table below lists the IP addresses that passed the threshold value of 10.

srcIp             app                 Count
191.199.241.108   BI Connector        21
232.66.107.147    Skedler - Reports   20
47.37.62.5        Skedler-Alerts      14



4. DDOS attack warning

Use case

Alert when the total number of connections in any state to a specific network service (as defined by the TCP port, the "domain") passes a threshold in a given period of time. The domain and the service type are identified by the fields "srcDomain" and "serviceType" respectively.

Need to notify the user with the domain and service type that pass the threshold value of 100.


Notification Types:  Webhook


User Inputs

You can set up the alerts in Skedler-Alert as given below,


Notification received via Web-hook    

You will receive the alert via the webhook as shown below,


Explanation on Parameters:

1. message :

"message": "Hi,\n Alert has been triggered for alert  DDOS attack warning on 03-08-2017 11:22:04 \n Wed Aug 03 2016 11:22:04 IST - Thu Aug 03 2017 11:22:04 IST \n  [{\"srcDomain\":\"aron.name\",\"serviceType\":\"tcp\",\"value\":12},{\"srcDomain\":\"georgiana.net\",\"serviceType\":\"http\",\"value\":312},{\"srcDomain\":\"lou.biz\",\"serviceType\":\"https\",\"value\":111}] \nThanks"


Replaced parameters 

  1. ${AlertName}       -   DDOS attack warning
  2. ${TimeStamp}      -  19-03-2017 15:02:30
  3. ${TimeWindow} - Mon Mar 27 2017 14:47:45 IST - Mon Mar 27 2017 15:02:45 IST
  4. ${Result}   - [{"srcDomain":"aron.name","serviceType":"tcp","value":12},{"srcDomain":"georgiana.net","serviceType":"http","value":312},{"srcDomain":"lou.biz","serviceType":"https","value":111}]


2. data: [ ] 


Note - For additional parameters, refer to "How to setup merge parameters for alert action?"


Conclusion

The table below lists the domains and service types that passed the threshold value of 100.

srcDomain       serviceType   count
aron.name       tcp           21
georgiana.net   http          20
lou.biz         https         14


5. Lost/Stolen Device

Alert when there is any access from a lost/stolen device with a given MAC address, say "35:6e:5e:de:b5:61", and report the country and city from which the device connected. The MAC address, country and city are identified by the fields "srcMac", "srcCountry" and "srcCity" respectively.

Need to notify the user with country and city of the stolen device location.


Notification Types: Email


User Inputs

You can set up the alerts in Skedler-Alert as given below,



Notification received via Email

Hi,

Alert has been triggered for alert Lost-stolen Device on 19-03-2017 15:53:50 IST


Time Window - Sun Mar 19 2017 14:53:50 IST - Sun Mar 19 2017 15:53:50 IST


Final Result

srcCountry   srcCity   Count
Japan        Tokyo     1


Thanks


Conclusion

The table below shows the country and city from which the lost/stolen device with MAC address "35:6e:5e:de:b5:61" accessed the network.

srcCountry   srcCity   Count
Japan        Tokyo     1



6. Comparing too many open connections to an application server between the current and previous time windows

Use case

Compare the current time window with the previous time window and get the list of IP addresses that have too many connections to an application server, i.e. whose count passes the threshold.

     

Notification Types:  Email

   

User Inputs

See the image below for setting up the alert in Skedler-Alerts.



Notification received via Email

Hi,

Alert has been triggered for alert "Too many Open Connection" on 19-03-2017 14:10:45 IST


Time Window - Mon Mar 27 2017 13:55:45 IST - Mon Mar 27 2017 IST


Data generated from Mon Mar 20 2017 15:55:00 IST to Mon Mar 27 2017 15:55:00 IST

srcIp             ServiceType   count
113.216.114.191   Tcp           35
18.21.09.1        http          12


Data generated from Mon Mar 13 2017 15:55:00 IST to Mon Mar 20 2017 15:55:00 IST

srcIp             ServiceType   count
113.216.114.191   Tcp           16


Final Result

srcIp             ServiceType   Current Time Window count   Condition           Previous Time Window Count
113.216.114.191   Tcp           35                          2 times more than   16


Thanks    


Explanation

Parameters configured will be replaced as follows:

  1. ${AlertName}       -   Too many Open Connection
  2. ${TimeStamp}      -  19-03-2017 14:10:45
  3. ${TimeWindow} - Mon Mar 27 2017 13:55:45 IST - Mon Mar 27 2017 14:10:45 IST

Note - For additional parameters, refer to "How to setup merge parameters for alert action?"


Conclusion

The table below lists the IP addresses whose count in the current time window passes the threshold value of 10 and is 2 times more than their count in the previous time window.

srcIp             ServiceType   Current Time Window count   Condition           Previous Time Window Count
113.216.114.191   Tcp           35                          2 times more than   16
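The comparison in this use case, as an added example that is not Skedler's code: count connections per (srcIp, ServiceType) in two back-to-back windows of equal length, then report the pairs whose current-window count passes the threshold of 10 and is at least 2 times the previous-window count. The events are constructed sample data mirroring the two tables above; the timestamp field name "ts" is an assumption. A pair with no previous-window count has no baseline to compare against, so it is left out by default (consistent with the Final Result above, which does not list the http source that appears only in the current window) and can be included on request.

```python
"""Added example (not Skedler code): current-vs-previous window comparison for the
'too many open connections' rule."""
from collections import Counter
from datetime import datetime, timedelta


def _conns(ip, service, ts, n):
    """n identical constructed connection events."""
    return [{"ts": ts, "srcIp": ip, "ServiceType": service}] * n


# End of the current window and the window length used in the tables on the page.
CURRENT_END = datetime(2017, 3, 27, 15, 55)
WINDOW = timedelta(days=7)

# Constructed sample (not real data); "ts" is an assumed ISO-8601 timestamp field.
SAMPLE_EVENTS = (
    # current window: Mar 20 15:55 - Mar 27 15:55
    _conns("113.216.114.191", "Tcp", "2017-03-25T10:00:00", 35)
    + _conns("18.21.9.1", "http", "2017-03-26T11:00:00", 12)    # no previous-window baseline
    + _conns("10.0.0.7", "https", "2017-03-24T09:00:00", 30)    # above threshold, but not 2x
    # previous window: Mar 13 15:55 - Mar 20 15:55
    + _conns("113.216.114.191", "Tcp", "2017-03-15T10:00:00", 16)
    + _conns("10.0.0.7", "https", "2017-03-16T09:00:00", 20)
)


def counts_in_window(events, start, end):
    """Connections per (srcIp, ServiceType) with start <= ts < end."""
    return Counter(
        (e["srcIp"], e["ServiceType"])
        for e in events
        if start <= datetime.fromisoformat(e["ts"]) < end
    )


def compare_windows(events, current_end, window, threshold=10, factor=2, include_new=False):
    """Rows like the email's Final Result: pairs whose current count exceeds the
    threshold and is at least `factor` times the previous count. Pairs absent from
    the previous window are skipped unless include_new is set, because a zero
    baseline would make every ratio infinite."""
    current = counts_in_window(events, current_end - window, current_end)
    previous = counts_in_window(events, current_end - 2 * window, current_end - window)
    rows = []
    for key, cur in sorted(current.items()):
        if cur <= threshold:
            continue
        prev = previous.get(key, 0)
        if prev == 0:
            if not include_new:
                continue
            condition = "not seen in previous window"
        elif cur >= factor * prev:
            condition = f"{factor} times more than"
        else:
            continue
        rows.append({
            "srcIp": key[0], "ServiceType": key[1],
            "current": cur, "condition": condition, "previous": prev,
        })
    return rows


def run_example():
    return compare_windows(SAMPLE_EVENTS, CURRENT_END, WINDOW)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Keeping the threshold and the ratio as separate conditions matters: the https source in the sample has 30 connections, well over the threshold, but only 1.5 times its previous count, so it is not reported; a rule that checked the ratio alone would fire on tiny counts that merely doubled.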

