1) Possible port scanning :

Use case :

    Sending notifications when there are too many SYN connections per minute (which may be a sign of port scanning). The connection state is identified by the field "curState".

    The desktop computers are identified by the keyword "DESKTOP" contained in the computer name provided by DNS lookup, which will be in the field "srcHostname".

    Need to notify the user:

           1) if there are more than 50 SYN connections in 15 minutes
           2) with the list of hosts / source IPs and the number of requests each sent in 15 minutes (for example, here the source hostname is identified by the field "srcHostname")
           3) sending the selected payload event fields as parameters

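The rule described above, as an added example that is not Skedler-Alerts code: it counts SYN events per desktop hostname inside a 15-minute window over constructed sample events and returns the rows above the threshold in the shape of the ${Result} list. The "@timestamp" field name and the sample hostnames are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 50                                   # "more than 50 SYN connections"
WINDOW_MINUTES = 15
WINDOW_END = datetime(2017, 3, 27, 10, 38, 15)   # the page's ${TimeStamp}

# Constructed sample events carrying the two fields the use case names;
# the hostnames, counts and the "@timestamp" field name are made up.
SAMPLE_EVENTS = []
def _gen(host, state, n, minutes_before_end=14):
    start = WINDOW_END - timedelta(minutes=minutes_before_end)
    for i in range(n):
        SAMPLE_EVENTS.append({"@timestamp": start + timedelta(seconds=i),
                              "curState": state, "srcHostname": host})
_gen("DESKTOP - nigel", "SYN", 63)             # above threshold
_gen("DESKTOP - allene", "SYN", 55)            # above threshold
_gen("DESKTOP - quiet", "SYN", 12)             # below threshold
_gen("SRV - db01", "SYN", 90)                  # not a desktop, ignored
_gen("DESKTOP - old", "SYN", 70, minutes_before_end=40)   # outside the window
_gen("DESKTOP - nigel", "ESTABLISHED", 40)     # wrong state, not counted

def syn_count_by_desktop(events, window_end=WINDOW_END, window_minutes=WINDOW_MINUTES,
                         threshold=THRESHOLD, state="SYN", host_keyword="DESKTOP"):
    """Return [{"srcHostname": host, "value": n}, ...] (the shape of ${Result})
    for desktops whose SYN count in the last `window_minutes` exceeds `threshold`."""
    window_start = window_end - timedelta(minutes=window_minutes)
    counts = Counter()
    for ev in events:
        if not (window_start <= ev["@timestamp"] < window_end):
            continue
        if ev.get("curState") != state:
            continue
        host = ev.get("srcHostname", "")
        if host_keyword not in host:               # DESKTOP filter from the use case
            continue
        counts[host] += 1
    return [{"srcHostname": h, "value": n}
            for h, n in counts.most_common() if n > threshold]

def detect_sample():
    return syn_count_by_desktop(SAMPLE_EVENTS)
```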

Notification Types :

               Webhook

    

User Inputs:
   

Please find the below image for setting up alerts in Skedler-Alerts 


     

   

Notification received via Web-hook :

    

You will receive the alert via the web-hook as below:

 

    


Explanation :

 

Parameters : 


1. message :


 "message": "Hi,\n Alert has been triggered for alert Possible Port Scanning on 03-08-2017 11:01:05 \n Wed Aug 03 2016 11:01:05 GMT+0530 (IST) - Thu Aug 03 2017 11:01:05 GMT+0530 (IST) \n [{\"srcHostname\":\"DESKTOP - enos\",\"value\":56},{\"srcHostname\":\"DESKTOP - bethany\",\"value\":51},{\"srcHostname\":\"DESKTOP - jovan\",\"value\":65},{\"srcHostname\":\"DESKTOP - abigayle\",\"value\":74},{\"srcHostname\":\"DESKTOP - alaina\",\"value\":54}] \nThanks"


Replaced parameters :

  1. ${AlertName}   -  Possible port scanning
  2. ${TimeStamp}   -  27-03-2017 10:38:15
  3. ${TimeWindow}  -  Mon Mar 27 2017 10:37:15 GMT+0530 (IST) - Mon Mar 27 2017 10:38:15 GMT+0530
  4. ${Result}      -  [{"srcHostname":"DESKTOP - nigel","value":63},{"srcHostname":"DESKTOP - adrien","value":82},{"srcHostname":"DESKTOP - allene","value":55}]

2. data: [ ]


3. payload: 

       


[
        {
            "srcHostname": "DESKTOP - myrtie"
        },
        {
            "srcHostname": "DESKTOP - raymundo"
        },
        {
            "srcHostname": "DESKTOP - mina"
        },
        {
            "srcHostname": "DESKTOP - adam"
        },
        {
            "srcHostname": "DESKTOP - edgar"
        },
        {
            "srcHostname": "DESKTOP - roxane"
        },
        {
            "srcHostname": "DESKTOP - jonathon"
        },
        {
            "srcHostname": "DESKTOP - nora"
        },
        {
            "srcHostname": "DESKTOP - isabell"
        },
        {
            "srcHostname": "DESKTOP - friedrich"
        }
    ]
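The parameter substitution and webhook message format described above, as an added example that is not Skedler-Alerts code: it renders the "message" field from a template and then recovers the ${Result} list from the received message, which a webhook consumer has to do because the list is embedded in a text string. The template itself is an assumption reconstructed from the sample message and the "Replaced parameters" list; the page does not show it verbatim.

```python
import json
import re

# Assumed template: reconstructed from the sample "message" and the
# "Replaced parameters" list above; the page does not show it verbatim.
MESSAGE_TEMPLATE = ("Hi,\n Alert has been triggered for alert ${AlertName} on ${TimeStamp}"
                    " \n ${TimeWindow} \n ${Result} \nThanks")

def render_message(template, params):
    """Substitute every ${Name}; ${Result} is serialised as compact JSON."""
    def substitute(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"no value for ${{{name}}}")
        value = params[name]
        return json.dumps(value, separators=(",", ":")) if name == "Result" else str(value)
    return re.sub(r"\$\{(\w+)\}", substitute, template)

# The result list sits on its own line just before "Thanks", so anchor on that
# rather than on the first "[" (an alert name could itself contain brackets).
_RESULT_RE = re.compile(r"\n\s*(\[.*\])\s*\nThanks\s*$", re.DOTALL)

def parse_result(message):
    """Recover the ${Result} list from a received webhook "message" string."""
    match = _RESULT_RE.search(message)
    if not match:
        raise ValueError("message carries no result array")
    result = json.loads(match.group(1))
    if not isinstance(result, list):
        raise ValueError("result is not a list")
    return result

# Constructed example values mirroring the page's port-scanning webhook.
EXAMPLE_PARAMS = {
    "AlertName": "Possible port scanning",
    "TimeStamp": "27-03-2017 10:38:15",
    "TimeWindow": "Mon Mar 27 2017 10:37:15 GMT+0530 (IST) - Mon Mar 27 2017 10:38:15 GMT+0530 (IST)",
    "Result": [{"srcHostname": "DESKTOP - nigel", "value": 63},
               {"srcHostname": "DESKTOP - adrien", "value": 82}],
}

def round_trip(alert_name=None):
    """Build the webhook body, serialise it as the receiver sees it, read ${Result} back."""
    params = dict(EXAMPLE_PARAMS)
    if alert_name is not None:
        params["AlertName"] = alert_name
    body = {"message": render_message(MESSAGE_TEMPLATE, params), "data": []}
    received = json.loads(json.dumps(body))
    return parse_result(received["message"])
```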




Conclusion:

      The table below lists the hosts with more than 50 SYN connections.

      srcHostname         Count
      DESKTOP - nigel     63
      DESKTOP - adrien    82
      DESKTOP - allene    55



2) Unauthorized access attempt to a secure server :


 Sending notifications when there is any unauthorized attempt to access a restricted application on a server, identified by the field "AuthorizationStatus" carrying the keyword "NotAuthorized". The restricted application name is identified by the field "app".


 Need to notify the user with the number of unauthorized users in 15 minutes.


Notification Types :

               Email


User Inputs:
   

Please find the below image for setting up alerts in Skedler-Alerts    





Notification received via Email :



Hi,

Alert has been triggered for alert Unauthorized access attempt on 27-03-2017 11:11:00


Time Window -   Mon Mar 27 2017 10:51:45 GMT+0530 - Mon Mar 27 2017 11:11:00 GMT+0530 (IST)  



Number of Unauthorized users count -

app                count
Skedler-Reports    10
Microstrategy      8
Power BI           9
BI Connector       6
Skedler-Alerts     12


 Thanks    


Notification received via email attachment :


The selected fields app and AuthorizationStatus will be sent in the attachment.


[{
    "payload_result1": {
      "total": 4917,
      "max_score": null,
      "hits": [
        {
          "_index": ".data_2017_7_31_23_32_45",
          "_type": "connection",
          "_id": "AV2Zz6VenjJK2YYnw9Hv",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524102729
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_45",
          "_type": "connection",
          "_id": "AV2ZzrwcnjJK2YYnw8mo",
          "_score": null,
          "_source": {
            "app": "Skedler-Alerts",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524080521
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_0",
          "_type": "connection",
          "_id": "AV2ZzvbanjJK2YYnw8sH",
          "_score": null,
          "_source": {
            "app": "Microstrategy",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524078548
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_45",
          "_type": "connection",
          "_id": "AV2Zz6VenjJK2YYnw9Hu",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524040716
          ]
        },
        {
          "_index": ".data_2017_7_31_23_30_30",
          "_type": "connection",
          "_id": "AV2ZzZTUnjJK2YYnw77F",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524020598
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_15",
          "_type": "connection",
          "_id": "AV2ZzzDPnjJK2YYnw83D",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523996465
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_15",
          "_type": "connection",
          "_id": "AV2ZzzDPnjJK2YYnw83F",
          "_score": null,
          "_source": {
            "app": "Skedler-Alerts",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523994484
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_30",
          "_type": "connection",
          "_id": "AV2Zz2znnjJK2YYnw88y",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523950014
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_0",
          "_type": "connection",
          "_id": "AV2ZzgucnjJK2YYnw8LS",
          "_score": null,
          "_source": {
            "app": "Microstrategy",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523926079
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_45",
          "_type": "connection",
          "_id": "AV2ZzrwcnjJK2YYnw8mn",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523917765
          ]
        }
      ]
    },
    "aggregations_result1": {
      "app": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
          {
            "key": "BI Connector",
            "doc_count": 1025
          },
          {
            "key": "Power BI",
            "doc_count": 1010
          },
          {
            "key": "Skedler-Alerts",
            "doc_count": 964
          },
          {
            "key": "Microstrategy",
            "doc_count": 959
          },
          {
            "key": "Skedler-Reports",
            "doc_count": 959
          }
        ]
      }
    }
  }
]


  


Explanation:

 

Parameters configured will be replaced as follows:

  1. ${AlertName}   -  Unauthorized access attempt
  2. ${TimeStamp}   -  23-01-2017 11:11:00
  3. ${TimeWindow}  -  Mon Mar 27 2017 10:51:45 GMT+0530 - Mon Mar 27 2017 11:11:00 GMT+0530 (IST)

 

Conclusion :

            Below is the list of applications whose "AuthorizationStatus" carries the custom tag "NotAuthorized".

            app                count
            Skedler-Reports    10
            Microstrategy      8
            Power BI           9
            BI Connector       6
            Skedler-Alerts     12



3) Too many open connections to application server :


Use case :

    Sending notifications when there are too many connections from an IP address to an application server, exceeding a threshold value in a given period of time. The IP address and application server are identified by the fields "srcIp" and "app" respectively. For example: alert if there are more than 10 connections from an IP address in 15 minutes.

       


Notification Types :

               Email & Webhook

   

User Inputs:
   

Please find the below image for setting up alerts in Skedler-Alerts 


  



Notification received via Email :


Hi,

Alert has been triggered for alert "Too many Open Connection" on 19-03-2017 14:10:45


Time Window - Mon Mar 27 2017 13:55:45 GMT+0530 - Mon Mar 27 2017 14:10:45 GMT+0530 (IST)


Final Result

srcIp              app                Count
191.199.241.108    BI Connector       21
232.66.107.147     Skedler-Reports    20
47.37.62.5         Skedler-Alerts     14


 Thanks    

  


     


Notification received via Web-hook :

    

You will receive the alert via the web-hook as below:



       


Explanation:



Parameters : 


1. message :


 "message": "Hi,\n Alert has been triggered for alert Too many Open Connection on 03-08-2017 11:01:05 \n Wed Aug 03 2016 11:01:05 GMT+0530 (IST) - Thu Aug 03 2017 11:01:05 GMT+0530 (IST) \n [{\"srcIp\":\"191.199.241.108\",\"app\":\"BI Connector\",\"value\":21},{\"srcIp\":\"232.66.107.147\",\"app\":\"Skedler-Reports\",\"value\":20},{\"srcIp\":\"47.37.62.5\",\"app\":\"Skedler-Alerts\",\"value\":14}] \nThanks"


Replaced parameters :

  1. ${AlertName}   -  Too many Open Connection
  2. ${TimeStamp}   -  19-03-2017 14:10:45
  3. ${TimeWindow}  -  Mon Mar 27 2017 13:55:45 GMT+0530 - Mon Mar 27 2017 14:10:45 GMT+0530 (IST)
  4. ${Result}      -  [{"srcIp":"191.199.241.108","app":"BI Connector","value":21},{"srcIp":"232.66.107.147","app":"Skedler-Reports","value":20},{"srcIp":"47.37.62.5","app":"Skedler-Alerts","value":14}]


2. data: [ ]


          

Conclusion :

             The table below lists the IP addresses that pass the threshold value 10.

             srcIp              app                Count
             191.199.241.108    BI Connector       21
             232.66.107.147     Skedler-Reports    20
             47.37.62.5         Skedler-Alerts     14



4) DDOS attack warning :


Use case :

   Alert when the total number of connections in any state to a specific network service (as defined by the TCP port "domain") passes a threshold in a given period of time. The domain and service type are identified by the fields "srcDomain" and "serviceType" respectively.

    Need to notify the user with the domain and service type that pass the threshold value 100.


Notification Types :

               Webhook


User Inputs:
   

Please find the below image for setting up alerts in Skedler-Alerts 





Notification received via Web-hook :

    

You will receive the alert via the web-hook as below:



Explanation:



Parameters : 


1. message :


"message": "Hi,\n Alert has been triggered for alert  DDOS attack warning on 03-08-2017 11:22:04 \n Wed Aug 03 2016 11:22:04 GMT+0530 (IST) - Thu Aug 03 2017 11:22:04 GMT+0530 (IST) \n  [{\"srcDomain\":\"aron.name\",\"serviceType\":\"tcp\",\"value\":12},{\"srcDomain\":\"georgiana.net\",\"serviceType\":\"http\",\"value\":312},{\"srcDomain\":\"lou.biz\",\"serviceType\":\"https\",\"value\":111}] \nThanks"


Replaced parameters :

  1. ${AlertName}   -  DDOS attack warning
  2. ${TimeStamp}   -  19-03-2017 15:02:30
  3. ${TimeWindow}  -  Mon Mar 27 2017 14:47:45 GMT+0530 - Mon Mar 27 2017 15:02:45 GMT+0530 (IST)
  4. ${Result}      -  [{"srcDomain":"aron.name","serviceType":"tcp","value":12},{"srcDomain":"georgiana.net","serviceType":"http","value":312},{"srcDomain":"lou.biz","serviceType":"https","value":111}]


2. data: [ ]

             

 

Conclusion :

             The table below lists the domain and service type that pass the threshold value 100.

             srcDomain        serviceType    count
             aron.name        tcp            21
             georgiana.net    http           20
             lou.biz          https          14


5) Lost/Stolen Device :

      When there is any access from a lost/stolen device with a MAC address, say "35:6e:5e:de:b5:61", the alert provides the lost/stolen device's country and city location. The MAC address, country and city are identified by the fields "srcMac", "srcCountry" and "srcCity" respectively.


 Need to notify the user with the country and city of the stolen device's location.


Notification Types :

               Email


User Inputs:
   

Please find the below image for setting up alerts in Skedler-Alerts


    


Notification received via Email :


Hi,

Alert has been triggered for alert Lost-stolen Device on 19-03-2017 15:53:50


Time Window - Sun Mar 19 2017 14:53:50 GMT+0530 - Sun Mar 19 2017 15:53:50 GMT+0530 (IST)


Final Result



srcCountry    srcCity    Count
Japan         Tokyo      1


 Thanks    



Conclusion :

             The table below shows the country and city from which the lost / stolen device with MAC address "35:6e:5e:de:b5:61" made its access.

             srcCountry    srcCity    Count
             Japan         Tokyo      1



6) Comparing too many open connections to application server from current time window to previous time window :


Use case :

    Compare the current time window with the previous time window and get the list of IP addresses that have too many connections to an application server, passing the threshold.

       


Notification Types :

               Email

   

User Inputs:
   

Please find the below image for setting up alerts in Skedler-Alerts 




Notification received via Email :


Hi,

Alert has been triggered for alert "Too many Open Connection" on 19-03-2017 14:10:45


Time Window - Mon Mar 27 2017 13:55:45 GMT+0530 - Mon Mar 27 2017 14:10:45 GMT+0530 (IST)


Final Result


Data generated from Mon Mar 20 2017 15:55:00 GMT+0530 (IST) to Mon Mar 27 2017 15:55:00 GMT+0530 (IST)

srcIp              ServiceType    count
113.216.114.191    Tcp            35
18.21.09.1         http           12


Data generated from Mon Mar 13 2017 15:55:00 GMT+0530 (IST) to Mon Mar 20 2017 15:55:00 GMT+0530 (IST)

srcIp              ServiceType    count
113.216.114.191    Tcp            16


Final Result

srcIp              ServiceType    Current Time Window count    Condition            Previous Time Window Count
113.216.114.191    Tcp            35                           2 times more than    16


Thanks    


Explanation:

 

Parameters configured will be replaced as follows:


  1. ${AlertName}   -  Too many Open Connection
  2. ${TimeStamp}   -  19-03-2017 14:10:45
  3. ${TimeWindow}  -  Mon Mar 27 2017 13:55:45 GMT+0530 - Mon Mar 27 2017 14:10:45 GMT+0530 (IST)


Conclusion :

           The table below lists the IP addresses that pass the threshold value 10 and whose count in the current time window is 2 times more than in the previous time window.

           srcIp              ServiceType    Current Time Window count    Condition            Previous Time Window Count
           113.216.114.191    Tcp            35                           2 times more than    16
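The current-versus-previous window comparison above, as an added example that is not Skedler-Alerts code: it counts connections per (srcIp, serviceType) in two adjacent 7-day windows over constructed events and keeps the rows that pass the threshold of 10 and are 2 times more than the previous window. Sources with no previous-window count are skipped because there is no baseline, which is an assumption consistent with the page's final result; the "@timestamp" field name and the sample values are also assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)                  # the page compares two 7-day windows
WINDOW_END = datetime(2017, 3, 27, 15, 55)  # end of the current window, from the page
THRESHOLD = 10                              # "passes the threshold value 10"
RATIO = 2                                   # "2 times more than" the previous window

# Constructed sample events (values made up to mirror the page's tables):
# current window = the 7 days before WINDOW_END, previous = the 7 days before that.
SAMPLE_EVENTS = []
def _gen(ip, svc, n, days_back):
    for i in range(n):
        SAMPLE_EVENTS.append({"@timestamp": WINDOW_END - timedelta(days=days_back)
                                            + timedelta(seconds=i),
                              "srcIp": ip, "serviceType": svc})
_gen("113.216.114.191", "Tcp", 35, 3)    # current: 35
_gen("113.216.114.191", "Tcp", 16, 10)   # previous: 16 -> 35 >= 2*16, reported
_gen("18.21.09.1", "http", 12, 3)        # current only: no baseline, skipped
_gen("10.0.0.9", "https", 30, 3)         # current: 30
_gen("10.0.0.9", "https", 20, 10)        # previous: 20 -> 30 < 40, not reported

def count_by_key(events, start, end):
    """Connections per (srcIp, serviceType) with timestamp in [start, end)."""
    counts = Counter()
    for ev in events:
        if start <= ev["@timestamp"] < end:
            counts[(ev["srcIp"], ev["serviceType"])] += 1
    return counts

def compare_windows(events, window_end=WINDOW_END, window=WINDOW,
                    threshold=THRESHOLD, ratio=RATIO):
    """Rows whose current count passes `threshold` and is at least `ratio`
    times the previous window's count for the same (srcIp, serviceType)."""
    current = count_by_key(events, window_end - window, window_end)
    previous = count_by_key(events, window_end - 2 * window, window_end - window)
    rows = []
    for key, now in sorted(current.items()):
        before = previous.get(key)
        if before is None:          # assumption: first-seen sources have no baseline
            continue
        if now > threshold and now >= ratio * before:
            rows.append({"srcIp": key[0], "serviceType": key[1], "current": now,
                         "condition": f"{ratio} times more than", "previous": before})
    return rows

def compare_sample():
    return compare_windows(SAMPLE_EVENTS)
```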