How to set alerts with rule type "Threshold" - sample use cases

Modified on Fri, 16 Mar, 2018 at 8:22 AM

1. Possible port scanning

Use case

Sending notifications when there are too many SYN connections per minute (which may be a sign of port scanning). The connection state is identified by the field "curState".

The desktop computers are identified by the keyword "DESKTOP" contained in the computer name provided by DNS lookup, which will be in a field called "srcHostname".

    

Need to notify the user:

    1) if there are more than 50 SYN connections in 15 minutes;
    2) with the list of hosts/source IPs and the number of requests each sent in 15 minutes (for example, here the source hostname is identified by the field "srcHostname");
    3) with the selected payload event fields sent as parameters.


Notification Types:  Webhook

    

User Inputs

You can set up the alerts in Skedler-Alert as given below.

You will receive an alert in the web-hook as shown below.


Notification received via Web-hook

Explanation on Parameters:

1. message:

 "message": "Hi,\n Alert has been triggered for alert Possible Port Scanning on 03-08-2017 11:01:05 \n Wed Aug 03 2016 11:01:05 IST - Thu Aug 03 2017 11:01:05 IST \n [{\"srcHostname\":\"DESKTOP - enos\",\"value\":56},{\"srcHostname\":\"DESKTOP - bethany\",\"value\":51},{\"srcHostname\":\"DESKTOP - jovan\",\"value\":65},{\"srcHostname\":\"DESKTOP - abigayle\",\"value\":74},{\"srcHostname\":\"DESKTOP - alaina\",\"value\":54}] \nThanks"


Replaced parameters

  1. ${AlertName}   - Possible port scanning
  2. ${TimeStamp}   - 27-03-2017 10:38:15
  3. ${TimeWindow}  - Mon Mar 27 2017 10:37:15 IST - Mon Mar 27 2017 10:38:15 IST
  4. ${Result}      - [{"srcHostname":"DESKTOP - nigel","value":63},{"srcHostname":"DESKTOP - adrien","value":82},{"srcHostname":"DESKTOP - allene","value":55}]

2. data: [ ]


3. payload: 

[
        {
            "srcHostname": "DESKTOP - myrtie"
        },
        {
            "srcHostname": "DESKTOP - raymundo"
        },
        {
            "srcHostname": "DESKTOP - mina"
        },
        {
            "srcHostname": "DESKTOP - adam"
        },
        {
            "srcHostname": "DESKTOP - edgar"
        },
        {
            "srcHostname": "DESKTOP - roxane"
        },
        {
            "srcHostname": "DESKTOP - jonathon"
        },
        {
            "srcHostname": "DESKTOP - nora"
        },
        {
            "srcHostname": "DESKTOP - isabell"
        },
        {
            "srcHostname": "DESKTOP - friedrich"
        }
    ]


Note - For additional parameters, refer to "How to setup merge parameters for alert action?"


Conclusion

The table below lists the hosts with more than 50 SYN connections:

srcHostname        Count
DESKTOP - nigel    63
DESKTOP - adrien   82
DESKTOP - allene   55
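As an added illustration (not Skedler's own code), the following Python sketches what a Threshold rule of this kind computes and how the merge parameters are filled in: events in the last 15 minutes are filtered on curState and the DESKTOP keyword, grouped by srcHostname, and every group above 50 lands in ${Result}. The sample events, the evaluate_threshold/render_message functions and the fixed "IST" label are assumptions of the example; the group_by list generalises to the multi-field results of use cases 3 and 4 (srcIp/app, srcDomain/serviceType).

```python
import json
from collections import Counter
from datetime import datetime, timedelta
from string import Template

WINDOW = timedelta(minutes=15)  # the "15 minutes" of the use case

def evaluate_threshold(events, window_end, window, filters, group_by, threshold):
    """Hypothetical stand-in for the Threshold rule: count events passing `filters` inside the
    window, group them by the `group_by` fields (e.g. ["srcIp", "app"]), keep groups over
    `threshold` and return them in the [{field: ..., "value": n}] shape of ${Result}."""
    window_start = window_end - window
    counts = Counter()
    for ev in events:
        if not (window_start <= ev["timestamp"] <= window_end):
            continue
        if not all(pred(ev.get(field)) for field, pred in filters.items()):
            continue
        counts[tuple(ev[f] for f in group_by)] += 1
    return [dict(zip(group_by, key), value=n) for key, n in counts.items() if n > threshold]

# Merge-parameter template taken from the webhook sample; string.Template expands ${Name}.
MESSAGE_TEMPLATE = Template("Hi,\n Alert has been triggered for alert ${AlertName} on ${TimeStamp} \n"
                            " ${TimeWindow} \n ${Result} \nThanks")

def render_message(alert_name, window_end, window, result):
    """Fill ${AlertName}, ${TimeStamp}, ${TimeWindow} and ${Result} as the sample shows."""
    fmt, start = "%a %b %d %Y %H:%M:%S", window_end - window
    return MESSAGE_TEMPLATE.substitute(
        AlertName=alert_name,
        TimeStamp=window_end.strftime("%d-%m-%Y %H:%M:%S"),
        TimeWindow=f"{start.strftime(fmt)} IST - {window_end.strftime(fmt)} IST",
        Result=json.dumps(result, separators=(",", ":")))

def make_events(counts, state, start):
    """Constructed sample events, one record per second per host (not real traffic)."""
    return [{"timestamp": start + timedelta(seconds=i), "curState": state, "srcHostname": host}
            for host, n in counts.items() for i in range(n)]

WINDOW_END = datetime(2017, 3, 27, 10, 52, 15)
SAMPLE_EVENTS = (
    make_events({"DESKTOP - nigel": 63, "DESKTOP - adrien": 82, "DESKTOP - allene": 55,
                 "DESKTOP - quiet": 12, "SERVER - db01": 90}, "SYN", WINDOW_END - WINDOW)
    + make_events({"DESKTOP - nigel": 40}, "ESTABLISHED", WINDOW_END - timedelta(minutes=5)))

def port_scan_alert(events, window_end):
    """Use case 1: SYN connections from DESKTOP hosts, more than 50 in the last 15 minutes."""
    filters = {"curState": lambda v: v == "SYN",
               "srcHostname": lambda v: v is not None and "DESKTOP" in v}
    return evaluate_threshold(events, window_end, WINDOW, filters, ["srcHostname"], 50)
```

Calling render_message("Possible port scanning", WINDOW_END, WINDOW, port_scan_alert(SAMPLE_EVENTS, WINDOW_END)) yields a message in the same shape as the webhook sample; the 12-request desktop and the non-DESKTOP host are left out, as are the 40 ESTABLISHED connections.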



2. Unauthorized access attempt to a secure server

Sending notifications when there is any unauthorized attempt to access a restricted application on a server, which is identified by the field "AuthorizationStatus" carrying the keyword "NotAuthorized". The restricted application name is identified by the field "app".

Need to notify the user with the number of unauthorized users in 15 minutes.


Notification Types: Email


User Inputs

You can set up the alerts in Skedler-Alert as given below, 



Notification received via Email

Hi,

Alert has been triggered for alert Unauthorized access attempt on 27-03-2017 11:11:00 IST


Time Window -   Mon Mar 27 2017 10:51:45 IST - Mon Mar 27 2017 11:11:00 IST  


Number of Unauthorized users count -

app               count
Skedler-Reports   10
Microstrategy     8
Power BI          9
BI Connector      6
Skedler-Alerts    12


Thanks    


Notification received via email attachment

The selected fields app and AuthorizationStatus will be sent in the attachment:

[{
    "payload_result1": {
      "total": 4917,
      "max_score": null,
      "hits": [
        {
          "_index": ".data_2017_7_31_23_32_45",
          "_type": "connection",
          "_id": "AV2Zz6VenjJK2YYnw9Hv",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524102729
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_45",
          "_type": "connection",
          "_id": "AV2ZzrwcnjJK2YYnw8mo",
          "_score": null,
          "_source": {
            "app": "Skedler-Alerts",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524080521
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_0",
          "_type": "connection",
          "_id": "AV2ZzvbanjJK2YYnw8sH",
          "_score": null,
          "_source": {
            "app": "Microstrategy",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524078548
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_45",
          "_type": "connection",
          "_id": "AV2Zz6VenjJK2YYnw9Hu",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524040716
          ]
        },
        {
          "_index": ".data_2017_7_31_23_30_30",
          "_type": "connection",
          "_id": "AV2ZzZTUnjJK2YYnw77F",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524020598
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_15",
          "_type": "connection",
          "_id": "AV2ZzzDPnjJK2YYnw83D",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523996465
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_15",
          "_type": "connection",
          "_id": "AV2ZzzDPnjJK2YYnw83F",
          "_score": null,
          "_source": {
            "app": "Skedler-Alerts",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523994484
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_30",
          "_type": "connection",
          "_id": "AV2Zz2znnjJK2YYnw88y",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523950014
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_0",
          "_type": "connection",
          "_id": "AV2ZzgucnjJK2YYnw8LS",
          "_score": null,
          "_source": {
            "app": "Microstrategy",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523926079
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_45",
          "_type": "connection",
          "_id": "AV2ZzrwcnjJK2YYnw8mn",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523917765
          ]
        }
      ]
    },
    "aggregations_result1": {
      "app": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
          {
            "key": "BI Connector",
            "doc_count": 1025
          },
          {
            "key": "Power BI",
            "doc_count": 1010
          },
          {
            "key": "Skedler-Alerts",
            "doc_count": 964
          },
          {
            "key": "Microstrategy",
            "doc_count": 959
          },
          {
            "key": "Skedler-Reports",
            "doc_count": 959
          }
        ]
      }
    }
  }
]
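As an added example (not part of the article or of Skedler), this Python reads an attachment in the format shown above and derives the app/count table of the email body from the terms aggregation, while also flagging any hit whose AuthorizationStatus is not "NotAuthorized". The shortened attachment and the hit ids are constructed, not copied from the page.

```python
import json

# Constructed, shortened copy of the attachment format shown above (ids are placeholders,
# not the page's); the third hit is deliberately "Authorized" to exercise the status check.
ATTACHMENT_JSON = """[{
  "payload_result1": {"total": 3, "max_score": null, "hits": [
    {"_index": ".data_2017_7_31_23_32_45", "_type": "connection", "_id": "hit-1", "_score": null,
     "_source": {"app": "Skedler-Reports", "AuthorizationStatus": "NotAuthorized"}, "sort": [1501524102729]},
    {"_index": ".data_2017_7_31_23_31_45", "_type": "connection", "_id": "hit-2", "_score": null,
     "_source": {"app": "Skedler-Alerts", "AuthorizationStatus": "NotAuthorized"}, "sort": [1501524080521]},
    {"_index": ".data_2017_7_31_23_32_0", "_type": "connection", "_id": "hit-3", "_score": null,
     "_source": {"app": "Skedler-Reports", "AuthorizationStatus": "Authorized"}, "sort": [1501524078548]}
  ]},
  "aggregations_result1": {"app": {"doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
    "buckets": [{"key": "Skedler-Reports", "doc_count": 959}, {"key": "Skedler-Alerts", "doc_count": 964}]}}
}]"""

def load_attachment(text):
    """The attachment is a JSON list; each element carries the raw hits and the terms aggregation."""
    return json.loads(text)

def bucket_counts(attachment):
    """app -> doc_count from aggregations_result1, summed across result blocks."""
    counts = {}
    for block in attachment:
        for bucket in block["aggregations_result1"]["app"]["buckets"]:
            counts[bucket["key"]] = counts.get(bucket["key"], 0) + bucket["doc_count"]
    return counts

def unauthorized_hits(attachment):
    """Count hits per app whose AuthorizationStatus is NotAuthorized; return the ids of any hit
    with a different status so a consumer can tell that the rule's filter did not apply."""
    by_app, unexpected = {}, []
    for block in attachment:
        for hit in block["payload_result1"]["hits"]:
            src = hit["_source"]
            if src.get("AuthorizationStatus") == "NotAuthorized":
                by_app[src["app"]] = by_app.get(src["app"], 0) + 1
            else:
                unexpected.append(hit["_id"])
    return by_app, unexpected

def as_table(counts):
    """Render the app/count table the email body shows, one row per application."""
    width = max(len(app) for app in counts) if counts else 3
    return "\n".join([f"{'app':<{width}}  count"] + [f"{app:<{width}}  {n}" for app, n in counts.items()])
```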


Explanation

Parameters configured will be replaced as follows:

  1. ${AlertName}   - Unauthorized access attempt
  2. ${TimeStamp}   - 23-01-2017 11:11:00
  3. ${TimeWindow}  - Mon Mar 27 2017 10:51:45 IST - Mon Mar 27 2017 11:11:00 IST

Note - For additional parameters, refer to "How to setup merge parameters for alert action?"

 

Conclusion

Below is the list of applications whose "AuthorizationStatus" field carries the custom tag "NotAuthorized":

app               count
Skedler-Reports   10
Microstrategy     8
Power BI          9
BI Connector      6
Skedler-Alerts    12


3. Too many open connections to application server

Use Case 

Sending notifications when the number of connections from an IP address to an application server passes a threshold value in a given period of time. The IP address and the application server are identified by the fields "srcIp" and "app". For example: alert if there are more than 10 connections from an IP address in 15 minutes.


Notification Types:  Email  & Webhook


User Inputs

You can set up the alerts in Skedler-Alert as given below, 

  


Notification received via Email

Hi,

Alert has been triggered for alert "Too many Open Connection" on 19-03-2017 14:10:45


Time Window - Mon Mar 27 2017 13:55:45 IST - Mon Mar 27 2017 14:10:45 IST


Final Result

srcIp             app                 Count
191.199.241.108   BI Connector        21
232.66.107.147    Skedler - Reports   20
47.37.62.5        Skedler-Alerts      14


Thanks

 

Notification received via Web-hook

You will receive the alert in the web-hook as shown below.



Explanation on Parameters:

1. message :

 "message": "Hi,\n Alert has been triggered for alert Too many Open Connection on 03-08-2017 11:01:05 \n Wed Aug 03 2016 11:01:05 IST - Thu Aug 03 2017 11:01:05 IST \n [{\"srcIp\":\"191.199.241.108\",\"app\":\"BI Connector\",\"value\":21},{\"srcIp\":\"232.66.107.147\",\"app\":\"Skedler-Reports\",\"value\":20},{\"srcIp\":\"47.37.62.5\",\"app\":\"Skedler-Alerts\",\"value\":14}] \nThanks"


Replaced parameters

  1. ${AlertName}   - Too many Open Connection
  2. ${TimeStamp}   - 19-03-2017 14:10:45
  3. ${TimeWindow}  - Mon Mar 27 2017 13:55:45 IST - Mon Mar 27 2017 14:10:45 IST
  4. ${Result}      - [{"srcIp":"191.199.241.108","app":"BI Connector","value":21},{"srcIp":"232.66.107.147","app":"Skedler-Reports","value":20},{"srcIp":"47.37.62.5","app":"Skedler-Alerts","value":14}]


2. data: [ ]


Note - For additional parameters, refer to "How to setup merge parameters for alert action?"


Conclusion

The table below lists the IP addresses that passed the threshold value of 10:

srcIp             app                 Count
191.199.241.108   BI Connector        21
232.66.107.147    Skedler - Reports   20
47.37.62.5        Skedler-Alerts      14



4. DDOS attack warning

Use case

Alert when the total number of connections in any state to a specific network service (as defined by the TCP port "domain") passes a threshold in a given period of time. The domain and the service type are identified by the fields "srcDomain" and "serviceType" respectively.

Need to notify the user of the domain and service type which pass the threshold value 100.


Notification Types:  Webhook


User Inputs

You can set up the alerts in Skedler-Alert as given below,


Notification received via Web-hook    

You will receive the alert in the web-hook as shown below.


Explanation on Parameters:

1. message :

"message": "Hi,\n Alert has been triggered for alert  DDOS attack warning on 03-08-2017 11:22:04 \n Wed Aug 03 2016 11:22:04 IST - Thu Aug 03 2017 11:22:04 IST \n  [{\"srcDomain\":\"aron.name\",\"serviceType\":\"tcp\",\"value\":12},{\"srcDomain\":\"georgiana.net\",\"serviceType\":\"http\",\"value\":312},{\"srcDomain\":\"lou.biz\",\"serviceType\":\"https\",\"value\":111}] \nThanks"


Replaced parameters

  1. ${AlertName}   - DDOS attack warning
  2. ${TimeStamp}   - 19-03-2017 15:02:30
  3. ${TimeWindow}  - Mon Mar 27 2017 14:47:45 IST - Mon Mar 27 2017 15:02:45 IST
  4. ${Result}      - [{"srcDomain":"aron.name","serviceType":"tcp","value":12},{"srcDomain":"georgiana.net","serviceType":"http","value":312},{"srcDomain":"lou.biz","serviceType":"https","value":111}]


2. data: [ ] 


Note - For additional parameters, refer to "How to setup merge parameters for alert action?"


Conclusion

The table below lists the domains and service types that passed the threshold value of 100:

srcDomain       serviceType   count
aron.name       tcp           21
georgiana.net   http          20
lou.biz         https         14


5. Lost/Stolen Device

Alert when there is any access from a lost/stolen device with a given MAC address, say "35:6e:5e:de:b5:61"; the alert provides the country and city of the lost/stolen device's location. The MAC address, country and city are identified by the fields "srcMac", "srcCountry" and "srcCity" respectively.

Need to notify the user of the country and city of the stolen device's location.


Notification Types: Email


User Inputs

You can set up the alerts in Skedler-Alert as given below, 



Notification received via Email

Hi,

Alert has been triggered for alert Lost-stolen Device on 19-03-2017 15:53:50 IST


Time Window - Sun Mar 19 2017 14:53:50 IST - Sun Mar 19 2017 15:53:50 IST


Final Result

srcCountry   srcCity   Count
Japan        Tokyo     1


Thanks


Conclusion

The table below shows the country and city from which the lost/stolen device with MAC address "35:6e:5e:de:b5:61" was accessed:

srcCountry   srcCity   Count
Japan        Tokyo     1

