Once you get past the quick-win stage what's next? Much of the difficulty in threat hunting lies in the sheer volume of data. Once you've monitored everything you need to reconstruct an attack it can quickly become beyond what you can effectively do. One of the most important things you can do to cut through the noise is to utilize a whitelist in your monitoring system for known good or known normal activity. These events will still exist when you need them but will not remind you. Much of the difficulty with threat hunting lies in the sheer volume of data analysis and whitelisting that you can leverage for server environments or have known rows using the segmentation discussed in my previous blog post.
Build profiles for normal activity for other devices. This gives you a quick Germany Email Database overview of any unusual requests from these environments. Start with a summary view of the traffic in your environment, such as the Summary Dashboard. I'll walk you through how I adapted this data for effective monitoring in one of our environments so that you can apply the same techniques to yours. This is a lab environment so there are some immediate things to check. Non-US TLDs are always suspicious unless they are used for a known commercial purpose. This is a great quick win.
Elements can be monitored with additional suffixes to suit your business needs. This is just a default. Summarized requests to view overall traffic You can build a quick custom overview to see how much activity is happening in your internal domain, external public domain and any other local vs non-local resolution To build this you can use a matrix element with event ratio. You are matching a local known domain against the entire set of events with an event ratio matrix element to extract all other information You can use negative filtering in the same ratio element Negative filtering These are examples of filters you can create for a quick lookup.
|手机版|小黑屋|五常同城
( 黑ICP备19004948号-4 )
发表于 2023-3-19 20:11:29
