ATH Example: Half-Opened Sessions
We will create a threat hunting playbook that looks for a device with too many half-opened sessions in a short period of time. A half-opened session is a TCP handshake that was started but never completed, which is the trace left by SYN scans and SYN floods; a single source that accumulates many of them in a short window is worth investigating.
Configure the Alert
We want an alert that runs a query every 30 minutes on the Traffic index.
To configure the alert:
- Click Respond | Automation.
- Click the Create button to add a playbook.
- Enter a name for the playbook. We entered Too Many Half-Opened Sessions.
- Set the Schedule type to interval.
- Set it to run every 30 minutes over all selected tenants.
- Choose the tenants and tenant groups on which to run. We chose All Tenants.
- Set the index to Traffic.
- Leave the Rule Type as Query.
Build a Query
We want a query that matches records whose state is HalfOpened, groups the matches by source IP address, and keeps the 1,000 source IPs with the most matches.
To build the query:
- Click New Query. The screen changes to Build a Query.
- Enter a Query Name. We entered Half-Opened State.
- Click Add Condition.
- Enter state in the Field.
- Leave the Operator as is.
- Enter HalfOpened for the argument.
- Click the toggle for Calculations.
- Click to add a calculation.
- Enter a Name for the calculation. We entered Top List.
- Leave the Calculation type as Top.
- Choose srcip as the Field to calculate on.
- Leave the Calculation By as count.
- Set the Size to 1000.
- Click Save to save the query. The screen changes to display the saved query in Domain Specific Language (DSL).
Configure a Condition
We want a condition that triggers our actions if at least one source IP in the Top List has 3 or more half-opened sessions in the query results.
To configure this condition:
- Enter a Condition Name. We entered More Than 3.
- Select Compare List for the Type.
- Set the Comparison to At least one, Result counts of Top List, is greater than or equal to, and 3.
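The query, the Top List calculation and the More Than 3 condition together form one detection pipeline. The following Python is an added example (not code from the page or from the product) that models that pipeline locally so you can see exactly what fires and what does not. The DSL dictionary is an Elasticsearch-style approximation of what the query builder saves; the exact DSL the platform emits is not shown on the page and is an assumption here, while the field names state, HalfOpened and srcip are taken from the walkthrough. The Traffic records are constructed sample data.

```python
"""Local model of the 'Too Many Half-Opened Sessions' playbook logic (added example)."""
from collections import Counter

# Assumed Elasticsearch-style DSL for the saved query: a term filter on
# state == HalfOpened plus a Top-N terms aggregation on srcip (size 1000).
HALF_OPEN_QUERY = {
    "query": {"term": {"state": "HalfOpened"}},
    "aggs": {"Top List": {"terms": {"field": "srcip", "size": 1000}}},
}

# The "More Than 3" condition: at least one Top List bucket with count >= 3.
THRESHOLD = 3

# Constructed sample Traffic records for one 30-minute window.
# 10.0.0.5 probes four ports without completing a handshake (scan-like);
# 10.0.0.7 leaves two half-open sessions; 10.0.0.9 mostly completes its sessions.
SAMPLE_TRAFFIC = [
    {"srcip": "10.0.0.5", "dstip": "192.168.1.10", "dstport": 22, "state": "HalfOpened"},
    {"srcip": "10.0.0.5", "dstip": "192.168.1.10", "dstport": 80, "state": "HalfOpened"},
    {"srcip": "10.0.0.5", "dstip": "192.168.1.10", "dstport": 443, "state": "HalfOpened"},
    {"srcip": "10.0.0.5", "dstip": "192.168.1.10", "dstport": 3389, "state": "HalfOpened"},
    {"srcip": "10.0.0.7", "dstip": "192.168.1.20", "dstport": 443, "state": "HalfOpened"},
    {"srcip": "10.0.0.7", "dstip": "192.168.1.21", "dstport": 443, "state": "HalfOpened"},
    {"srcip": "10.0.0.9", "dstip": "192.168.1.30", "dstport": 443, "state": "HalfOpened"},
    {"srcip": "10.0.0.9", "dstip": "192.168.1.30", "dstport": 443, "state": "Established"},
    {"srcip": "10.0.0.9", "dstip": "192.168.1.31", "dstport": 80, "state": "Established"},
]


def run_query(records, dsl):
    """Apply the term filter and the Top-N terms aggregation to records in memory.

    Returns a dict shaped like a search response: total matched hits plus
    buckets ordered by doc_count, truncated to the aggregation's size.
    """
    field, value = next(iter(dsl["query"]["term"].items()))
    matched = [r for r in records if r.get(field) == value]

    agg_name, agg = next(iter(dsl["aggs"].items()))
    agg_field = agg["terms"]["field"]
    size = agg["terms"]["size"]

    counts = Counter(r[agg_field] for r in matched if agg_field in r)
    buckets = [{"key": k, "doc_count": c} for k, c in counts.most_common(size)]
    return {"hits": len(matched), "aggregations": {agg_name: buckets}}


def condition_at_least_one(result, agg_name="Top List", threshold=THRESHOLD):
    """'At least one, Result counts of <agg_name>, is greater than or equal to, threshold'.

    Returns every bucket that satisfies the comparison; the condition is true
    when that list is non-empty.
    """
    return [b for b in result["aggregations"][agg_name] if b["doc_count"] >= threshold]


def evaluate_playbook(records, dsl=HALF_OPEN_QUERY, threshold=THRESHOLD):
    """Run the query and the condition for one scheduled interval."""
    result = run_query(records, dsl)
    offenders = condition_at_least_one(result, threshold=threshold)
    return {"triggered": bool(offenders), "hits": result["hits"], "offenders": offenders}


if __name__ == "__main__":
    outcome = evaluate_playbook(SAMPLE_TRAFFIC)
    print("triggered:", outcome["triggered"], "half-open hits:", outcome["hits"])
    for b in outcome["offenders"]:
        print(f"  {b['key']} has {b['doc_count']} half-opened sessions")
```

Note that the condition fires on a single source IP crossing the threshold, not on the total number of half-opened records, so 10.0.0.7 and 10.0.0.9 do not trigger it even though the window holds seven half-open hits in total. The threshold of 3 per 30 minutes is the walkthrough's value; retransmissions and flaky services also leave half-open sessions, so in production you would baseline normal traffic and raise it before wiring the playbook to disruptive actions.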
Configure Actions
You can configure any number of actions to take place if your playbook gets the specified number of hits. The Trigger on condition is set automatically to the condition you created; confirm that it is the one you intend. In this example, that's More Than 3.
See Configure Actions for details on configuring each type of action.
Save & Run the Playbook
Click Submit to save and immediately run the playbook. Your new playbook is displayed in the playbook list.