ATH Example: No Data From Sensor

We will create a threat hunting playbook that looks for a sensor that hasn't transmitted any data for 15 minutes.

Configure the Alert

We want an alert that runs a query every 5 minutes on the Monitoring index.

To configure the alert:

  1. Click Respond | Automation.

  2. Click the Create button to add a playbook.

  3. Enter a name for the playbook. We entered No Data From Sensor.

  4. Set the Schedule type to interval.

  5. Set it to run every 5 minutes over all selected tenants.

  6. Choose the tenants and tenant groups on which to run. We chose All Tenants.

  7. Set the index to Sensor Monitoring.

  8. Leave the Rule Type as Query.

Build a Query

We want a query that looks for no change in bytes transmitted from a specific sensor.

To build the query:

  1. Click New Query. The screen changes to Build a Query.

  2. Enter a Query Name. We entered Sensor Data Outbytes.

  3. Click Add Condition.

  4. Enter engid in the Field. This is the ID of the sensor.

  5. Leave the Operator as is.

  6. Enter the sensor ID for the Value.

  7. Click Add Condition.

  8. Enter out_bytes_delta in the Field.

  9. Leave the Operator as is.

  10. Enter 0 for the Value.

  11. Click Save to save the query. The screen changes to display the saved query in Domain Specific Language (DSL).

Configure a Condition

We want a condition that triggers our actions when the query returns 3 consecutive hits. At a 5-minute run interval, that indicates no change in data from the sensor for 15 minutes.

To configure this condition:

  1. Enter a Condition Name. We entered 3 Consecutive.

  2. Select Compare Value for the Type.

  3. Set the Comparison to Total Hits, is greater than or equal to, and 3.
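The following Python script is an added example, not part of the original playbook documentation or the product's own code. It models the saved query (engid matches the sensor and out_bytes_delta is 0) and the "3 Consecutive" condition (Total Hits greater than or equal to 3) over constructed monitoring records, and also shows the case where a sensor goes quiet for one sample and then resumes, which must not trigger. The record layout, the 15-minute lookback window and the email text are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed record layout using the field names the playbook queries
# (engid, out_bytes_delta); the layout itself is an assumption for this example.
@dataclass(frozen=True)
class MonitoringRecord:
    ts: int                # sample time, epoch seconds
    engid: str             # sensor ID
    out_bytes_delta: int   # bytes transmitted since the previous sample

INTERVAL = 300                 # the playbook runs every 5 minutes
MIN_HITS = 3                   # condition: Total Hits >= 3
LOOKBACK = INTERVAL * MIN_HITS  # 15-minute query window (assumed)


def query_hits(records, sensor_id, now, lookback=LOOKBACK):
    """Equivalent of the saved query: engid == sensor_id AND out_bytes_delta == 0,
    restricted to the lookback window ending at `now`."""
    return [r for r in records
            if r.engid == sensor_id
            and r.out_bytes_delta == 0
            and now - lookback < r.ts <= now]


def condition_met(records, sensor_id, now):
    """The '3 Consecutive' condition: Total Hits is greater than or equal to 3."""
    return len(query_hits(records, sensor_id, now)) >= MIN_HITS


def build_email(sensor_id, hits):
    """Action: subject and body of the email the playbook would send (constructed text)."""
    subject = "Sensor Down?"
    body = (f"Sensor {sensor_id} reported out_bytes_delta == 0 in {len(hits)} "
            f"consecutive 5-minute samples; it may have stopped transmitting.")
    return subject, body


def run_playbook(records, sensor_ids, now):
    """One scheduled run over the listed sensors; returns the emails it would send."""
    emails = {}
    for sid in sensor_ids:
        hits = query_hits(records, sid, now)
        if len(hits) >= MIN_HITS:
            emails[sid] = build_email(sid, hits)
    return emails


# Constructed sample data: three 5-minute samples ending at T for two sensors.
T = 1_700_000_000
SAMPLE_RECORDS = [
    MonitoringRecord(T - 600, "sensor-A", 0),
    MonitoringRecord(T - 300, "sensor-A", 0),
    MonitoringRecord(T,       "sensor-A", 0),        # A: silent for all 15 minutes
    MonitoringRecord(T - 600, "sensor-B", 0),
    MonitoringRecord(T - 300, "sensor-B", 18_432),   # B: one quiet sample, then traffic
    MonitoringRecord(T,       "sensor-B", 0),
]

if __name__ == "__main__":
    for sid, (subject, body) in run_playbook(SAMPLE_RECORDS, ["sensor-A", "sensor-B"], T).items():
        print(f"[{sid}] {subject}: {body}")
```

Only sensor-A produces an email: it has three zero-delta samples in the window, while sensor-B has two, so a single quiet interval does not page anyone. Shortening LOOKBACK or lowering MIN_HITS is the trade-off between catching an outage sooner and alerting on ordinary idle periods.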

Configure Actions

You can configure any number of actions to take place if your playbook gets the specified number of hits.

For our example we want an email:

  1. Choose the trigger condition you entered. Ours is 3 Consecutive.

  2. Choose Email for the Type.

  3. Choose Recipients. To add a new recipient, see Adding a Recipient.

  4. Enter a Subject. We entered Sensor Down?.

  5. Set your Priority.

  6. Select the Include Interflow check box if you want the Interflow record included with the email.

  7. Enter your Email Body. We included a short sentence explaining why the recipient is getting the email.

See Configure Actions for details on configuring each type of action.

Save & Run the Playbook

Click Submit to save and immediately run the playbook. Your new playbook is displayed in the playbook list.