Hi Nick,
Thank you for putting time into this example. I am beginning to suspect the only thing that you and others on the list are worried about is kryptonite.

Thanks for your help,
Tom.

From: Nick Allen <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, January 28, 2020 at 8:15 AM
To: "[email protected]" <[email protected]>
Subject: Re: Stellar and distinct count

Hi Tom -

> If the login points are geographic outliers, then:
> - Check if there are more than two distinct IP addresses that the person has
> used; and
> - If there are more than two distinct IP addresses, increase the score.

I believe you could do something like the following. This would touch Enrichments, the Profiler, and Threat Triage.

(I) Enrichments

We need to create some enrichments that define what a geographic outlier is and assign a username to each IP address.

1. Create an enrichment that marks geographic outliers. For example, geo_outlier = true.
2. Create an enrichment that assigns a username. For example, username = tyerex.

After Enrichment, you have some telemetry that looks something like this.

  {
    "source.type": "toms-ip-feed",
    "ip_addr": "a.b.c.d",
    "geo_outlier": "true",
    "username": "tyerex",
    ..
  }

(II) Profiler

Create a Profile that counts the number of distinct IP addresses for each user. Here we can use the Profiler along with a data sketch, specifically HLLP. This kind of distinct count is similar to Example 3 in the documentation [1].

  {
    "profile": "disinct-ip-by-user",
    "onlyif": "source.type == 'toms-ip-feed' and geo_outlier == true",
    "foreach": "username",
    "update": {
      "ips": "HLLP_ADD(ips, ip_addr)"
    },
    "result": {
      "triage": {
        "ip_count": "HLLP_CARDINALITY(ips)"
      }
    }
  }

We are going to use the "triage" functionality so that the output of the Profiler goes to Threat Triage. The Profiler will produce a message that is sent to the 'enrichments' topic and thus Enrichment and Threat Triage. The message coming out of the Profiler will look something like this.

  {
    "ip_count": "7",
    "source.type": "profiler",
    "profile": "disinct-ip-by-user",
    "entity": "tyerex",
    "period": 1234456,
    "period.start": 1426349294842,
    "period.end": 1426350194842,
    "timestamp": 1426350199232,
    "is_alert": true
  }

(III) Threat Triage

Now create a set of threat triage rules that score this new source of telemetry coming from the Profiler. The 'entity' field will contain the username and the 'ip_count' field will contain the distinct count of IP addresses for each user.

Hope this helps spark some ideas about how you might implement your use case.

[1] https://metron.apache.org/current-book/metron-analytics/metron-profiler-common/index.html#Examples

On Wed, Jan 15, 2020 at 5:39 PM Yerex, Tom <[email protected]> wrote:

Good afternoon,

We are working on enhancements from the geographic login outliers from hxxps://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html. The original solution works very well, thank you to those who put in the work creating documentation, developing Stellar, and of course Metron.

A common scenario that frustrates us is when someone uses a VPN service. The use of VPN services is common to certain geographic regions and this type of activity usually shows up as someone connecting from two diverse geographic locations using the same two IP addresses (one for home and the other using a VPN).

I would like to enhance the original example with something that roughly does this:

If the login points are geographic outliers, then:
- Check if there are more than two distinct IP addresses that the person has used; and
- If there are more than two distinct IP addresses, increase the score.

The idea is to adjust the score based on the number of IP address access points so we prioritize our focus on someone using 20 different IP addresses rather than someone only using two.

If someone has another approach, I would appreciate any guidance. For now, I'm digging into Stellar syntax to see if we can figure out a solution there.
Thank you, Tom.
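The following is an added, stand-alone Python simulation of the three stages Nick lays out (enrichment adds geo_outlier and username; the profiler counts distinct IPs per user per period, gated by the onlyif clause; threat triage scores the profiler message by ip_count). It is example code written for this page, not code from the thread, from Metron, or from Stellar. Assumptions beyond what the thread states: an exact set replaces the HLLP sketch (so the counts are exact where HLLP_CARDINALITY would be an estimate), a 15-minute profile period (matching the 900000 ms between period.start and period.end in the sample profiler message), a constructed home-country lookup in place of the real geo-outlier enrichment, the sample telemetry, and the triage rules, scores and MAX aggregation.

```python
"""
Simulation of enrich -> profile -> triage for a distinct-IP-per-user score.
Illustrative Python, not Metron/Stellar code.  An exact set stands in for
the HLLP sketch; the geo-outlier check, period length, sample events and
triage scores are all assumptions made for this example.
"""
from collections import defaultdict

# Assumption: a 15-minute profile period (900000 ms, the span between
# period.start and period.end in the thread's sample profiler message).
PERIOD_MS = 15 * 60 * 1000
PROFILE_NAME = "distinct-ip-by-user"

# Constructed stand-in for the geo-outlier enrichment: each user's home
# country and the country each IP geolocates to (RFC 5737 test addresses).
HOME_COUNTRY = {"tyerex": "CA", "nallen": "US", "bob": "US"}
IP_COUNTRY = {
    "192.0.2.10": "CA", "192.0.2.20": "US", "192.0.2.30": "US",
    "198.51.100.7": "DE", "198.51.100.8": "DE",
    "203.0.113.9": "NL", "203.0.113.10": "NL",
}

# Constructed sample login telemetry; all timestamps fall in one period.
RAW_EVENTS = [
    {"source.type": "toms-ip-feed", "timestamp": 1426349300000, "user": "tyerex", "ip_addr": "192.0.2.10"},
    {"source.type": "toms-ip-feed", "timestamp": 1426349310000, "user": "tyerex", "ip_addr": "198.51.100.7"},
    {"source.type": "toms-ip-feed", "timestamp": 1426349320000, "user": "tyerex", "ip_addr": "203.0.113.9"},
    {"source.type": "toms-ip-feed", "timestamp": 1426349330000, "user": "tyerex", "ip_addr": "203.0.113.9"},  # repeat IP
    {"source.type": "toms-ip-feed", "timestamp": 1426349340000, "user": "tyerex", "ip_addr": "203.0.113.10"},
    {"source.type": "toms-ip-feed", "timestamp": 1426349350000, "user": "nallen", "ip_addr": "192.0.2.20"},
    {"source.type": "toms-ip-feed", "timestamp": 1426349360000, "user": "nallen", "ip_addr": "198.51.100.8"},
    {"source.type": "toms-ip-feed", "timestamp": 1426349370000, "user": "bob", "ip_addr": "192.0.2.30"},
    {"source.type": "other-feed", "timestamp": 1426349380000, "user": "bob", "ip_addr": "198.51.100.8"},  # wrong feed
]


def enrich(event):
    """Stage I: add the username and geo_outlier fields to a raw event."""
    out = dict(event)
    out["username"] = event["user"]
    # Outlier if the IP's country differs from the user's home country.
    out["geo_outlier"] = IP_COUNTRY.get(event["ip_addr"]) != HOME_COUNTRY.get(event["user"])
    return out


def profile(enriched):
    """Stage II: one profiler message per (user, period) with the distinct IP count.

    Mirrors the profile's onlyif / foreach / update / result clauses; a set
    stands in for the HLLP sketch.
    """
    ips = defaultdict(set)
    for m in enriched:
        if m["source.type"] != "toms-ip-feed" or not m["geo_outlier"]:  # onlyif
            continue
        period = m["timestamp"] // PERIOD_MS
        ips[(m["username"], period)].add(m["ip_addr"])  # foreach username; update
    return [
        {   # result -> triage: the shape of the message the Profiler emits
            "source.type": "profiler",
            "profile": PROFILE_NAME,
            "entity": user,
            "period": period,
            "period.start": period * PERIOD_MS,
            "period.end": (period + 1) * PERIOD_MS,
            "ip_count": len(seen),
            "is_alert": True,
        }
        for (user, period), seen in sorted(ips.items())
    ]


# Assumed triage rules: (name, predicate on the profiler message, score).
# Tiers rank a user on 20 outlier IPs above a user on two, as Tom asked.
TRIAGE_RULES = [
    ("geo-outlier-login", lambda m: m["ip_count"] >= 1, 10),
    ("more-than-two-ips", lambda m: m["ip_count"] > 2, 20),
    ("ten-or-more-ips", lambda m: m["ip_count"] >= 10, 50),
]


def triage(msg):
    """Stage III: score a profiler message as the MAX of matching rules (assumed aggregation)."""
    if msg.get("source.type") != "profiler" or msg.get("profile") != PROFILE_NAME:
        return 0
    return max((score for _, pred, score in TRIAGE_RULES if pred(msg)), default=0)


def run_pipeline(raw_events):
    """Run all three stages; return {entity: {"ip_count": n, "score": s}}."""
    return {
        m["entity"]: {"ip_count": m["ip_count"], "score": triage(m)}
        for m in profile(enrich(e) for e in raw_events)
    }


if __name__ == "__main__":
    for user, r in run_pipeline(RAW_EVENTS).items():
        print(f"{user}: {r['ip_count']} distinct outlier IPs -> score {r['score']}")
```

With the constructed events, tyerex logs in from three distinct non-home IPs (a fourth event repeats one of them, so it does not raise the count) and scores 20; nallen has one outlier IP and scores 10; bob never passes the onlyif gate, so no profiler message and no score is produced for that user.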
smime.p7s
Description: S/MIME cryptographic signature
