FAQs

Assets

What are best practices for asset management?

The key to asset management is regular review of your account. Once a week, look through your asset list and track, merge, or open an incident on any untracked assets you find. Doing this on a regular basis keeps your asset list clean and tidy. See Assets for more recommendations and instructions.

What do I do if I see a suspicious untracked asset?

If you see an untracked asset that you believe should not be sending data to your network, the best way to investigate is to create a ticket directly from the untracked asset, naming Guardian as the owner. Once the ticket is created, an email is sent to the TRAC Team, who look for malicious activity.

Data Retention

What is cold storage?

As part of DefenseStorm's data retention, we keep 90 days' worth of searchable event data as live storage. Any event data older than 90 days is considered cold storage. If you need data from cold storage for any reason, such as auditing or investigative purposes, simply submit a request to DefenseStorm.

How do I request my data stored in cold storage?

Open a new Connect Support Ticket to DefenseStorm with the specific information regarding the data you wish to have restored. The specific information could simply be a date range, certain users within a date range, or even certain machines within a date range.

How long does it take to restore requested data?

The time frame for restoring cold data is dependent on how much data is requested and other network factors. Estimates are provided on a case-by-case basis after DefenseStorm has an opportunity to review all relevant and necessary details. This ensures accuracy and that your estimate is specific to you and your restore needs.

Elasticsearch Boolean Logic

Grouping is extremely important when using boolean logic in your queries, because Elasticsearch, the underlying engine, does not apply the operator precedence you might expect to AND and OR written without parentheses. The implications are that you may miss events in a search, or, if the query is used as a classifier, you may unintentionally include or exclude events.

In any classifier that contains OR terms and no parentheses, read it as follows: any term touching an OR is optional. Whenever an OR is used, all of the OR terms must be grouped in a set of parentheses. In some cases this means the AND terms must be parenthesized as well. See below for examples.

Classifier Rule (ThreatMatch Drop Denied), written without grouping:

  • app_name:"Cisco ASA" AND Deny OR denied OR discarded

Because Deny, denied and discarded each touch an OR, they become optional, so the rule can match as broadly as the following search, which matches every Cisco ASA event:

  • app_name:"Cisco ASA"

To make the OR required, the classifier rule should be written as:

  • app_name:"Cisco ASA" AND (Deny OR denied OR discarded)
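The following is an added example, not DefenseStorm tooling or a query the page provides: a small Python lint that tokenizes a classifier or search string and reports every parenthesis level that mixes AND and OR without further grouping, which is exactly the pattern the rule above warns about. The tokenizer handles only a subset of the query syntax (field:"quoted phrase", bare words, field:value, AND/OR, parentheses); it does not model the default operator between two bare terms, so adjacent terms with no operator are not checked. The sample queries in the comments are constructed from the Cisco ASA rule shown above.

```python
import re

# Tokens: field:"quoted phrase" or bare "quoted phrase", a parenthesis, or any
# other run of characters up to whitespace/parenthesis (field:value, words,
# AND/OR/NOT). Quoted phrases are kept whole so "Cisco ASA" is one token.
_TOKEN = re.compile(r'[^\s()"]*"[^"]*"|\(|\)|[^\s()"]+')


def tokenize(query: str) -> list:
    """Split a query into tokens; unterminated quotes are silently dropped."""
    return _TOKEN.findall(query)


def mixed_operator_levels(query: str) -> list:
    """Return one finding per parenthesis level that contains both AND and OR.

    Each finding is {"depth": n, "AND": [token indexes], "OR": [token indexes]}.
    An empty list means every OR is grouped away from any AND, which is the
    rule this page asks classifier authors to follow. Raises ValueError on
    unbalanced parentheses, which would be a broken classifier anyway.
    """
    findings = []
    # One frame per open parenthesis; frame 0 is the top level of the query.
    stack = [{"depth": 0, "AND": [], "OR": []}]
    for i, tok in enumerate(tokenize(query)):
        if tok == "(":
            stack.append({"depth": len(stack), "AND": [], "OR": []})
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError(f"unbalanced ')' at token {i}")
            frame = stack.pop()
            if frame["AND"] and frame["OR"]:
                findings.append(frame)
        elif tok.upper() in ("AND", "OR"):
            stack[-1][tok.upper()].append(i)
    if len(stack) != 1:
        raise ValueError("unbalanced '(' in query")
    top = stack[0]
    if top["AND"] and top["OR"]:
        findings.append(top)
    return findings


if __name__ == "__main__":
    # Constructed samples: the ungrouped rule and its corrected form.
    for q in ('app_name:"Cisco ASA" AND Deny OR denied OR discarded',
              'app_name:"Cisco ASA" AND (Deny OR denied OR discarded)'):
        print(q, "->", mixed_operator_levels(q) or "ok")
```

Run it over an export of your classifier rules before saving them; any non-empty result points at the level where parentheses are missing, with token indexes into `tokenize(query)` so the offending operators can be highlighted.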

Event Fields and Descriptions

Field Name | Description | Similar Fields
action | The action taken | taken_action
api_key | The DefenseStorm API key used to send the message. Usually one per DefenseStorm Virtual Machine; for cloud integrations, a unique ID per integration. |
bytes | |
category | The type of the message; app_name dependent | type, subcategory, event_type, channel
connection_direction | DefenseStorm's best guess at whether this is an outbound, inbound, or internal connection |
dest_port | Destination port |
domain | The Windows domain associated with the request | user_domain, target_domain, account_domain, used_account_domain, caller_domain, group_domain, network_account_domain, ad_domain, subject_domain_name, new_account_domain, target_domain_name
endpoint_ip | All the IP addresses that could be considered on your network |
event_id | The event ID (if any) associated with the event |
file_hash | The MD5, SHA1, SHA256, or similar hash value of the file | hash
file_name | The name or path of the file associated with the event | file_path, src_file_name, dest_file_name, target_filename, old_file_path, new_file_path
geo_dest | Destination geographic information |
geo_src | Source geographic information |
group_name | The name of the group that the event acts on |
hostname | Usually the name of the machine sending the message | src_hostname, dest_hostname, client_hostname, sensor_hostname, global_hostname, local_hostname, src_translated_hostname, dest_translated_hostname, real_hostname, map_hostname
http_host | The HTTP host of the HTTP request | dest_host
http_path | The path portion of the HTTP URI | path
http_url | The HTTP URI of the request | url
http_user_agent | The User-Agent associated with the request | user_agent
image | The path to the executable being run | process, process_name, process_command_line
ingestion_timestamp | The actual time DefenseStorm received the message |
ip_dest | Destination IP address |
ip_foreign | |
ip_global | |
ip_local | |
ip_src | Source IP address |
ip_type_dest | Private, Public, Reserved, or Multicast classification of the destination IP address |
ip_type_src | Private, Public, Reserved, or Multicast classification of the source IP address |
logon_type | The Windows logon type |
mac_address | The MAC address for the event |
message | A human-readable description of the event | unparsed_message, expanded_message, short_message
protocol | Usually TCP or UDP | ip_protocol, layer6_protocol, layer7_protocol
received_bytes | |
sensor_ip | The IP address of the machine generating the message |
sent_bytes | |
severity | NONE, LOW, MEDIUM, HIGH |
src_port | Source port |
timestamp | The time the message claims to have been generated, as reported by the source (compare ingestion_timestamp) | nx_timestamp, event_received_timestamp, creation_timestamp, logged_timestamp, registration_timestamp
total_bytes | |
user_name | The name of the user involved in the event | user, account_name, target_user_name, username, user_id, subject_user_name, new_account_name
unparsed_extended_message | Windows event log messages may have a section Windows names the "extended message". unparsed_extended_message holds the parts of the long-form Windows event log message for which the DefenseStorm platform had no specific field match (i.e., could not parse completely). | unparsed_message
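As an added example (not DefenseStorm's own enrichment code, whose exact rules the page does not state), the script below shows one way the ip_type_src, ip_type_dest and connection_direction fields in the table can be derived from ip_src and ip_dest using Python's standard ipaddress module. The Private/Public/Reserved/Multicast buckets follow the table; the direction heuristic (private-to-public is outbound, public-to-private is inbound, private-to-private is internal) and the optional endpoint_networks argument, which plays the role of endpoint_ip by declaring which ranges count as your network, are assumptions of this example. All sample addresses are constructed.

```python
import ipaddress


def ip_type(addr: str) -> str:
    """Bucket an IPv4/IPv6 address as Private, Public, Reserved or Multicast.

    Order matters: loopback and link-local addresses are also 'private' in
    the ipaddress module, so they are classified as Reserved first.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "Multicast"
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_reserved:
        return "Reserved"
    if ip.is_private:
        return "Private"
    return "Public"


def connection_direction(ip_src: str, ip_dest: str, endpoint_networks=()) -> str:
    """Best guess at direction: 'outbound', 'inbound', 'internal' or 'unknown'.

    endpoint_networks is an iterable of CIDR strings describing your own
    address space (an assumed stand-in for the endpoint_ip field). When it is
    empty, every Private address is assumed to be on your network. 'unknown'
    (not one of the page's three values) is returned when neither side is
    yours, e.g. for traffic logged by a transit device.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in endpoint_networks]

    def is_local(addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if nets:
            return any(ip in net for net in nets)
        return ip_type(addr) == "Private"

    src_local, dst_local = is_local(ip_src), is_local(ip_dest)
    if src_local and dst_local:
        return "internal"
    if src_local:
        return "outbound"
    if dst_local:
        return "inbound"
    return "unknown"


def enrich(event: dict, endpoint_networks=()) -> dict:
    """Return a copy of an event dict with the three derived fields added."""
    out = dict(event)
    out["ip_type_src"] = ip_type(event["ip_src"])
    out["ip_type_dest"] = ip_type(event["ip_dest"])
    out["connection_direction"] = connection_direction(
        event["ip_src"], event["ip_dest"], endpoint_networks)
    return out


if __name__ == "__main__":
    # Constructed sample events; 8.8.8.8 stands in for any public destination.
    for ev in ({"ip_src": "10.0.0.5", "ip_dest": "8.8.8.8"},
               {"ip_src": "10.0.0.5", "ip_dest": "224.0.0.251"}):
        print(enrich(ev))
    # Declaring your own ranges changes the answer: a second 10/8 range that
    # is not yours (a partner network over VPN, say) is no longer 'internal'.
    print(connection_direction("10.20.1.5", "10.99.0.7", ["10.20.0.0/16"]))
```

The practical point for searches is that connection_direction is only as good as the network definition behind it: if your organisation owns public address space, or shares RFC 1918 space with partners, the Private/Public shortcut mislabels traffic, which is why the table lists endpoint_ip separately.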

Input Token

What is an Input Token?

An input token is a system generated administrative user account created during the initial setup and configuration of DefenseStorm ground services. The system uses your email and password to create the tokens. The input token also contains the DefenseStorm Key and Secret; which may be necessary for some application integrations.

Click the Settings tab (gear icon) > Input Tokens.

How does it relate?

The Input Token is how events are authenticated. You can use the aggregate feature to filter down your events to display which Input Token is generating the most events. The api_key filter name is the Input Token key.  

Login

What do I do after my user has been created?

When your User ID is set up in the console you receive an email with a link (or copy and paste the link into your browser) to complete the setup. This displays a field for your desired password.

I forgot my password

If you forget your password, follow these steps to set a new one.

STEP 1: Go to https://console.defensestorm.com/#/login

STEP 2: Select "Forget your password?"

STEP 3: Enter your email address and select Reset Password.

Preventing Automatic Logout

You can disable the inactivity timeout; you then stay logged in for as long as the tab is open and your computer is awake. Leave the timeout enabled on shared or unattended workstations, since an open console session is a live credential.

Click the down arrow next to your name in the GRID UI and select the option to disable 'Inactivity Timeout'.

Sending Data to DefenseStorm

Log into the DVM (via SSH, or through the VM console method of your choice) and select option #12, "Send Diagnostic Information", in the DVM menu.

Supported Parsers

Parsers displayed in bold are either new or have updated parser fields.

  • AD Audit Plus
  • ADFS
  • ADTran
    • Switch (NetVanta)
  • Allied Telesis
  • ArubaOs
  • Barracuda
    • Barracuda SSL VPN
    • Web Security Gateway
  • Bit9
  • Bro Files
  • Carbon Black
    • CarbonBlackDefense (CBDefense)
    • Carbon Black Server 8.x (+ all previous versions)
  • Checkpoint
  • Cisco
    • 2504 Series
    • 4500 Series
    • 2921 Parser for IOS VoIP Router
    • Prime Parser
    • SourceFire
    • 9396 NXOS Core Router
    • Security
    • Identity Services Engine (ISE)
    • C2921 VoIP Gateway
    • Meraki
    • 2960 Switch
    • Small Business Router (RV____ models)
  • Defensestorm Integrations Event Format (json parser)
  • DHCP NXLog Error
  • ESXi
  • F5 Load Balancers
  • FireEye
    • NX-Series
  • Fortigate
  • HP
    • ProCurve Switch
  • IBM
    • Proventia Server Intrusion Protection System
  • Infoblox DNS
  • Iprism Webfilter
  • IPS Syslog
  • iSensor Message
  • Juniper
    • NetScreen
    • PulseSecure VPN
    • Switch
    • Firewall
  • McAfee
    • Epo
    • Web Filter
    • Web Gateway
  • Microsoft
    • IIS
  • Mojo Networks
  • NetFlow
  • Nimble Storage
  • PaloAlto
  • Proofpoint
  • Reactor
  • RSA Authentication Manager
  • Sentinel IPS
  • Shortel Logs
  • SNMP Trap
  • Snort
  • Software versions - Instead of showing up as IP addresses, the parser displays the actual software version.
  • SonicWall
    • Messages
    • Firewall
  • Sophos
    • Sophos Cloud Installer / AutoUpdater
    • Sophos XG Firewall
  • Suricata
  • Symantec
    • SEP
    • Server
  • Sysmon (8.0)
  • S3 Log Sources (defensestorm_event_source field)
  • TrendNet
    • Switch
  • VMware
    • ESXi / vSphere
    • vCenter
  • WebSense
    • Websense Email Gateway
  • WebTitan
  • Windows
    • ADFS Audit Logs
    • Windows Agent DHCP (flat-file) logs
    • Application Event Logs
      • Add-on Event Provider
    • Security Audit Logs
    • Events
    • Event Account Change
    • Exchange Server Audit Logs
    • QRadar

Task Schedule

When a task schedule has a query, what is the maximum number of events that are presented in the task?

100 is the maximum number of events displayed in the task.

Think your Network May be Compromised?

STEP 1: Disconnect the problem machine from your network

While we do not promote one solution over any other, we recommend using a network isolation (quarantine) solution to cut the host off from the network. If none is available, disconnect the host from all network connections, wired and wireless. This prevents the malware from spreading or calling home.

STEP 2: Delete any new files or programs that do not belong

New programs and files could contain malware. Deleting these newly installed programs or files could prevent the spread or increased severity of malware. If you may need evidence later, copy the files (or take a disk and memory image) before deleting them, since deletion destroys what an investigation would rely on.

STEP 3: Re-image the machine

After uninstalling new programs and deleting new files, if you still see unsolicited call-outs or unusual application behavior and are not confident the malware was removed, re-image the machine to remove any rootkits. *When a machine is re-imaged, user profiles need to be restored.

STEP 4: User Training

To reduce the risk of malware infection, put the user through remedial training to ensure they understand malware and how it spreads: for example, through spam email, malicious websites, contaminated drives, and even software packages that come with malware pre-installed.

STEP 5: Continued Monitoring

After all the above steps have been completed, continue to monitor the host for a minimum of 7 days to look for unsolicited call outs.

Threat Sharing Sources

All threat sharing sources are used for anomaly detection and are found on the ThreatMatch page of your DefenseStorm console. You can subscribe or unsubscribe from each threat source individually. For more information on ThreatMatch, and how it works with your cybersecurity program, see Using ThreatMatch.

  • AlienVault
  • Bambenek
  • CrimeTracker
  • DefenseStorm
  • DNS-BH
  • DShield
  • FS-ISAC
  • InfraGard
  • Malcode
  • MalwareDomains
  • OpenBL
  • Tor Exit Nodes
  • ZeuS Tracker

Upgrading/Updating my DVM

How do I know when to upgrade my DVM?

DefenseStorm notifies you via Release Notes when there is a new version to be installed.

Am I Eligible to Upgrade Through the DVM?

Within your DVM Main Menu, select Option 8: Get DVM Status to see if a version number is displayed. If your version number does not display, please contact DefenseStorm for upgrade assistance.

How do I upgrade my DVM?

Once you have determined you are eligible to upgrade through the DVM main menu, see The DefenseStorm Virtual Machine for instructions.

How do I send logs from a configured DVM to a new organization/account?

To send logs to a new organization, follow these steps:

  1. Log into the DVM using the console credentials.
  2. In the DVM menu, choose Option 1: "Set DefenseStorm Credentials".
  3. Enter the credentials for the new organization to which you want to send the logs.
  4. Because the DVM is already configured, it asks you to confirm that you want to re-enter your credentials.
  5. Once the new credentials are entered, the DVM reconfigures itself to send logs to the new account.

Windows Audit Log Recommendations 

Within the Windows Operating system, there are audit logs that can be configured to track success or failure of certain events. For example, once audit logs are activated for logon attempts, you can choose to track if a logon attempt is successful, if it fails, or both. Our TRAC Team has prepared examples for each option within the Windows Operating System to help send the most useful logs to your DefenseStorm DVM and reduce noise on your system. 

The following items can be monitored:

  • Changes to user account and resource permissions.
  • Failed attempts by users to log on.
  • Failed attempts to access resources.
  • Changes to system files. 

This link provides the PDF list of TRAC Recommendations.