What are best practices for asset management?
Once a week, look through your asset list and track/merge or open an incident on any untracked assets. Doing this on a regular basis keeps your asset list clean and tidy. See our Assets article for more recommendations and instructions.
What do I do if I see a suspicious untracked asset?
If you see an untracked asset that you believe should not be sending data to your network, the best way to investigate is to create a ticket directly from the untracked asset, naming TRAC as the owner. Once the ticket is created, an email is sent to the TRAC Team, who look for malicious activity.
What is cold storage?
As part of DefenseStorm’s data retention, we keep 90 days' worth of searchable event data as live storage. Any event data older than 90 days is considered cold storage. If you need data from cold storage for any reason, such as auditing or investigative purposes, simply submit a request to DefenseStorm.
How do I request my data stored in cold storage?
Open a new Connect Support Ticket to DefenseStorm with the specific information regarding the data you wish to have restored. The specific information could simply be a date range, certain users within a date range, or even certain machines within a date range.
How long does it take to restore requested data?
The time frame for restoring cold data is dependent on how much data is requested and other network factors. Estimates are provided on a case-by-case basis after DefenseStorm has an opportunity to review all relevant and necessary details. This ensures accuracy and that your estimate is specific to you and your restore needs.
Event Fields and Descriptions
- The DefenseStorm API key used to send the message. Usually one per DefenseStorm Virtual Machine; for Cloud integrations, a unique ID per integration.
- The type of the message (app_name dependent). Aliases: type, subcategory, event_type, channel
- DefenseStorm's best guess at whether this is an outbound, inbound, or internal connection
- The Windows domain associated with the request. Aliases: user_domain, target_domain, account_domain, used_account_domain, caller_domain, group_domain, network_account_domain, ad_domain, subject_domain_name, new_account_domain, target_domain_name
- All the IP addresses that could be considered on your network
- The event ID (if any) associated with the event
- The MD5, SHA1, SHA256 or similar hash value of the file
- The name or path of the file associated with the event. Aliases: file_path, src_file_name, dest_file_name, target_filename, old_file_path, new_file_path
- Destination geographic information
- Source geographic information
- The name of a group that the event acts on
- Usually the name of the machine sending the message. Aliases: src_hostname, dest_hostname, client_hostname, sensor_hostname, global_hostname, local_hostname, src_translated_hostname, dest_translated_hostname, real_hostname, map_hostname
- The HTTP hostname of the HTTP request
- The HTTP path of the URI
- The HTTP URI of the request
- The User Agent associated with the request
- The path to the executable being run. Aliases: process, process_name, process_command_line
- The actual time DefenseStorm received the message
- Destination IP address
- Source IP address
- Private, Public, Reserved, or Multicast IP address classification for the destination
- Private, Public, Reserved, or Multicast IP address classification for the source
- The Windows logon type
- The MAC address for the event
- A human readable description of the event. Aliases: unparsed_message, expanded_message, short_message
- The protocol, usually TCP or UDP. Aliases: ip_protocol, layer6_protocol, layer7_protocol
- The IP address of the machine generating the message
- One of NONE, LOW, MEDIUM, HIGH
- The time the message was allegedly generated. Aliases: nx_timestamp, event_received_timestamp, creation_timestamp, logged_timestamp, registration_timestamp
- The name of the user involved in the event. Aliases: user, account_name, target_user_name, username, user_id, subject_user_name, new_account_name
- unparsed_extended_message: Windows event log messages may have a section Windows names "extended message". The unparsed_extended_message field contains the sections of the long-form Windows event log message for which the DefenseStorm platform did not have specific matches (i.e. could not parse completely). Aliases: unparsed_message
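The two fields above that classify the source and destination address (Private, Public, Reserved or Multicast) and the "outbound, inbound, or internal" direction guess can be derived from a raw event with the standard library. The following Python is an added example, not DefenseStorm code and not the platform's real classifier: the field names `src_ip`, `dest_ip`, `src_ip_class`, `dest_ip_class` and `direction`, the internal network list, and the sample events are all constructed assumptions. It also shows the ordering trap a practitioner hits here: Python's `ipaddress` reports 240.0.0.0/4 as both reserved and private, so the checks must run in a fixed order.

```python
import ipaddress
from typing import Iterable, Optional

# Ranges that count as "on your network" (constructed sample values; in practice
# this list would come from the organization's configured asset ranges).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_ip(ip: str) -> str:
    """Return Private, Public, Reserved or Multicast for one address string.

    Multicast and Reserved are tested before Private because ipaddress marks
    240.0.0.0/4 as both reserved and private; Public is whatever is left.
    Raises ValueError for a malformed address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "Multicast"
    if addr.is_reserved:
        return "Reserved"
    if addr.is_private:
        return "Private"
    return "Public"


def safe_classify(ip: Optional[str]) -> Optional[str]:
    """classify_ip that returns None instead of raising on missing/bad input."""
    if not ip:
        return None
    try:
        return classify_ip(ip)
    except ValueError:  # e.g. a log line where the IP column held garbage
        return None


def on_network(ip: str, networks: Iterable) -> bool:
    """True if the address falls inside any configured internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def connection_direction(src_ip: str, dest_ip: str, networks: Iterable = INTERNAL_NETWORKS) -> str:
    """Best-guess direction from which ends sit inside the configured ranges."""
    src_in = on_network(src_ip, networks)
    dest_in = on_network(dest_ip, networks)
    if src_in and dest_in:
        return "internal"
    if src_in:
        return "outbound"
    if dest_in:
        return "inbound"
    return "unknown"  # neither side is ours, e.g. a relayed third-party log


def enrich(event: dict, networks: Iterable = INTERNAL_NETWORKS) -> dict:
    """Copy the event and add the class and direction fields where derivable."""
    out = dict(event)
    src, dest = event.get("src_ip"), event.get("dest_ip")
    src_class, dest_class = safe_classify(src), safe_classify(dest)
    if src_class:
        out["src_ip_class"] = src_class
    if dest_class:
        out["dest_ip_class"] = dest_class
    # Only guess a direction when both addresses parsed cleanly.
    out["direction"] = (
        connection_direction(src, dest, networks) if src_class and dest_class else "unknown"
    )
    return out


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "dest_ip": "8.8.8.8"},          # workstation -> public resolver
    {"src_ip": "93.184.216.34", "dest_ip": "10.1.2.3"},    # internet -> internal host
    {"src_ip": "10.1.2.3", "dest_ip": "192.168.5.5"},      # internal -> internal
    {"src_ip": "10.1.2.3", "dest_ip": "224.0.0.251"},      # mDNS multicast
    {"src_ip": "not-an-ip", "dest_ip": "8.8.8.8"},         # unparseable source column
]


def enrich_all(events: Iterable[dict]) -> list:
    return [enrich(ev) for ev in events]


if __name__ == "__main__":
    for ev in enrich_all(SAMPLE_EVENTS):
        print(ev)
```

The `unknown` direction for a malformed or missing address is deliberate: silently defaulting to `internal` would hide exactly the events an analyst most wants to look at.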
What is an Input Token?
An input token is a system-generated administrative user account created during the initial setup and configuration of DefenseStorm ground services. The system uses your email and password to create the tokens. The input token also contains the DefenseStorm Key and Secret, which may be necessary for some application integrations.
Click the Settings tab (gear icon) > Input Tokens
How does it relate?
The Input Token is how events are authenticated. You can use the aggregate feature to filter down your events to display which Input Token is generating the most events. The api_key filter name is the Input Token key.
What do I do after my user has been created?
When your User ID is set up in the console, you receive an email with a link to complete the setup (or copy and paste the link into your browser). This displays a field for your desired password.
I forgot my password
If you forget your password, follow these steps to set a new one.
STEP 1: Go to https://console.defensestorm.com/#/login
STEP 2: Select “Forget your password?”
STEP 3: Enter your email address and select Reset Password.
Sending Data to DefenseStorm
Log into the DVM box (via SSH, or through the VM terminal method of your choice) and select option #12, "Send Diagnostic Information", in the DVM menu.
Parsers shown in bold are either new or have updated parser fields.
- AD Audit Plus
- Switch (NetVanta)
- Allied Telesis
- Barracuda SSL VPN
- Web Security Gateway
- Bro Files
  - Supported log files: conn, dhcp, dns, dpd, files, ftp, http, notice, smtp, software, ssh, ssl, syslog, tunnels, weird, snmp, x509. Full Bro log list: https://www.bro.org/sphinx/script-reference/log-files.html
- Carbon Black
- CarbonBlackDefense (CBDefense)
- Carbon Black Server 8.x (+ all previous versions)
- 2504 Series
- 4500 Series
- 2921 Parser for IOS VoIP Router
- Prime Parser
- 9396 NXOS Core Router
- Identity Services Engine (ISE)
- C2921 VoIP Gateway
- 2960 Switch
- Small Business Router (RV____ models)
- SG series switches
- DefenseStorm Integrations Event Format (JSON parser)
- DHCP NXLog Error
- Endian Firewall
- F5 Load Balancers
- ProCurve Switch
- Proventia Server Intrusion Protection System
- Infoblox DNS
- Iprism Webfilter
- IPS Syslog
- iSensor Message
- iSeries PowerTech Interact parser
- PulseSecure VPN
- Web Filter
- Web Gateway
- SQL Audit event for event_Id:33205
- Mojo Networks
- Nimble Storage
- Palo Alto Panorama
- Piledriver log parsing
- RSA Authentication Manager
- Sentinel IPS
- ShoreTel Logs
- SNMP Trap
- Software versions - Instead of showing up as IP addresses, the parser displays the actual software version.
- Sophos Cloud Installer / AutoUpdater
- Sophos XG Firewall
- Sysmon (8.0)
- S3 Log Sources (defensestorm_event_source field)
- Tipping Point IPS
- ESXi / vSphere
- NSX Firewall
- Websense Email Gateway
- ADFS Audit Logs
- Windows Agent DHCP (flat-file) logs
- Windows Agent parser to parse sensor_ip
- Application Event Logs
- Add-on Event Provider
- Application/MSIInstaller message
- Security Audit Logs
- Event Account Change
- Exchange Server Audit Logs
When a task schedule has a query, what is the maximum number of events that are presented in the task?
100 is the maximum number of events.
Think your Network May be Compromised?
STEP 1: Disconnect the problem machine from your network
While we do not promote one solution over any other, we recommend using a sandbox solution to disconnect the host from the network. If none are available, disconnect the host from all network connections. This prevents the malware from spreading or calling home.
STEP 2: Delete any new files or programs that do not belong
New programs and files could contain malware. Deleting these newly installed programs or files could prevent the spread or increased severity of malware.
STEP 3: Re-image the machine
After uninstalling new programs and files, if you still see unsolicited call outs or unusual application behavior and are still unsure whether the malware was deleted, you can re-image the machine to remove any rootkits. Note: when a machine is re-imaged, user profiles need to be re-uploaded.
STEP 4: User Training
To reduce the risk of malware infection, put the user through remedial training to ensure they understand malware and how it can spread: for example, through spam emails, websites, contaminated drives, or even pre-installed on some software packages.
STEP 5: Continued Monitoring
After all the above steps have been completed, continue to monitor the host for a minimum of 7 days to look for unsolicited call outs.
Threat Sharing Sources
All threat sharing sources are used for anomaly detection and are found on the ThreatMatch page of your DefenseStorm console. You can subscribe or unsubscribe from each threat source individually. For more information on ThreatMatch, and how it works with your cybersecurity program, see Using ThreatMatch.
- Tor Exit Nodes
- ZeuS Tracker
Upgrading/Updating my DVM
How do I know when to upgrade my DVM?
DefenseStorm notifies you via Release Notes when there is a new version to be installed.
How do I upgrade my DVM?
See The DefenseStorm Virtual Machine article for instructions.
How do I send logs from a configured DVM to a new organization/account?
To send logs to a new organization, follow these steps:
- Log into the DVM using the console credentials.
- Choose Option 1 on the DVM menu: "Set DefenseStorm Credentials".
- Enter the credentials for the new organization to which you want to send the logs.
- Because the DVM is already configured, it asks you to confirm that you want to re-enter your credentials.
- Once the new credentials are entered, the DVM reconfigures itself to send logs to the appropriate account.
Windows Audit Log Recommendations
Within the Windows operating system, there are audit logs that can be configured to track the success or failure of certain events. For example, once audit logs are activated for logon attempts, you can choose to track whether a logon attempt succeeds, fails, or both. Our TRAC Team has prepared examples for each option within the Windows operating system to help send the most useful logs to your DefenseStorm DVM and reduce noise on your system.
The following items can be monitored:
- Changes to user account and resource permissions.
- Failed attempts by users to log on.
- Failed attempts to access resources.
- Changes to system files.
This link provides the PDF list of TRAC Recommendations.
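Once failure auditing for logon attempts is enabled and those events reach the platform, the second item above ("failed attempts by users to log on") becomes something you can alert on rather than just collect. The following Python is an added example, not DefenseStorm code and not part of the TRAC recommendations: it collapses the user-name aliases from the event-field table into one user value and flags accounts with repeated failed logons inside a short sliding window. Windows Security event ID 4625 ("an account failed to log on") and 4624 (successful logon) are Windows constants; the `event_id` field name, the threshold, the window, and the sample events are constructed assumptions, and `logged_timestamp` is one of the timestamp aliases listed in the table.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESSFUL_LOGON = 4624  # Windows Security: an account was successfully logged on

# User-name aliases from the event-field table, in order of preference.
# For 4625, target_user_name is the account that failed to log on, so it is
# checked before subject_user_name (the account that requested the logon).
USER_ALIASES = [
    "target_user_name", "user", "account_name", "username",
    "user_id", "subject_user_name", "new_account_name",
]


def user_of(event: dict) -> Optional[str]:
    """Return the first populated user alias, or None if the event names no user."""
    for key in USER_ALIASES:
        if event.get(key):
            return event[key]
    return None


def failed_logon_bursts(events: Iterable[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Map user -> largest number of failed logons seen inside any `window` span,
    reported only for users who reach `threshold`. Events may arrive out of order."""
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != FAILED_LOGON:
            continue
        user = user_of(ev)
        if user is None:  # failed logon with no recoverable account: skip, do not crash
            continue
        per_user[user].append(datetime.fromisoformat(ev["logged_timestamp"]))

    hits: Dict[str, int] = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def _ev(user: Optional[str], hhmmss: str, event_id: int = FAILED_LOGON) -> dict:
    """Build one constructed sample event on a fixed date."""
    ev = {"event_id": event_id, "logged_timestamp": f"2024-01-15T{hhmmss}"}
    if user is not None:
        ev["target_user_name"] = user
    return ev


# Constructed sample events, not real audit data.
SAMPLE_EVENTS = (
    [_ev("jdoe", t) for t in ("09:00:00", "09:00:20", "09:00:40", "09:01:00", "09:01:20", "09:01:40")]
    + [_ev("asmith", "09:10:00"), _ev("asmith", "09:12:00")]
    + [_ev("svc_backup", t) for t in ("08:00:00", "08:20:00", "08:40:00", "09:00:00", "09:20:00")]
    + [_ev("jdoe", "09:02:00", SUCCESSFUL_LOGON), _ev(None, "09:03:00")]
)


if __name__ == "__main__":
    for user, count in failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"{user}: {count} failed logons within 5 minutes")
```

The svc_backup account has five failures in total but never five inside one five-minute span, so it stays quiet at the default threshold; that is the difference between counting failures and detecting a burst.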