What are best practices for asset management?
The key to asset management is regular checks of your account. Once a week, look through your asset list and track/merge, or open an incident on, any untracked assets you find. Doing this on a regular basis will keep your asset list clean and tidy. See Assets for more recommendations and instructions.
What do I do if I see a suspicious untracked asset?
If you see an untracked asset that you believe should not be sending data to your network, the best way to investigate is to create a ticket directly from the untracked asset, naming Guardian as the owner. Once the ticket is created, an email is sent to the TRAC Team where they look for malicious activity.
What is cold storage?
As part of DefenseStorm’s data retention, we keep 90 days' worth of searchable event data as live storage. Any event data older than 90 days is considered cold storage. If you need data from cold storage for any reason, such as auditing or investigative purposes, simply submit a request to DefenseStorm.
How do I request my data stored in cold storage?
Open a new Connect Support Ticket to DefenseStorm with the specific information regarding the data you wish to have restored. The specific information could simply be a date range, certain users within a date range, or even certain machines within a date range.
How long does it take to restore requested data?
The time frame for restoring cold data is dependent on how much data is requested and other network factors. Estimates are provided on a case-by-case basis after DefenseStorm has an opportunity to review all relevant and necessary details. This ensures accuracy and that your estimate is specific to you and your restore needs.
Elasticsearch Boolean Logic
Grouping is extremely important when using boolean logic in your queries because Elasticsearch, the underlying engine, doesn't behave exactly as expected. The implications are that you may miss something in a search or you may unintentionally exclude events if using classifiers.
In any classifier where there are OR terms and no parentheses, the way to read it is that any term touching an OR is optional. Whenever an OR is used, all the OR terms must be grouped in a set of parentheses. In certain cases this requires also parenthesizing the AND terms. See below for examples.
Classifier Rule - (ThreatMatch Drop Denied), written without parentheses:
- app_name:"Cisco ASA" AND Deny OR denied OR discarded
Read this way, Deny, denied and discarded are all optional, so the rule matches the same events as the following search, i.e. anything from the Cisco ASA:
- app_name:"Cisco ASA"
To make the OR group required, the classifier rule should be written as:
- app_name:"Cisco ASA" AND (Deny OR denied OR discarded)
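The grouping rule above as an added example, not DefenseStorm's own code: a small Python linter that tokenizes a classifier rule, reports any run of OR terms sitting outside parentheses, and rewrites the rule with each run grouped. It assumes the AND/OR/NOT syntax shown above; where AND and OR are mixed at the top level it wraps each OR run as one unit, which still needs a human check against the intended logic.

```python
import re

# Added example, not DefenseStorm's own parser: a linter for classifier rules that finds
# top-level OR terms (the ones Elasticsearch treats as optional) and rewrites the rule
# with each run of OR terms parenthesized. Tokens: "(", ")", field:"phrase", or a word.
_TOKEN = re.compile(r'\(|\)|[^\s()"]*"[^"]*"|[^\s()"]+')

def _top_level_units(rule):
    """Split a rule into top-level units; a balanced (...) group is one unit."""
    units, buf, depth = [], [], 0
    for tok in _TOKEN.findall(rule):
        depth += 1 if tok == "(" else -1 if tok == ")" else 0
        buf.append(tok)
        if depth == 0:
            units.append(" ".join(buf).replace("( ", "(").replace(" )", ")"))
            buf = []
    if depth:
        raise ValueError("unbalanced parentheses in rule")
    return units

def _or_runs(rule):
    """Group top-level terms into [(operator before the run, [OR-joined terms])]."""
    runs, op, negate = [], None, False
    for unit in _top_level_units(rule):
        word = unit.upper()
        if word in ("AND", "OR"):
            op = word
        elif word == "NOT":          # keep NOT attached to the term it negates
            negate = True
        else:
            term = "NOT " + unit if negate else unit
            if op == "OR" and runs:
                runs[-1][1].append(term)
            else:
                runs.append((op, [term]))
            op, negate = None, False
    return runs

def ungrouped_or_runs(rule):
    """Top-level OR runs; a non-empty result means the rule needs parentheses."""
    return [terms for _, terms in _or_runs(rule) if len(terms) > 1]

def group_or_terms(rule):
    """Return the rule with every top-level OR run wrapped in parentheses."""
    out = []
    for op, terms in _or_runs(rule):
        if op:
            out.append(op)
        out.append("(" + " OR ".join(terms) + ")" if len(terms) > 1 else terms[0])
    return " ".join(out)
```

Running `group_or_terms` on a rule and comparing the result with the original is a quick pre-save check: if they differ, the rule had ungrouped OR terms.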
Event Fields and Descriptions
| Field | Description | Related fields |
|---|---|---|
| | The DefenseStorm API key used to send the message. Usually one per DefenseStorm Virtual Machine. For Cloud integrations, a unique ID per integration. | |
| | The type of the message, app_name dependent | type, subcategory, event_type, channel |
| | DefenseStorm's best guess at whether this is an outbound, inbound, or internal connection | |
| | The Windows domain associated with the request | user_domain, target_domain, account_domain, used_account_domain, caller_domain, group_domain, network_account_domain, ad_domain, subject_domain_name, new_account_domain, target_domain_name |
| | All the IP addresses that could be considered on your network | |
| | The event ID (if any) associated with the event | |
| | The MD5, SHA1, SHA256 or similar hash value of the file | |
| | The name or path of the file associated with the event | file_path, src_file_name, dest_file_name, target_filename, old_file_path, new_file_path |
| | Destination geographic information | |
| | Source geographic information | |
| | The name of the group that the invoked event acts on | |
| | Usually the name of the machine sending the message | src_hostname, dest_hostname, client_hostname, sensor_hostname, global_hostname, local_hostname, src_translated_hostname, dest_translated_hostname, real_hostname, map_hostname |
| | The HTTP hostname of the HTTP request | |
| | The HTTP path of the URI | |
| | The HTTP URI of the request | |
| | The User-Agent associated with the request | |
| | The path to the executable being run | process, process_name, process_command_line |
| | The actual time DefenseStorm received the message | |
| | Destination IP address | |
| | Source IP address | |
| | Private, Public, Reserved, or Multicast IP address for the destination | |
| | Private, Public, Reserved, or Multicast IP address for the source | |
| | The Windows logon type | |
| | The MAC address for the event | |
| | A human-readable description of the event | unparsed_message, expanded_message, short_message |
| | Usually TCP or UDP | ip_protocol, layer6_protocol, layer7_protocol |
| | The IP address of the machine generating the message | |
| | NONE, LOW, MEDIUM, HIGH | |
| | The time the message was allegedly generated | nx_timestamp, event_received_timestamp, creation_timestamp, logged_timestamp, registration_timestamp |
| | The name of the user involved in the event | user, account_name, target_user_name, username, user_id, subject_user_name, new_account_name |
| unparsed_extended_message | Windows event log messages may have a section that Windows names the "extended message". The unparsed_extended_message is a specific Windows event log message that contains the sections of the long-form Windows event log message for which the DefenseStorm platform did not have specific matches (i.e. could not parse completely). | unparsed_message |
What is an Input Token?
An input token is a system-generated administrative user account created during the initial setup and configuration of DefenseStorm ground services. The system uses your email and password to create the tokens. The input token also contains the DefenseStorm Key and Secret, which may be necessary for some application integrations.
Click the Settings tab (gear icon) > Input Tokens
How does it relate?
The Input Token is how events are authenticated. You can use the aggregate feature to filter down your events to display which Input Token is generating the most events. The api_key filter name is the Input Token key.
What do I do after my user has been created?
When your User ID is set up in the console you receive an email with a link (or copy and paste the link into your browser) to complete the setup. This displays a field for your desired password.
I forgot my password
If you forget your password, follow these steps to set a new one.
STEP 1: Go to https://console.defensestorm.com/#/login
STEP 2: Select “Forget your password?”
STEP 3: Enter your email address and select Reset Password.
Preventing Automatic Logout
You can disable the inactivity timeout - then you’ll stay logged in for as long as the tab is open and your computer is awake.
Click the down arrow next to your name in the GRID UI and select 'Inactivity Timeout' to disable it.
Sending Data to DefenseStorm
Log into the DVM box (via SSH, or through the VM terminal method of your choice) and select option #12, "Send Diagnostic Information", in the DVM menu.
Parsers displayed in bold are either new or have updated parser fields.
- AD Audit Plus
- Switch (NetVanta)
- Allied Telesis
- Barracuda SSL VPN
- Web Security Gateway
- Bro Files
- supported log file list is: conn, dhcp, dns, dpd, files, ftp, http, notice, smtp, software, ssh, ssl, syslog, tunnels, weird, snmp, x509. Full Bro log list: https://www.bro.org/sphinx/script-reference/log-files.html.
- Carbon Black
- CarbonBlackDefense (CBDefense)
- Carbon Black Server 8.x (+ all previous versions)
- 2504 Series
- 4500 Series
- 2921 Parser for IOS VoIP Router
- Prime Parser
- 9396 NXOS Core Router
- Identity Services Engine (ISE)
- C2921 VoIP Gateway
- 9396 NXOS Core Router
- 2960 Switch
- Small Business Router (RV____ models)
- DefenseStorm Integrations Event Format (json parser)
- DHCP NXLog Error
- F5 Load Balancers
- ProCurve Switch
- Proventia Server Intrusion Protection System
- Infoblox DNS
- Iprism Webfilter
- IPS Syslog
- iSensor Message
- PulseSecure VPN
- Web Filter
- Web Gateway
- Mojo Networks
- Nimble Storage
- RSA Authentication Manager
- Sentinel IPS
- ShoreTel Logs
- SNMP Trap
- Software versions - Instead of showing up as IP addresses, the parser displays the actual software version.
- Sophos Cloud Installer / AutoUpdater
- Sophos XG Firewall
- Sysmon (8.0)
- S3 Log Sources (defensestorm_event_source field)
- ESXi / vSphere
- Websense Email Gateway
- ADFS Audit Logs
- Windows Agent DHCP (flat-file) logs
- Application Event Logs
- Add-on Event Provider
- Security Audit Logs
- Event Account Change
- Exchange Server Audit Logs
When a task schedule has a query, what is the maximum number of events that are presented in the task?
100 is the maximum number of events displayed in the task.
Think your Network May be Compromised?
STEP 1: Disconnect the problem machine from your network
While we do not promote one solution over any other, we recommend using a sandbox solution to disconnect the host from the network. If none are available, disconnect the host from all network connections. This prevents the malware from spreading or calling home.
STEP 2: Delete any new files or programs that do not belong
New programs and files could contain malware. Deleting these newly installed programs or files could prevent the spread or increased severity of malware.
STEP 3: Re-image the machine
After uninstalling new programs and files, if you still see unsolicited call-outs or unusual application behavior and are still unsure that the malware was deleted, you can re-image the machine to remove any rootkits. *When a machine is re-imaged, user profiles need to be re-uploaded.
STEP 4: User Training
To reduce the risk of malware infection, put the user through remedial training to ensure they understand malware and how it can spread: for example, through spam emails, websites and contaminated drives, and it can even come pre-installed on some software packages.
STEP 5: Continued Monitoring
After all the above steps have been completed, continue to monitor the host for a minimum of 7 days to look for unsolicited call-outs.
Threat Sharing Sources
All threat sharing sources are used for anomaly detection and are found on the ThreatMatch page of your DefenseStorm console. You can subscribe or unsubscribe from each threat source individually. For more information on ThreatMatch, and how it works with your cybersecurity program, see Using ThreatMatch.
- AlienVault
- Tor Exit Nodes
- ZeuS Tracker
Upgrading/Updating my DVM
How do I know when to upgrade my DVM?
DefenseStorm notifies you via Release Notes when there is a new version to be installed.
Am I Eligible to Upgrade Through the DVM?
Within your DVM Main Menu, select Option 8: Get DVM Status to see if a version number is displayed. If your version number does not display, please contact DefenseStorm for upgrade assistance.
How do I upgrade my DVM?
Once you have determined you are eligible to upgrade through the DVM main menu, see The DefenseStorm Virtual Machine for instructions.
How do I send logs from a configured DVM to a new organization/account?
In order to send logs to a new organization follow these steps:
- Log into the DVM using the console credentials
- Log onto DVM and choose Option 1 on menu: "Set DefenseStorm Credentials"
- Enter the credentials for the new Organization to which you want to send the logs.
- Because the DVM is already configured, it will ask you to confirm that you want to re-enter your credentials.
- Once the new credentials are entered, the DVM will re-configure itself to send logs to the appropriate account.
Windows Audit Log Recommendations
Within the Windows operating system, there are audit logs that can be configured to track the success or failure of certain events. For example, once audit logs are activated for logon attempts, you can choose to track whether a logon attempt succeeds, fails, or both. Our TRAC Team has prepared examples for each option within the Windows operating system to help send the most useful logs to your DefenseStorm DVM and reduce noise on your system.
The following items can be monitored:
- Changes to user account and resource permissions.
- Failed attempts by users to log on.
- Failed attempts to access resources.
- Changes to system files.
This link provides the PDF list of TRAC Recommendations.