
Investigating an alert, need help with additional meta

Question asked by Jeremy Kerwin on Aug 21, 2019
Latest reply on Aug 22, 2019 by Chris Thomas

Here is my situation. I have a feed from a commercial threat intel provider that matches IPs and domains to threat actors.

I'm in the Investigate module, investigating an alert on a dst.ip address that is alerting to a particular threat group, let's say APT1. The source of the event is the firewall, stating that the proxy server is connecting to the dst.ip.


From local knowledge, I know the src.ip is the proxy server. The proxy server is generating logs to NetWitness, but there is no connection between the src.ip and the hostname of the proxy server. What I mean is that when I click on the alert for APT1, I see the firewall log entry stating that src.ip (proxy) connected to dst.ip (threat IOC) on port 443, but there is no corresponding proxy log entry alongside it.

What would be a way to join, connect, pivot (whatever the correct term) the proxy log data with the firewall data?

I don't think the proxy log is sending the src.ip, just the hostname; otherwise I'd assume I'd see that connection.


I'm going to assume the correct answer (correct me if I'm wrong) is that I need to generate some common meta between the two to be able to join them together. If that's the case, would it be with a list in Context Hub, or a custom feed that has the IP and hostname of the proxy server, or maybe some app rules to be able to get that connection?


Hope that makes sense, thanks for the help.
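Added example (not part of the original post, and not NetWitness code): a small Python script showing why the join fails without common meta and what the join looks like once a hostname-to-IP lookup supplies it. The firewall lines, proxy lines, the `proxy01` / `10.1.2.3` mapping and the `203.0.113.45` -> `APT1` intel entry are all constructed for illustration; the `PROXY_HOST_TO_IP` dict stands in for whatever mechanism (custom feed, Context Hub list, app rule) would add a `src.ip` to the proxy events in the real system, and the proxy's destination is pulled out of the URL so it can be compared with the firewall's `dst.ip`. If the IOC is a domain rather than an IP, the same `dst.host` field is what you would compare against the domain list instead.

```python
"""Join firewall events with proxy events that carry only the proxy hostname.

Constructed example: sample logs, hostnames and IPs below are made up.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed firewall events: the proxy (10.1.2.3) talking out on 443.
FIREWALL_LOGS = [
    "2019-08-21T10:00:05Z action=allow src.ip=10.1.2.3 dst.ip=203.0.113.45 dst.port=443 proto=tcp",
    "2019-08-21T10:00:07Z action=allow src.ip=10.1.2.9 dst.ip=198.51.100.7 dst.port=443 proto=tcp",
    "2019-08-21T10:05:00Z action=allow src.ip=10.1.2.3 dst.ip=203.0.113.45 dst.port=443 proto=tcp",
]

# Constructed proxy events: only the proxy's hostname, never its IP.
PROXY_LOGS = [
    "2019-08-21T10:00:04Z host=proxy01 client=10.9.8.7 user=jdoe url=https://203.0.113.45/update status=200",
    "2019-08-21T10:00:06Z host=proxy01 client=10.9.8.22 user=asmith url=https://example.net/ status=200",
    "2019-08-21T10:04:58Z host=proxy01 client=10.9.8.7 user=jdoe url=https://203.0.113.45/beacon status=200",
]

# Stand-in for the custom feed / Context Hub list: proxy hostname -> its IP (assumed).
PROXY_HOST_TO_IP = {"proxy01": "10.1.2.3"}

# Stand-in for the commercial threat intel feed: IOC -> actor (assumed).
THREAT_INTEL = {"203.0.113.45": "APT1"}


def parse_kv(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; 'ts' becomes an aware datetime."""
    ts_str, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for key, val in re.findall(r"(\S+?)=(\S+)", rest):
        rec[key] = val
    return rec


def enrich_proxy(rec, host_to_ip):
    """Add the meta the proxy log lacks: the proxy's own src.ip (via the hostname
    lookup) and the destination host taken out of the requested URL."""
    out = dict(rec)
    out["src.ip"] = host_to_ip.get(rec.get("host"))          # None when no mapping exists
    out["dst.host"] = urlsplit(rec["url"]).hostname if "url" in rec else None
    return out


def join_events(fw_recs, proxy_recs, window=timedelta(seconds=5)):
    """Pair firewall and proxy events that share src.ip and destination and
    fall within `window` of each other. Without the src.ip enrichment nothing pairs."""
    pairs = []
    for fw in fw_recs:
        for px in proxy_recs:
            if (fw["src.ip"] == px["src.ip"]
                    and fw["dst.ip"] == px["dst.host"]
                    and abs(fw["ts"] - px["ts"]) <= window):
                pairs.append((fw, px))
    return pairs


def investigate(fw_lines, proxy_lines, host_to_ip, threat_intel, window_s=5):
    """For every firewall event whose dst.ip is in the intel feed, return the
    matching proxy context (client, user, URL) so the alert can be pivoted on."""
    fw_recs = [parse_kv(line) for line in fw_lines]
    px_recs = [enrich_proxy(parse_kv(line), host_to_ip) for line in proxy_lines]
    hits = []
    for fw, px in join_events(fw_recs, px_recs, timedelta(seconds=window_s)):
        actor = threat_intel.get(fw["dst.ip"])
        if actor is None:
            continue
        hits.append({
            "actor": actor,
            "dst.ip": fw["dst.ip"],
            "fw_ts": fw["ts"].isoformat(),
            "proxy_host": px["host"],
            "client": px.get("client"),
            "user": px.get("user"),
            "url": px.get("url"),
        })
    return hits


if __name__ == "__main__":
    # With no hostname->IP mapping the join has no common key and returns nothing.
    print("without mapping:", investigate(FIREWALL_LOGS, PROXY_LOGS, {}, THREAT_INTEL))
    for hit in investigate(FIREWALL_LOGS, PROXY_LOGS, PROXY_HOST_TO_IP, THREAT_INTEL):
        print(hit)
```

The time-window join is the after-the-fact version of the idea; in the collection pipeline you would want the `src.ip` written onto the proxy events when they are parsed (which is what a feed keyed on the hostname gives you), so the pivot from the firewall alert to the proxy event is a plain meta match rather than a timestamp search.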
