Which Event Data to Use?

Question

I am looking for some general guidelines or pointers on how to best determine which Even Fields from the Event & Event Groups to use when building nDepth queries and correlation rules?  I find I often spend a lot of time trying to figure this out and have come to the conclusion that there has got to be a better way.

Thanks in advance for any suggestions!

FormerMember · Answer

Yeah, effectively, it's just really helpful to have an example to start from, otherwise you kind of feel "chicken and egg" on what you're doing. As you learn the taxonomy you can begin to figure out how events get normalized in a pretty standard way, but there's still 300 of them to choose from, plus all of their fields.

We also have the "combined" fields in nDepth that might help - User Name and IP Address. These fields search across those value in any field they might appear in - for example, with IP Address, it will search source, destination, insertion IP, detection IP, across any events where those might occur.

You can also do a basic text search (not with fields) but it'll generally be a slower operation since it has to search the entire index.

byrona · Answer

I talked with Support about this and their suggestions were as follows...

Start with Event Group/Any Alert

Use Tool Alias and Detection or Insertion IP

These will help you narrow your search; from here you can target in on more specific fields.

byrona · Answer

Somebody.... anybody...?