This repository has been archived by the owner on May 15, 2019. It is now read-only.

Threat Investigation

Everardo Lopez Sandoval edited this page Feb 29, 2016 · 21 revisions

Purpose and Audience

This section contains a walkthrough of the Threat Investigation analyst view. The intended audience is the person or persons who will be reviewing the results for potential threats.

  1. Log in to the analyst view for suspicious connects: http://"server-ip":8889/files/index_sconnects.html. Select the date that you want to review. Your view should now look like this:

Note: The analyst must score the suspicious connections before moving into the Threat Investigation view; please refer to the Suspicious Connects Analyst View walkthrough.

  2. Select the option Threat Investigation from the Open Network Insight menu.

  3. A new web page will open: the Threat Investigation Jupyter interface.

  4. Initialize and load the Jupyter notebook. The fastest way is to select Run All from the Cell menu.

  5. Each code section generates information that will be used in the Story Board module. The following list describes each code section and the output it generates:
  • In this module we can search the IP address(es) that were categorized as High risk connections in the Suspicious Connects Analyst View. Click on the IP address you are interested in and want to include as part of the Story Board module, then click the Search button.

  • The next code section generates Inbound, Outbound, and 2Way connections based on the flow information that resides in the cluster. The geospatial_info is the information extracted from the geolocation database. The add_network_context is the network context information previously uploaded.

  • After performing the search for a single IP address, the number of distinct connections from that IP address is displayed, together with the top 50 connections (by bytes transferred).

  • In addition, a list of the top 50 connections by number of connections that the external IP address established is presented.

  • Threat Summary section. This code section allows the analyst to enter a Title and Description of the kind of attack/behavior exhibited by the particular IP address under investigation. Click the Save button after entering the data to write it into a CSV file that will later be used in the Storyboard Analyst View.

  • The following section generates the CSV files / context information that populate the Story Board Analyst View.
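The code sections above are described only in prose, so here is an added, self-contained Python example (not the ONI notebook's own code) that mirrors what they do for one investigated IP: it classifies flows as inbound, outbound or 2Way from that IP's point of view, ranks peers by bytes transferred and by connection count, and produces the CSV record a storyboard stage would consume. The flow records, the CSV column names and the function names are all assumptions made for this example; ONI's real notebook reads flow data from the cluster and uses its own schema.

```python
"""Illustrative Threat Investigation helpers (added example, not ONI code).

Mirrors the notebook's described stages for a single investigated IP:
  * inbound / outbound / 2Way classification of peers,
  * top-N peers by bytes and by connection count,
  * a threat-summary CSV record for the storyboard.
"""
import csv
import io

# Constructed sample flow records (not real traffic): (src_ip, dst_ip, bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 1200),
    ("10.0.0.5", "203.0.113.7", 800),
    ("203.0.113.7", "10.0.0.5", 300),
    ("10.0.0.5", "198.51.100.2", 50000),
    ("192.0.2.9", "10.0.0.5", 40),
    ("192.0.2.9", "10.0.0.5", 60),
    ("192.0.2.9", "10.0.0.5", 10),
    ("10.0.0.5", "203.0.113.8", 10),
]


def classify_connections(flows, ip):
    """Return {peer: {"direction", "bytes", "count"}} for flows touching ip.

    direction is "outbound" when ip only initiated flows to the peer,
    "inbound" when ip was only the destination, and "2way" when flows
    exist in both directions (the notebook's Inbound/Outbound/2Way split).
    """
    tallies = {}
    for src, dst, nbytes in flows:
        if ip not in (src, dst):
            continue
        peer = dst if src == ip else src
        entry = tallies.setdefault(peer, {"out": 0, "in": 0, "bytes": 0, "count": 0})
        entry["out" if src == ip else "in"] += 1
        entry["bytes"] += nbytes
        entry["count"] += 1

    result = {}
    for peer, t in tallies.items():
        if t["out"] and t["in"]:
            direction = "2way"
        elif t["out"]:
            direction = "outbound"
        else:
            direction = "inbound"
        result[peer] = {"direction": direction, "bytes": t["bytes"], "count": t["count"]}
    return result


def top_peers(conns, key, n=50):
    """Top-n (peer, info) pairs ordered by key ("bytes" or "count"), largest first.

    Ties keep dict insertion order because sorted() is stable.
    """
    return sorted(conns.items(), key=lambda kv: kv[1][key], reverse=True)[:n]


def threat_summary_csv(ip, title, description):
    """Return CSV text with a header row and one summary record.

    The column names (ip, title, description) are an assumption for this
    example; the storyboard stage in ONI defines its own layout.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "title", "description"])
    writer.writerow([ip, title, description])
    return buf.getvalue()


if __name__ == "__main__":
    investigated = "10.0.0.5"
    conns = classify_connections(SAMPLE_FLOWS, investigated)
    print(f"{len(conns)} distinct peers for {investigated}")
    for peer, info in top_peers(conns, "bytes"):
        print(f"{peer:16} {info['direction']:9} bytes={info['bytes']:>6} count={info['count']}")
    print(threat_summary_csv(investigated, "High-volume outbound transfer",
                             "Single peer received most of the bytes"))
```

Running the block ranks 198.51.100.2 first by bytes even though it has a single connection, while 203.0.113.7 and 192.0.2.9 lead by connection count; seeing both rankings side by side is exactly why the notebook presents a top 50 by bytes and a separate top 50 by number of connections.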
