Threatlist Trending

by David Schwalenberg
November 6, 2013

The LCE (Log Correlation Engine) evaluates network connections to see whether they originate from, or are made to, IP addresses with a known hostile reputation, such as membership in a botnet. The LCE normalizes these events under the “threatlist” event type and gives them names that indicate the general direction and port used by the connection. For example, the name Outbound_HTTPS_Threatlist_Connection corresponds to an internal system making a connection on port 443 to a known botnet or hostile IP address. Systems that make outbound connections to threatlisted IP addresses may be compromised hosts contacting a botnet's command and control infrastructure. Inbound connections from threatlisted addresses could indicate probing.

This dashboard presents events from the “threatlist” event type over a 7-day period and displays the top IP addresses and ports associated with this network activity. In addition, a 1-day trend of outbound and inbound activity is presented.

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports, and assets.

The dashboard requirements are:

  • SecurityCenter 4.7
  • LCE 4.2.1

Listed below are the included components:

Threatlist Trending - 7 Day / Events Involving IPs on Known Threatlist (Pie Chart)
This component displays a pie chart of the top 8 events from the “threatlist” event type that have the highest 7-day aggregate counts.

Threatlist Trending - 7 Day / Events Involving IPs on Known Threatlist
This component displays the top 8 events from the “threatlist” event type that have the highest 7-day aggregate counts.

Threatlist Trending - 1 Day / Outbound and Inbound Events Involving IPs on Known Threatlist
This component displays line graphs of outbound and inbound events from the “threatlist” event type over the last 24 hours. An event is classified as outbound if the LCE has given it a normalized name that contains the string “Outbound”; an event is classified as inbound if the LCE has given it a normalized name that contains the string “Inbound”.

Threatlist Trending - 7 Day / Top IPs Interacting with IPs on Known Threatlist
This component displays a bar chart of the top 10 IP addresses associated with events from the “threatlist” event type that have the highest 7-day aggregate counts. Additional filtering can be applied so that only data associated with specific IP addresses is displayed.

Threatlist Trending - 7 Day / Top Ports with Outbound Events Involving IPs on Known Threatlist
This component displays a bar chart of the top 10 ports associated with outbound events from the “threatlist” event type that have the highest 7-day aggregate counts. An event is classified as outbound if the LCE has given it a normalized name that contains the string “Outbound”.

Threatlist Trending - 7 Day / Top Ports with Inbound Events Involving IPs on Known Threatlist
This component displays a bar chart of the top 10 ports associated with inbound events from the “threatlist” event type that have the highest 7-day aggregate counts. An event is classified as inbound if the LCE has given it a normalized name that contains the string “Inbound”.
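As an added illustration, not code from the dashboard or from Tenable, the following Python reproduces the classification and aggregation the components above describe (direction from the “Outbound”/“Inbound” substring of the normalized name, 7-day and 1-day windows, top-N events, IPs and ports) over a constructed set of LCE-style events. The record layout and the hour-based event ages are assumptions, since the post does not show LCE's event format.

```python
from collections import Counter
from typing import NamedTuple, Optional

class ThreatlistEvent(NamedTuple):
    # Assumed layout for this example; LCE's real record format is not shown in the post.
    name: str        # LCE normalized event name
    src_ip: str
    dst_ip: str
    port: int        # destination port of the connection
    age_hours: int   # how long ago the event was seen

# Constructed sample data; the addresses are documentation ranges, not real indicators.
SAMPLE_EVENTS = [
    ThreatlistEvent("Outbound_HTTPS_Threatlist_Connection", "10.0.0.5", "203.0.113.9", 443, 1),
    ThreatlistEvent("Outbound_HTTPS_Threatlist_Connection", "10.0.0.5", "203.0.113.9", 443, 3),
    ThreatlistEvent("Outbound_HTTP_Threatlist_Connection", "10.0.0.7", "198.51.100.4", 80, 20),
    ThreatlistEvent("Inbound_SSH_Threatlist_Connection", "203.0.113.9", "10.0.0.5", 22, 30),
    ThreatlistEvent("Inbound_SSH_Threatlist_Connection", "192.0.2.77", "10.0.0.12", 22, 100),
    ThreatlistEvent("Outbound_HTTPS_Threatlist_Connection", "10.0.0.5", "203.0.113.9", 443, 200),  # older than 7 days
]

def direction(name: str) -> Optional[str]:
    """Classify an event the way the dashboard does: by substring of the normalized name."""
    if "Outbound" in name:
        return "outbound"
    if "Inbound" in name:
        return "inbound"
    return None

def in_window(event: ThreatlistEvent, days: int) -> bool:
    return event.age_hours <= days * 24

def top_events(events, days=7, n=8):
    """Top-N normalized event names by aggregate count inside the window."""
    return Counter(e.name for e in events if in_window(e, days)).most_common(n)

def top_ips(events, days=7, n=10):
    """Top-N addresses on either side of a threatlist event (the 'Top IPs' component)."""
    counts = Counter()
    for e in events:
        if in_window(e, days):
            counts[e.src_ip] += 1
            counts[e.dst_ip] += 1
    return counts.most_common(n)

def top_ports(events, wanted: str, days=7, n=10):
    """Top-N ports for one direction (the 'Top Ports with Outbound/Inbound Events' components)."""
    return Counter(e.port for e in events
                   if in_window(e, days) and direction(e.name) == wanted).most_common(n)

def direction_counts(events, days=1):
    """Outbound vs inbound totals for the trend component (1-day window by default)."""
    counts = Counter(direction(e.name) for e in events if in_window(e, days))
    return {"outbound": counts["outbound"], "inbound": counts["inbound"]}
```

Note that the 200-hour event drops out of every 7-day view and the 30-hour inbound event appears in the 7-day port chart but not in the 1-day trend, which is the distinction between the two windows the dashboard presents.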