Stamus-Networks-Blog

Feature Spotlight: Host Insight Transformation with IDS Alert Metadata

Written by Cédric Le Roux | Jan 26, 2022 2:07:17 PM

In the previous article of the “Feature Spotlight” series, we discussed how to pivot from IDS alert metadata to signature content.

Today, we will be covering some Host Insight magic. Fasten your seat belt, log in to the Stamus Security Platform, and get ready to uncover new insights from your environment :-)

Note: this content applies exclusively to Stamus Security Platform - at the Stamus NDR license tier.

Host Insight Transformation with IDS Alert Metadata

One of the capabilities our customers tell us they love is our Host Insights which is unique in the intrusion detection system (IDS) and network detection and response (NDR) markets. In a nutshell, Stamus Security Platform tracks every host observed on the network in real time. This gives the user a rapid understanding of what HTTP User-Agents, TLS agents, user logins and so on, have been observed on each and every host.



As this blog series is hands-on oriented, let's reuse our example from the first blog with our HTTP User-Agent pattern of Mozilla/4. 

Set this pattern using the alert metadata field matching capability (not an ES Filter), because the feature I am going to describe isn't compatible with ES Filters as of U37. Refer to the previous blog for guidance on how to set this as an Active Filter if necessary.

With the filter in place, go to the Hosts page.

In this example, we have 3 hosts identified that match our HTTP User-Agent filter. If we open and look at the specifics of the hosts 10.7.5.*, we will indeed see "Mozilla/4.0 …." listed as HTTP User-Agent strings. However, if we look at the first one (redacted on the screenshot), we don't see any User-Agent. Weird? A Bug? Nope, that's logical.

If you remember the previous blog, I wrote that active filters are used to search alert metadata, and here, we are looking at hosts. 

What we are actually doing here is searching all alert metadata. And from those having the "Mozilla/4" pattern in the HTTP User-Agent string, we view the associated hosts (of those alerts). 

Any IDS alert has 2 primary stakeholders, a source and a destination. So, here we are listing all hosts, regardless of whether they were the source or the destination of the alerts, from which our pattern has been found.

Hold on a minute! I thought the Host Insights feature was tracking all hosts on the network regardless of whether they emitted alerts? And here you are telling me that only hosts associated with alerts are displayed?

Yes, that's absolutely correct.

A host making an access to any website, without triggering an alert, will not be displayed with this filter. However, Stamus Security Platform captures network security monitoring (NSM) data (including flow records and protocol transactions) and keeps track of all hosts observed. 

To see any hosts in our environment having presented a "Mozilla/4" User-Agent, we have to toggle our active filter from an alert search into a Host Insights search. To do that, we simply click on the Host Insights "switcher" in the label of the filter (icon in between the pencil and the cross).

Once clicked, the filter will mutate to start with host_id, indicating that the filter is applied on Host Insights.

As a result, you will probably see different results and this makes sense as this filter lists all hosts having used a HTTP User-Agent matching our "Mozilla/4" pattern, but not necessarily having raised IDS alerts. 

Similarly, some hosts may have disappeared because they were displayed as being associated with alerts, for example as a destination (while the User-Agent is used/advertised by the source).

Finally, if we go back to the Dashboard page, or the Alerts page, with this host_id filter, we will be seeing all alerts from all hosts having used this HTTP User-Agent. That's pretty powerful in terms of a pivot, isn't it?

If we toggle again the Host Insights switcher to get back to the original filter http.http_user_agent: *Mozilla/4* , still on the Dashboard or Alerts pages, we will now be seeing all alerts having involved this HTTP User-Agent.

Finally, thanks to Malware Traffic Analysis from which we gleaned a PCAP to illustrate this blog.

Happy hunting! We’ll see you in the next article!

Bonus: here is a list of fields that can be toggled from alert metadata search to Host Insights search (as of U37):

  • IP addresses (src_ip, dest_ip, ip)
  • HTTP User-Agents (http.http_user_agent)
  • TLS JA3 Hashes (tls.ja3.hash, tls.ja3.agent)
  • TLS Certificates (tls.fingerprint, tls.issuerdn, tls.subject)
  • SSH version (ssh.server.proto_version, ssh.client.software_version)
  • Protocol (app_proto, proto)
  • Port number (src_port, dest_port, port)