Stellar Cyber Anomaly Observations

The document provides a summary of cyber observations and feedback from Stellar Cyber. It includes two sections on anomalies detected: 1) a long app session anomaly involving TCP traffic on port 5938 from an internal host to an external IP, and 2) an exclusion filter to remove external port scan alerts involving ICMP traffic not originating from private IP blocks. It also provides a summary of alerts on December 10th involving possible phishing, network traffic anomalies, uncommon processes, and application usage.
STELLAR CYBER OBSERVATIONS

STELLAR CYBER OBSERVATIONS AND FEEDBACK

Table of Contents

1 Long App Session Anomaly Source Locations

TRUSTED INTERNET LLC 1



Unable to find the sensor details, the session details, or any traffic log related to the source IP address in FAZ.

JSON Details
{
"actual": 95430360,
"aella_tuples": "[Link].[Link].5938.4",
"anomaly_id": "QGdr6IQBWk3UEfdB9tx4",
"anomaly_tag": "spike",
"appid": 4,
"appid_family": "Standard",
"appid_name": "tcp5938",
"appid_stdport": "yes",
"detected_field": "appid_name",
"detected_value": "tcp5938",
"dscp_name": "Best Effort",
"dstip": "[Link]",
"dstip_geo": {
"city": "Los Angeles",
"countryCode": "US",
"countryName": "United States",
"latitude": 34.0544,
"longitude": -118.2441,
"region": "California"
},
"dstip_geo_point": "34.0544,-118.2441",
"dstip_host": "[Link]",
"dstip_reputation": "Good",
"dstip_type": "public",
"dstip_version": "ipv4",
"dstmac": "[Link]",
"dstport": 5938,
"duration": 109,
"end_bucket_time": 1670346900000,
"end_reason": 13,
"engid": "ad6100900ba995c9",
"engid_gateway": "[Link]",
"engid_name": "TrustedInternet",
"event_category": "network",
"event_name": "long_session_anomaly",
"event_score": 13,
"event_source": "new_ml",
"event_status": "New",
"event_type": "conn",
"fidelity": 2.9947921320390147,
"flow_score": 90,
"inbytes_delta": 60,
"inbytes_total": 60,
"inpkts_delta": 1,
"lateral": false,
"locid": "unassigned location",
"msg_class": "interflow_traffic",
"msg_origin": {
"source": "sensor"
},
"msgtype": 4,
"msgtype_name": "startend",
"netid": 0,
"netid_name": "vlan0",
"obsid": 167837751,
"orig_id": "QGdr6IQBWk3UEfdB9tx4",


"orig_index": "aella-adr-1670198428642-",
"outbytes_delta": 156,
"outbytes_total": 156,
"outpkts_delta": 2,
"port_name": "ethernet5",
"processing_time": 0,
"proto": 6,
"proto_name": "tcp",
"receive_time": 1670346693916,
"response_time": 0,
"severity": 30,
"src_tuples": "[Link].[Link].94",
"srcip": "[Link]",
"srcip_assetid": "27ce9ee0-43f3-11ed-995c-a642c96a498d",
"srcip_geo": {
"city": "Providence",
"countryCode": "US",
"countryName": "United States",
"latitude": 41.7816,
"longitude": -71.3897,
"region": "Rhode Island"
},
"srcip_geo_point": "41.7816,-71.3897",
"srcip_host": "[Link]",
"srcip_reputation": "Good",
"srcip_type": "private",
"srcip_username": "mkrone",
"srcip_usersid": "S-1-5-21-2001604708-270891922-367356602-21757",
"srcip_version": "ipv4",
"srcmac": "[Link]",
"srcport": 59430,
"start_bucket_time": 1670346600000,
"state": "Aborted",
"stellar": {
"alert_time": 1670347201317
},
"stellar_da_input": 636,
"stellar_index_id": "aella-adr-2022.12.06-f09131f60607458f979cbd549df8c508",
"stellar_uuid": "1fb1e725-250e-4086-bbad-dc22c5623b8b1670346693916",
"tcp_rtt": 0,
"tenant_name": "Violet Templar",
"tenantid": "f09131f60607458f979cbd549df8c508",
"threat_score": 0,
"timestamp": 1670346688958,
"tos": 0,
"totalbytes": 216,
"totalpackets": 3,
"typical": 42353,
"vlan": 0,
"write_by": "sef",
"write_time": 1670347226620,
"xdr_event": {
"description": "The application tcp5938 has an anomalously long session (#: 1.10 days), compared to the typical session length (#: 42.35 seconds) of itself or its peers, measured in a 5-minute interval.",
"display_name": "Long App Session Anomaly",
"framework_version": "v8",
"name": "long_session_anomaly",
"scope": "External",
"tactic": {
"id": "XTA0002",
"name": "XDR NBA"
},
"tags": [
"External",
"Network Traffic Analysis"
],
"technique": {
"id": "XT2005",
"name": "XDR Session Anomaly"
},


"xdr_killchain_stage": "Initial Attempts",
"xdr_killchain_version": "v1"
},
"_index": "aella-ser-1668384131840-",
"_id": "167034722662082344e114e23cfd4d519d9398cbffe85dfa",
"_type": "amsg"
}

2 External IP/Port Scan Anomaly


Exclusion Name: FJ-External IP and Port Scan Anomaly
Exclusion Description: Filter out all the ICMP denied events from external addresses
Exclusion Conditions:
[{"field":"xdr_event.name","op":"==","type":"string","val":"external_port_scan"},
{"field":"srcip","op":"does not match","type":"ip","val":"[Link]/8"},
{"field":"srcip","op":"does not match","type":"ip","val":"[Link]/12"},
{"field":"srcip","op":"does not match","type":"ip","val":"[Link]/16"},
{"field":"proto","op":"==","type":"number","val":1},
{"field":"msg_data.name","op":"contains","type":"string","val":"deny"}]
Exclusion Snapshot: (screenshot not reproduced)
Exclusion Added: 10th December, 2022
Alert Approval Testing Status: [Testing | Approved]
Alert Approval Date:
Alert Final Status:
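The exclusion conditions above are applied as an AND of every entry, so an ICMP deny from a private source, or a TCP scan from a public one, is still alerted. The following Python example is added here (it is not Stellar Cyber code or part of the original document) to reproduce that evaluation so the filter can be checked before approval; the three redacted CIDR blocks are assumed to be the RFC 1918 private ranges, consistent with the description of suppressing only events from external addresses.

```python
import ipaddress
import json

# Constructed reproduction of the exclusion conditions in the table above. The
# page redacts the three CIDR blocks; the RFC 1918 ranges are ASSUMED here.
EXCLUSION_CONDITIONS = json.loads("""[
 {"field":"xdr_event.name","op":"==","type":"string","val":"external_port_scan"},
 {"field":"srcip","op":"does not match","type":"ip","val":"10.0.0.0/8"},
 {"field":"srcip","op":"does not match","type":"ip","val":"172.16.0.0/12"},
 {"field":"srcip","op":"does not match","type":"ip","val":"192.168.0.0/16"},
 {"field":"proto","op":"==","type":"number","val":1},
 {"field":"msg_data.name","op":"contains","type":"string","val":"deny"}
]""")


def get_field(record, dotted):
    """Resolve a dotted path such as 'xdr_event.name'; missing keys yield None."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def condition_matches(record, cond):
    """Evaluate one condition; an absent field never satisfies it."""
    value = get_field(record, cond["field"])
    if value is None:
        return False
    op, val = cond["op"], cond["val"]
    if cond["type"] == "ip":  # 'matches' / 'does not match' against a CIDR block
        in_block = ipaddress.ip_address(value) in ipaddress.ip_network(val)
        return in_block if op == "matches" else not in_block
    if op == "==":
        return value == val
    if op == "contains":
        return str(val).lower() in str(value).lower()
    raise ValueError(f"unsupported op {op!r}")


def is_excluded(record, conditions=EXCLUSION_CONDITIONS):
    """All conditions are ANDed: every one must hold for the alert to be suppressed."""
    return all(condition_matches(record, c) for c in conditions)


def sample_alert(srcip, name="deny", proto=1, event="external_port_scan"):
    """Constructed minimal alert record (not from the page) for exercising the filter."""
    return {"srcip": srcip, "proto": proto,
            "xdr_event": {"name": event}, "msg_data": {"name": name}}
```

Running the sample records through `is_excluded` confirms that only an ICMP deny event from a non-private source is suppressed; the same event from a private source, a TCP variant, or an allowed action still reaches the alert queue.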

10th December 2022

- Possible Phishing Site Visit from Email [10] - Internal host [[Link]] reaching out to an internal domain [eqn-[Link]]
- Outbytes Anomaly [8] - Meraki addresses [[Link], [Link]], Nutanix addresses [[Link] and [Link]], CloudFlare address [[Link]] and Amazon address [[Link]]
- Uncommon Process Anomaly [7] - Chrome Installer, Edge, MSPaint, AM Delta Patch [Microsoft Antimalware WU Stub]
- CylancePROTECT: Process Injection [6] - Detected on 6 hosts
- External Non-Standard Port Anomaly [6] - Turn, Oracle, Signal, XBOX [Legitimate applications; a list of whitelisted applications shall be requested in order to filter out the FPs]
- Long App Session Anomaly [4] - Outbound Jabber traffic, web traffic towards an Amazon address and TeamViewer traffic [Legitimate applications; a list of whitelisted applications shall be requested in order to filter out the FPs]
- Application Usage Anomaly [3] - Google, O365 and Bing [Legitimate applications; a list of whitelisted applications shall be requested in order to filter out the FPs]
- User Login Location Anomaly [3] - Legitimate users [amelendez, Jhongmanivanh and mconstantino]
