
Purpose

This use case lets you explore the Windows Activity Activeboard using synthetic sample data. It is composed of one injector, which simulates the attack activity generated by Windows machines, and one receptor, which monitors that activity.

Launch Windows Activity Activeboard

To launch the Use Case, go to Exchange in the navigation pane. Look for the Use Case and click Launch to install the injector and the receptor. Once they are installed, an Open button is displayed. Click Open to see the alert showing detections.

Stop use case

You can always stop the injection by clicking on the Stop use case button.

Exploring the Use Case

This Use Case shows a complete DoS attack. It is composed of one injector, which injects synthetic Windows log data and then installs the Windows Activity Activeboard if it is not already installed in your domain.

Name: Injection for Windows Activity AB
Type: Injector (Synthetic data)
Content: Windows events prepared to simulate the activity generated by Windows machines. The injection is continuous (it starts over after injecting the last event).

Name: Windows Activity Monitoring
Type: Receptor (Activeboard)
Content: Widgets prepared to analyze and visualize Windows activity patterns graphically.

Open use case

Receptor: once the use case has been launched, you can use the Open button at the top right of the card in Exchange to access the receptor, where you can carry out certain actions depending on the type of item the receptor is. You can also access the receptor in question via the Navigation pane.

Injector: if you want to open the injector to check the data it contains, you can click on its name in the Included contents section to access its card and then click the Open button at the top right of the card. You can also access the data table using finders or LINQ via the Navigation pane (Data Search area → Explore your data tab).


Work with use case

Receptor: after launching the use case, you can use the receptor for the intended purpose, which can be an Activeboard to visualize and analyze data graphically, an alert with conditions to find anomalous events, or an application to further operate with the data.

Injector: you can also use the synthetic data in contexts other than the intended one, or even manipulate the data in the search window.