Limit intruder dwell time with rapid context gathering
Description
In this use case, a hypothetical attacker uses an exploit against one of our machines on the local network, which triggers an alert from an external security service. The attacker takes control of the machine and leaks information out of the network.
Our external service does not provide additional details about the threat. We will use this Flow to combine the external service's data with the data extracted by Devo (the interactions between attacker and victim) to check whether there is any data flow from the victim to the attacker. If the Flow observes such an interaction, it sends an email notifying you of the intrusion and provides the query you need to rapidly investigate and mitigate the threat.
In this example, we combine alert data from an external IDS service ingested into Devo with firewall data. The IDS alerts describe intrusions against our machine and include the attacker's source IPs and the victim's destination IPs. We compare this data with the connection records from our firewall to check whether the victim machine is sending data to the attacker's IP address, which would indicate a data leak.
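The correlation described above, written out as an added example that is not part of this page or of Devo's own Flow: it joins constructed IDS alerts (attacker source IP, victim destination IP) against constructed firewall connection records, keeps only allowed, non-empty connections from the victim back to the attacker inside a time window after the alert, and builds the investigation query the notification would carry. The record layouts, the `firewall.all.traffic` table and the column names in the query are assumptions for illustration.

```python
"""Correlate IDS alerts with firewall records to spot victim-to-attacker traffic.

Added example; not Devo code. All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IdsAlert:
    ts: datetime
    attacker_ip: str  # source IP of the exploit (external)
    victim_ip: str    # destination IP inside the local network
    signature: str


@dataclass
class FwRecord:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str       # "allow" or "deny"
    bytes_out: int    # bytes sent from src_ip to dst_ip


# Constructed IDS alerts as they would arrive from the external service.
SAMPLE_ALERTS = [
    IdsAlert(datetime(2024, 5, 1, 10, 0, 0), "203.0.113.45", "10.0.0.12", "EXPLOIT-CONSTRUCTED-1"),
    IdsAlert(datetime(2024, 5, 1, 10, 5, 0), "198.51.100.7", "10.0.0.30", "EXPLOIT-CONSTRUCTED-2"),
]

# Constructed firewall export: ts,src_ip,dst_ip,dst_port,action,bytes_out
FIREWALL_LOG = """\
# victim -> attacker shortly after the alert, allowed, large upload
2024-05-01T10:02:10,10.0.0.12,203.0.113.45,443,allow,524288
# victim -> unrelated host
2024-05-01T10:02:40,10.0.0.12,93.184.216.34,443,allow,1200
# second victim -> its attacker, but the firewall blocked it
2024-05-01T10:06:00,10.0.0.30,198.51.100.7,22,deny,0
# victim -> attacker again, but 2.5 h after the alert
2024-05-01T12:30:00,10.0.0.12,203.0.113.45,443,allow,2048
"""


def parse_firewall(text: str) -> list[FwRecord]:
    """Parse the constructed CSV-style export, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, action, nbytes = line.split(",")
        records.append(FwRecord(datetime.fromisoformat(ts), src, dst,
                                int(port), action, int(nbytes)))
    return records


def find_leaks(alerts: list[IdsAlert], records: list[FwRecord],
               window: timedelta = timedelta(hours=1),
               min_bytes: int = 1) -> list[tuple[IdsAlert, FwRecord]]:
    """Return (alert, record) pairs where the victim sent data to the attacker.

    The firewall's source must be the alert's victim and its destination the
    alert's attacker; the connection must be allowed, carry at least
    min_bytes, and fall within `window` after the alert timestamp.
    """
    hits = []
    for alert in alerts:
        for rec in records:
            if rec.src_ip != alert.victim_ip or rec.dst_ip != alert.attacker_ip:
                continue
            if rec.action != "allow" or rec.bytes_out < min_bytes:
                continue
            if not (alert.ts <= rec.ts <= alert.ts + window):
                continue
            hits.append((alert, rec))
    return hits


def investigation_query(alert: IdsAlert) -> str:
    """Build the query to attach to the notification.

    Written in Devo's LINQ style; the table and column names are assumptions.
    """
    since = alert.ts.strftime("%Y-%m-%d %H:%M:%S")
    return (f'from firewall.all.traffic where srcIp = "{alert.victim_ip}", '
            f'dstIp = "{alert.attacker_ip}", eventdate >= "{since}" '
            f"select srcIp, dstIp, dstPort, bytes")


def notification_body(hits: list[tuple[IdsAlert, FwRecord]]) -> str:
    """Render the email text the Flow would send for each confirmed leak."""
    lines = []
    for alert, rec in hits:
        lines.append(f"Possible data leak: {alert.victim_ip} -> {alert.attacker_ip} "
                     f"({rec.bytes_out} bytes at {rec.ts.isoformat()}, IDS {alert.signature})")
        lines.append("Investigate with: " + investigation_query(alert))
    return "\n".join(lines)


if __name__ == "__main__":
    print(notification_body(find_leaks(SAMPLE_ALERTS, parse_firewall(FIREWALL_LOG))))
```

With the default one-hour window only the first firewall record qualifies: the denied connection and the upload 2.5 hours later are excluded, which is the kind of tuning (window length, minimum byte count, whether to count denied attempts) you would adjust in the Flow to match your environment.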
Flow configuration
The configuration of this use case is divided into 3 different parts:
Result
Once you have defined the whole Flow and saved it, click the Start button to activate it. If everything is correctly configured, the Flow will send an email to the given addresses every time an inactivity period is detected.
Import this Flow
Download this Flow in JSON format and import it into your domain by clicking the Import from JSON option in the File menu. If the JSON object opens automatically in a new browser window, copy all of its content, paste it into a text editor, and save it in .txt or .json format.