Detecting Network Spikes Identified by WAF for the Elastic Stack Platform

[post-views]
September 11, 2023 · 2 min read
Detecting Network Spikes Identified by WAF for the Elastic Stack Platform

There are a lot of interesting cases that you can find while investigating anomalies in the traffic baselines, for example, in FTP, SSH, or HTTPS. This guide describes how to use the “Imperva WAF – Kibana Dashboard, Watchers and Machine Learning for ELK Stack” Content Pack to detect abnormal spikes of attacks identified by WAF from a single IP to a single web application.

Downloading Content Pack for Detecting Network Spikes for the Elastic Stack 

    1. Log in to the SOC Prime Platform with your work-associated account.
    2. Go to Threat Detection Marketplace > Get Started.
    3. Select Search from the navigation panel.
    4. In the Content Search field, type “imperva waf”.Download "Imperva WAF - for ELK Stack" Content Pack
    5. Click the “Imperva WAF – Kibana Dashboard, Watchers and Machine Learning for ELK Stack Content Pack” to open the content item page.
    6. Check the Dependencies and Log Source Requirements sections to see if your system meets the requirements for the content deployment.
    7. Click the Download button.
Download "Imperva WAF - for ELK Stack" Content Pack

Note: Detection content availability depends on your current SOC Prime subscription tier. Learn more at https://my.socprime.com/pricing/

Deploying Content into Your Kibana Instance 

Log in to your Kibana and import content using the following steps:

  1. Create a new ML (Machine Learning) job by clicking the Create new job button in the upper right-hand corner of the page.

    Create a new job in Kibana

  2. Select the required index pattern or a saved search Imperva WAF logs.

    Select the required index pattern or a saved search Imperva WAF logs.

  3. Select the Advanced tile from the list of wizards to create an advanced job.
    Select the Advanced tile from the list of wizards to create an advanced job.

  4. In the Edit JSON tab, paste the JSON configuration of the downloaded ML Job.In the Edit JSON tab, paste the JSON configuration of the downloaded ML Job
  5. Click the Next button to pass validation.Create an advanced job in Kibana
    Note: In case you have a different field template, please make the corresponding changes in the JSON code.
  6. After successful validation, save the changes to complete the job creation by clicking the Start button. Here, you can specify the time frame or set the job to Real-time searchSpecify the time frame or set the job to Real-time search.
  7. As a result, you will get the visualization of network spikes or abnormal SSH traffic activity that needs investigation.
    Get visualization of network spikes or abnormal SSH traffic activity

Have any questions? Reach out to us via the SOC Prime Platform chat or get in touch with us on Discord.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts