Detecting Network Spikes Identified by WAF for the Elastic Stack Platform

September 11, 2023 · 2 min read

Investigating anomalies against traffic baselines, for example in FTP, SSH, or HTTPS, turns up a lot of interesting cases. This guide describes how to use the "Imperva WAF – Kibana Dashboard, Watchers and Machine Learning for ELK Stack" Content Pack to detect abnormal spikes of attacks identified by the WAF from a single source IP against a single web application.

Downloading Content Pack for Detecting Network Spikes for the Elastic Stack

    1. Log in to the SOC Prime Platform with your work-associated account.
    2. Go to Threat Detection Marketplace > Get Started.
    3. Select Search from the navigation panel.
    4. In the Content Search field, type "imperva waf".
    5. Click "Imperva WAF – Kibana Dashboard, Watchers and Machine Learning for ELK Stack Content Pack" to open the content item page.
    6. Check the Dependencies and Log Source Requirements sections to see if your system meets the requirements for the content deployment.
    7. Click the Download button.

Note: Detection content availability depends on your current SOC Prime subscription tier. Learn more at https://my.socprime.com/pricing/

Deploying Content into Your Kibana Instance

Log in to your Kibana and import content using the following steps:

  1. Create a new ML (Machine Learning) job by clicking the Create new job button in the upper right-hand corner of the page.

  2. Select the required index pattern or a saved search for the Imperva WAF logs.

  3. Select the Advanced tile from the list of wizards to create an advanced job.

  4. In the Edit JSON tab, paste the JSON configuration of the downloaded ML job.

  5. Click the Next button to run validation.
    Note: If your indices use a different field template, change the field names in the JSON to match it before validating.

  6. After successful validation, save the changes and complete the job creation by clicking the Start button. Here you can specify a fixed time frame for the job or set it to run in real time against new data.

  7. As a result, you get a visualization of abnormal spikes of WAF-detected attacks from a single IP against a single web application that need investigation.
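The following is an added example, not code from the content pack or the SOC Prime page, showing what the advanced-job JSON pasted in step 4 typically looks like for this use case and how to adapt it to a different field template (the note in step 5). It assumes ECS field names (`source.ip`, `url.domain`, `event.kind`), an index pattern `logs-imperva-*`, a 15-minute bucket span and the job name `imperva_waf_attack_spikes`; none of these come from the page, so adjust them to your own mapping. The detector is `high_count` by source IP, partitioned per web application, so each (IP, application) pair gets its own baseline and only upward deviations raise anomalies. A small bucketing function, run over constructed sample events, previews the per-bucket counts the detector models; the `spike_candidates` check is a crude local stand-in, not the Elastic ML model.

```python
"""Elastic ML advanced-job config for WAF attack-spike detection (added example).

Assumptions (not from the content pack): ECS field names source.ip, url.domain,
event.kind; index pattern logs-imperva-*; 15 minute bucket span; job id
imperva_waf_attack_spikes. Change FIELD_MAP / arguments to match your template.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from statistics import median

JOB_ID = "imperva_waf_attack_spikes"   # assumed job name
BUCKET_SPAN = "15m"


def build_job(job_id=JOB_ID, src_field="source.ip", app_field="url.domain",
              time_field="@timestamp", bucket_span=BUCKET_SPAN):
    """Body for PUT _ml/anomaly_detectors/<job_id> (or the wizard's Edit JSON tab)."""
    return {
        "job_id": job_id,
        "description": "Spikes of WAF-detected attacks from one IP to one web app",
        "groups": ["imperva", "waf"],
        "analysis_config": {
            "bucket_span": bucket_span,
            "detectors": [{
                # high_count only flags counts above the learned baseline (spikes),
                # one model per (source IP, application) pair.
                "function": "high_count",
                "by_field_name": src_field,
                "partition_field_name": app_field,
                "detector_description": "WAF alerts per source IP per application",
            }],
            "influencers": [src_field, app_field],
        },
        "data_description": {"time_field": time_field},
        "analysis_limits": {"model_memory_limit": "64mb"},
    }


def build_datafeed(job_id=JOB_ID, indices=("logs-imperva-*",), kind_field="event.kind"):
    """Body for PUT _ml/datafeeds/datafeed-<job_id>; feeds only WAF alert events."""
    return {
        "job_id": job_id,
        "indices": list(indices),
        "query": {"bool": {"filter": [{"term": {kind_field: "alert"}}]}},
    }


def remap_fields(config, field_map):
    """Rewrite field names in a job/datafeed body for a different field template."""
    if isinstance(config, dict):
        return {field_map.get(k, k): remap_fields(v, field_map) for k, v in config.items()}
    if isinstance(config, list):
        return [remap_fields(v, field_map) for v in config]
    if isinstance(config, str):
        return field_map.get(config, config)
    return config


def bucket_counts(events, src_field="source.ip", app_field="url.domain",
                  time_field="@timestamp", bucket_seconds=900):
    """What the detector sees: alert count per (bucket start, source IP, application)."""
    counts = Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev[time_field].replace("Z", "+00:00"))
        start = int(ts.timestamp()) // bucket_seconds * bucket_seconds
        label = datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
        counts[(label, ev[src_field], ev[app_field])] += 1
    return counts


def spike_candidates(counts, factor=5):
    """Crude local stand-in for the ML model: flag buckets >= factor x the pair's median."""
    series = {}
    for (bucket, ip, app), n in counts.items():
        series.setdefault((ip, app), []).append((bucket, n))
    hits = []
    for (ip, app), points in series.items():
        baseline = max(median([n for _, n in points]), 1)
        for bucket, n in points:
            if n >= factor * baseline:
                hits.append({"source.ip": ip, "url.domain": app, "bucket": bucket,
                             "count": n, "baseline": baseline})
    return sorted(hits, key=lambda h: (h["bucket"], h["source.ip"]))


def _ev(ts, ip, app):  # constructed sample WAF alert (documentation IPs)
    return {"@timestamp": ts, "source.ip": ip, "url.domain": app, "event.kind": "alert"}


# Constructed sample: one alert per 15 min from two IPs, then 203.0.113.7 sends 12 in one bucket.
SAMPLE_EVENTS = (
    [_ev(f"2023-09-11T10:{m:02d}:00Z", "203.0.113.7", "shop.example.com") for m in (5, 20, 35, 50)]
    + [_ev(f"2023-09-11T11:{m:02d}:00Z", "203.0.113.7", "shop.example.com") for m in range(12)]
    + [_ev(f"2023-09-11T10:{m:02d}:00Z", "198.51.100.9", "shop.example.com") for m in (5, 20, 35, 50)]
)

if __name__ == "__main__":
    print(json.dumps(build_job(), indent=2))
    print(json.dumps(build_datafeed(), indent=2))
    print(json.dumps(remap_fields(build_job(), {"source.ip": "client_ip"})["analysis_config"], indent=2))
    for hit in spike_candidates(bucket_counts(SAMPLE_EVENTS)):
        print("spike:", hit)
```

To deploy outside the wizard, PUT the job body to `_ml/anomaly_detectors/imperva_waf_attack_spikes`, PUT the datafeed body to `_ml/datafeeds/datafeed-imperva_waf_attack_spikes`, then open the job and start the datafeed (with a `start`/`end` for a fixed time frame, or without `end` for real-time mode, which is what step 6 configures in the UI).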

Have any questions? Reach out to us via the SOC Prime Platform chat or get in touch with us on Discord.
