We have just finished a job for an MSSP who had a large number of use cases for us to review, fix and implement.
At the outset it was obvious that the SOC team were struggling with some alerts, namely the usual ones involving users, proxies and firewalls.
As there was so much work to do in so little time, we couldn't build this particular use case for them; we also felt they were not yet mature enough to understand and maintain this sort of use case. BUT we did conduct a number of sessions describing how it works, and they were very interested to see how they could save time and also increase their level of visibility!
Below is a flow diagram of how to gather your own threat intel, native to your own network, saving time and money and bringing a new level of protective monitoring.

In Splunk, tstats and alert actions play a huge role here, as do lookups backed by CSV or the KV Store (your choice!).
To take this sort of use case to another level, you would obtain the DNS PTR records for the offending IPs and perform an even deeper scan of your traffic on the DNS and proxy layers.
This use case can certainly catch a successful Log4j exploit (or similar) where the exploited host calls back to the attacker's source IP.
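As an added example (not the author's or the MSSP's implementation), this is how the two stages could be wired up as scheduled searches in savedsearches.conf: the first builds the native intel lookup from the firewall's own inbound blocks via tstats, the second joins outbound proxy traffic against it and alerts on any match. The lookup name, thresholds, schedules and the use of the CIM Network_Traffic and Web data models are assumptions.

```ini
# savedsearches.conf (example, not the author's implementation). Lookup name,
# thresholds and schedules are assumptions; field names are CIM data model
# fields, so both data models must be accelerated for summariesonly=true.
# Create the lookup once with the header: src_ip,first_seen,last_seen,blocked_hits

[native_intel_build_from_firewall_blocks]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Stage 1: every external source the perimeter firewall has already blocked
# inbound becomes an intel entry. Private ranges are dropped so internal
# scanners never land in the list, and the result is merged with the existing
# lookup so first_seen survives and blocked_hits accumulates across runs.
# (direction is assumed to be populated by the firewall add-on.)
search = | tstats summariesonly=true count min(_time) as first_seen max(_time) as last_seen \
      from datamodel=Network_Traffic.All_Traffic \
      where All_Traffic.action=blocked All_Traffic.direction=inbound \
      by All_Traffic.src \
    | rename All_Traffic.src as src_ip, count as blocked_hits \
    | where NOT cidrmatch("10.0.0.0/8", src_ip) AND NOT cidrmatch("172.16.0.0/12", src_ip) \
        AND NOT cidrmatch("192.168.0.0/16", src_ip) \
    | where blocked_hits >= 5 \
    | inputlookup append=true native_threat_intel.csv \
    | stats min(first_seen) as first_seen max(last_seen) as last_seen \
        sum(blocked_hits) as blocked_hits by src_ip \
    | outputlookup native_threat_intel.csv

[native_intel_outbound_callback]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
# Stage 2: an internal host talking outbound through the proxy to an address
# that was only ever seen attacking the perimeter is the callback pattern
# (a Log4j JNDI victim reaching back to the scanner). The same lookup join
# on DNS.answer in the Network_Resolution data model covers the DNS layer.
search = | tstats summariesonly=true count values(Web.url) as url min(_time) as first_seen \
      from datamodel=Web by Web.src Web.dest \
    | rename Web.src as src, Web.dest as dest \
    | lookup native_threat_intel.csv src_ip as dest OUTPUT first_seen as intel_first_seen blocked_hits \
    | where isnotnull(intel_first_seen) \
    | eval intel_first_seen=strftime(tonumber(intel_first_seen), "%Y-%m-%d %H:%M:%S") \
    | table first_seen src dest url blocked_hits intel_first_seen
alert.track = 1
counttype = number of events
relation = greater than
quantity = 0
```

The lookup join in stage 2 assumes the proxy populates Web.dest with an IP; where it holds a hostname instead, the PTR enrichment described above is what bridges the two.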
Are you interested in effective alerts with a true meaning? Contact Us.