Vulnerabilities, IDS alerts and malware found on specific hosts
Finding hosts with vulnerabilities (detected by scanning), IDS attacks (Snort) and outstanding AV (Sophos AV) issues.
First, search all available vulnerabilities.
Second, from the first list, search for target IPs that also have an entry in the Snort findings.
Third, take the outcome of the searches above and check which target IPs have a matching entry in the malware data.
Finally, recalculate the adjusted priority of the findings accordingly.
The outcome of this search is the set of hosts that have been found vulnerable during a vulnscan AND have been trying to communicate with a C&C (or similar host) AND have been identified by the AV tool as having had an issue.
sourcetype=whatever displayname="*" internal=1 signature="*" vuln_type!="Info" | fillnull | dedup host_id,qid | dedup keepempty=T netbios,qid |
join type=left dest_ip [search sourcetype=snort | dedup dest_ip | fields dest_ip | eval ips="true"] | eval adjusted_priority=if(isnotnull(ips),adjusted_priority*10, adjusted_priority) |
join type=left dest_ip [search sourcetype=malware ActionTaken="Blocked" | search NOT [search sourcetype=sophos:threats (ActionTaken="Clea*" OR ActionTaken="Acknowledged" OR ActionTaken="unknown" OR ThreatName="EICAR-AV-Test") | fields ComputerIPAddress] | fields ComputerIPAddress | rename ComputerIPAddress as dest_ip | eval malware="true"] |
eval adjusted_priority=if(isnotnull(malware),adjusted_priority*20, adjusted_priority) | fields dest_ip, dest_owner, adjusted_priority, ips, malware | sort - adjusted_priority | dedup dest_ip | table adjusted_priority, dest_ip, dest_owner, ips, malware
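The same three-way correlation and priority weighting as the search above, reimplemented as an added Python example (not from the original post) over constructed sample records, so the logic can be checked offline. Field names mirror the search; the sample data, the ×10/×20 factors and the host-level exclusion of cleaned/acknowledged/EICAR AV events follow the search as written.

```python
# Added example: correlate vulnscan, IDS and AV data and weight the priority
# the way the Splunk search does. All records below are constructed samples.

VULNS = [  # vulnscan findings: one row per (dest_ip, qid)
    {"dest_ip": "10.0.0.1", "qid": 1001, "adjusted_priority": 3, "dest_owner": "web"},
    {"dest_ip": "10.0.0.1", "qid": 1002, "adjusted_priority": 5, "dest_owner": "web"},
    {"dest_ip": "10.0.0.2", "qid": 1001, "adjusted_priority": 4, "dest_owner": "db"},
    {"dest_ip": "10.0.0.3", "qid": 1003, "adjusted_priority": 2, "dest_owner": "lab"},
    {"dest_ip": "10.0.0.4", "qid": 1003, "adjusted_priority": 2, "dest_owner": "lab"},
]
SNORT_DEST_IPS = {"10.0.0.1", "10.0.0.3"}  # dest_ip values seen in Snort alerts
AV = [  # Sophos AV events
    {"ComputerIPAddress": "10.0.0.1", "ActionTaken": "Blocked", "ThreatName": "Troj/Agent-X"},
    {"ComputerIPAddress": "10.0.0.2", "ActionTaken": "Blocked", "ThreatName": "Troj/Agent-X"},
    {"ComputerIPAddress": "10.0.0.2", "ActionTaken": "Cleaned", "ThreatName": "Troj/Agent-X"},
    {"ComputerIPAddress": "10.0.0.3", "ActionTaken": "Blocked", "ThreatName": "EICAR-AV-Test"},
]

IDS_FACTOR, AV_FACTOR = 10, 20  # multipliers used by the search


def outstanding_av_hosts(events):
    """Hosts with a Blocked event and no Clea*/Acknowledged/unknown/EICAR event.
    Like `search NOT [...]`, one such event excludes the whole host."""
    blocked = {e["ComputerIPAddress"] for e in events if e["ActionTaken"] == "Blocked"}
    resolved = {e["ComputerIPAddress"] for e in events
                if e["ActionTaken"].startswith("Clea")
                or e["ActionTaken"] in ("Acknowledged", "unknown")
                or e["ThreatName"] == "EICAR-AV-Test"}
    return blocked - resolved


def correlate(vulns, ids_ips, av_events):
    """One row per host, highest adjusted priority first (sort + dedup dest_ip)."""
    av_hosts = outstanding_av_hosts(av_events)
    best = {}
    for v in vulns:
        ip = v["dest_ip"]
        ips_hit, mal_hit = ip in ids_ips, ip in av_hosts
        prio = v["adjusted_priority"] * (IDS_FACTOR if ips_hit else 1) * (AV_FACTOR if mal_hit else 1)
        if ip not in best or prio > best[ip]["adjusted_priority"]:
            best[ip] = {"adjusted_priority": prio, "dest_ip": ip, "dest_owner": v["dest_owner"],
                        "ips": ips_hit, "malware": mal_hit}
    return sorted(best.values(), key=lambda r: -r["adjusted_priority"])


if __name__ == "__main__":
    for row in correlate(VULNS, SNORT_DEST_IPS, AV):
        print(row)
```

Note that a host with both an IDS hit and an outstanding AV issue ends up at 200× its scan priority, while 10.0.0.2 (cleaned) and 10.0.0.3 (EICAR only) do not count as malware hosts.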