gthbvf
Level 7
Message 1 of 7

Watchlist bad sites

Hi,

We get a list of bad sites from a provider.

I have created a dynamic watchlist which pulls the URL list from the provider.

I am looking for a clue on how to set up a view, using the URL watchlist, which should show the number of hits (if any) to bad sites per configured time range.

For a test URL, I'm able to see the test site when searching on URL in the SIEM, but the 'view' is failing to show the # of hits.

6 Replies
ddd671
Level 9
Message 2 of 7

Re: Watchlist bad sites

Have you tried building a custom view with a table element? For the table, select event query, then count. On the filters page, simply filter it for the signature ID of the event you want to see.

gthbvf
Level 7
Message 3 of 7

Re: Watchlist bad sites

Thanks for the response. Simply filtering on signature ID to show the hit count gives the count of all sites (good and bad).

We want to see the hit count only for URLs which are in the 'bad_url_list' watchlist.

ddd671
Level 9
Message 4 of 7

Re: Watchlist bad sites

Sure, I get it now.  If you have an ACE (or one of the VM correlation engines) you can write a correlation rule where signature ID = something && URL in bad_url watchlist.  Set it to trigger on a single positive hit.  Then run your custom view against the correlation's signature ID with a count element.

Re: Watchlist bad sites

You will need to ensure the data is parsed to an indexed field for the URL, then set up a view with a bar graph and a field summary, where the field is the one you are parsing the data to. That will give you a count of events by field summary. URL by default is not an indexed field, and in order to make it work you will need to modify the parser to parse the data into another field you create (one that is not using a custom field already in use), and then use your view to do a summary by the field you created.

It is not an easy task, and probably will take 2-3 hours to do, but the reward is worth it.
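The two approaches above (message 4: a correlation rule of the form signature ID = X && URL in the watchlist, counted per time range; message 5: parse the URL into its own indexed host field and summarize by that field) amount to the same matching logic. The following is an added example, not code from the original thread or from the SIEM vendor, that runs that logic over a few constructed proxy events. The log layout ("timestamp src_ip sigid url"), the signature ID 1001 and the event lines are all hypothetical; the watchlist entries are a sample drawn from the list posted later in this thread, including two entries that are not hostnames, to show why a provider feed has to be normalized before it can be matched against a URL field.

```python
"""Count web events whose host is on a 'bad_url_list' watchlist.

Illustrative code, not McAfee ESM or any vendor's implementation.
Log layout, signature ID and event lines are constructed for the example.
"""
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Sample watchlist entries (taken from the list posted in this thread, used only
# as sample data). Two entries are deliberately not hostnames.
BAD_URL_LIST = [
    "Megaupl0ad.com",
    "securedownload01.com",
    "vgrabber.ourtoolbar.com",
    "205acbc0.any.gs",
    "Conduit Search",   # product name with a space: cannot match a URL field
    "iLivid",           # no dot: not a hostname either
]

# Constructed events in a hypothetical "ts src_ip sigid url" layout.
# sigid 1001 is a made-up ID standing in for the web-proxy URL event.
SAMPLE_EVENTS = """\
2024-03-01T09:01:10Z 10.1.2.3 1001 http://www.megaupl0ad.com/files/setup.exe
2024-03-01T09:02:45Z 10.1.2.7 1001 https://example.com/index.html
2024-03-01T09:03:01Z 10.1.2.3 1001 http://cdn.securedownload01.com:8080/dl?x=1
2024-03-01T09:07:30Z 10.1.2.9 2002 http://megaupl0ad.com/login
2024-03-01T09:12:00Z 10.1.2.9 1001 205acbc0.any.gs
2024-03-01T09:31:15Z 10.1.2.3 1001 http://vgrabber.ourtoolbar.com/toolbar.exe
""".splitlines()


def extract_host(url: str) -> str:
    """Parse the host out of a URL or bare hostname into its own field:
    lowercased, port stripped. This is the custom indexed field message 5
    describes, computed at parse time rather than by string-matching the URL."""
    text = url.strip()
    if "://" not in text:
        text = "//" + text  # let urlsplit treat a bare host as the netloc
    return (urlsplit(text).hostname or "").lower()


def normalize_watchlist(entries):
    """Reduce provider entries to bare hostnames.

    Returns (hosts, skipped): entries that cannot be a hostname (contain
    whitespace or have no dot) go to `skipped` so someone can review the feed
    instead of silently never matching."""
    hosts, skipped = set(), []
    for entry in entries:
        raw = entry.strip()
        host = "" if any(c.isspace() for c in raw) else extract_host(raw)
        if "." not in host:
            skipped.append(entry)
        else:
            hosts.add(host)
    return hosts, skipped


def match_watchlist(host: str, watch_hosts):
    """Return the watchlist entry covering `host`: an exact match or a listed
    parent domain (www.megaupl0ad.com matches megaupl0ad.com). The final
    single label (a bare TLD such as 'com') is never tried, so a watchlist
    entry of just 'com' could not match everything."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watch_hosts:
            return candidate
    return None


def parse_event(line: str) -> dict:
    """Split one constructed event line into fields, adding the host field."""
    ts, src_ip, sigid, url = line.split(maxsplit=3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src_ip": src_ip,
        "sigid": sigid,
        "url": url,
        "host": extract_host(url),
    }


def count_bad_site_hits(lines, watchlist, sigid="1001", bucket_minutes=15):
    """The correlation-rule logic from message 4: sigid == X AND host in
    watchlist, triggering on every single hit. Returns (hits_per_bucket,
    hits_per_host): one series for a bar graph per time range and one for a
    field summary per matched watchlist entry."""
    watch_hosts, _ = normalize_watchlist(watchlist)
    per_bucket, per_host = Counter(), Counter()
    for line in lines:
        ev = parse_event(line)
        if ev["sigid"] != sigid:
            continue
        hit = match_watchlist(ev["host"], watch_hosts)
        if hit is None:
            continue
        t = ev["ts"].replace(second=0, microsecond=0)
        t = t.replace(minute=t.minute - t.minute % bucket_minutes)
        per_bucket[t.strftime("%Y-%m-%d %H:%M")] += 1
        per_host[hit] += 1
    return per_bucket, per_host


if __name__ == "__main__":
    _, skipped = normalize_watchlist(BAD_URL_LIST)
    print("watchlist entries that are not hostnames:", skipped)
    buckets, hosts = count_bad_site_hits(SAMPLE_EVENTS, BAD_URL_LIST)
    for bucket, n in sorted(buckets.items()):
        print(f"{bucket}  hits={n}")
    for host, n in hosts.most_common():
        print(f"  {host}: {n}")
```

Note that the event with signature ID 2002 is dropped even though its host is listed, which is the behaviour the earlier replies rely on when they filter the view on a single signature ID; and the bare-hostname event still matches because the host is extracted into its own field instead of comparing the raw URL string against the watchlist.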

Re: Watchlist bad sites

iLivid

Malvida.com

Megaupload.com

Megaupl0ad.com

1mobiletop.com

vgrabber.ourtoolbar.com

begin-download.com

downloadwizard.com

safedownload.com

safedownload.org

securedownload.com

securedownload01.com

eHacksandCheats.com

Aartemis.com

Ad-emea.doubleclick.net

Ad.directrev.com

22find.com

Adm.soft365.com

Adware.LyriXeeker

205acbc0.any.gs

Conduit Search

These are ALL virus/scam sites

protah
Level 7
Message 7 of 7

Re: Watchlist bad sites

gthbvf,

"For test URL ,I'm able to see test site when searched in URL on SIEM but 'view' is failing to show # of hits."

Go to your Dashboard and do the following:

Select  'Edit Dashboard/View' --> Highlight "Events Module" --> Select 'Edit' --> Add "Event Count"

Hope that helps. You should just need to add the event count as one of the fields displayed in the events module of your dashboard.

R/

Jacob