6 Replies Latest reply on Jan 29, 2015 7:45 PM by protah

    Watchlist bad sites

    gthbvf

      Hi,


      We get a list of bad sites from a provider.

      I have created a dynamic watchlist which pulls the URL list from the provider.


      I am looking for a clue on how to set up a view, using the URL watchlist, which should show the number of hits (if any) to bad sites per configured time range.

      For a test URL, I'm able to see the test site when searched in URL on the SIEM, but the 'view' is failing to show the # of hits.

        • 1. Re: Watchlist bad sites
          ddd671

          Have you tried building a custom view with a table element? For the table, select event query, then count. On the filters page, simply filter it for the signature ID of the event you want to see.

          • 2. Re: Watchlist bad sites
            gthbvf

            Thanks for the response. Simply filtering on signature ID to show the hit count gives the count of all sites (good and bad).


            We want to see the hit count only for URLs which are in the 'bad_url_list' watchlist.

            • 3. Re: Watchlist bad sites
              ddd671

              Sure, I get it now. If you have an ACE (or one of the VM correlation engines) you can write a correlation rule where signature ID = something && URL in bad_url watchlist. Set it to trigger on a single positive hit. Then run your custom view against the correlation's signature ID with a count element.

              • 4. Re: Watchlist bad sites
                budderheadabc(jlkfreeman)

                iLivid

                Malvida.com

                Megaupload.com

                Megaupl0ad.com

                1mobiletop.com

                vgrabber.ourtoolbar.com

                begin-download.com

                downloadwizard.com

                safedownload.com

                safedownload.org

                securedownload.com

                securedownload01.com

                eHacksandCheats.com

                Aartemis.com

                Ad-emea.doubleclick.net

                Ad.directrev.com

                22find.com

                Adm.soft365.com

                Adware.LyriXeeker

                205acbc0.any.gs

                Conduit Search

                These are ALL virus/scam sites

                • 5. Re: Watchlist bad sites
                  ryan.fitzpatrick

                  You will need to ensure the data is parsed to an indexed field for the URL, then set up a view for the bar graph and (field summary), where the field is the field you are parsing the data to. That will give you a count of events by field summary. URL by default is not an indexed field, and in order to make it work you will need to modify the parser to parse the data into another field you create that is not using a custom field already in use, and then use your view to do a summary by the field you created.


                  It is not an easy task, and probably will take 2-3 hours to do, but the reward is worth it.
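The two suggestions above (reply 3: a correlation rule of "signature ID = X && URL in watchlist", counted per time range; reply 5: parse the URL into its own field first so it can be summarised) boil down to the same pipeline. The following is an added illustration of that logic, not code from the thread or from the SIEM vendor: it parses constructed proxy-style log lines into fields, matches the URL's host against a stand-in for the 'bad_url_list' watchlist (exact or subdomain match, so a port or a deeper hostname does not slip past), keeps only events with the chosen signature ID, and counts hits per time bucket. The log format, the signature ID 43000021, the field names and the watchlist entries are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed stand-in for the dynamic 'bad_url_list' watchlist (example domains only).
BAD_URL_LIST = {"malware-dl.example", "fake-update.example.net"}

# Constructed proxy-style log lines; the last line is deliberately malformed.
SAMPLE_LOGS = """\
2015-01-29T10:02:11Z sigid=43000021 src=10.1.1.5 url=http://www.example.com/index.html
2015-01-29T10:05:40Z sigid=43000021 src=10.1.1.7 url=http://malware-dl.example/setup.exe
2015-01-29T10:07:02Z sigid=43000021 src=10.1.1.5 url=http://cdn.fake-update.example.net/flash.php
2015-01-29T10:12:19Z sigid=43000099 src=10.1.1.9 url=http://malware-dl.example/beacon
2015-01-29T10:25:33Z sigid=43000021 src=10.1.1.7 url=https://malware-dl.example:8443/c2
not a parseable line""".splitlines()

# Hypothetical log layout; a real parser rule would be written for the device's own format.
LOG_RE = re.compile(r"^(?P<ts>\S+) sigid=(?P<sigid>\d+) src=(?P<src>\S+) url=(?P<url>\S+)$")


def parse_event(line):
    """Parse one log line into a field dict, adding a derived 'url_host' field.

    'url_host' plays the role of the custom indexed field reply 5 recommends:
    it holds just the hostname, so summaries and watchlist matches are cheap.
    Returns None for lines that do not match the expected layout.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    host = urlparse(event["url"]).hostname  # strips scheme, port and path
    event["url_host"] = host.lower() if host else None
    return event


def parse_events(lines):
    """Parse all lines, silently dropping the ones the parser cannot handle."""
    return [e for e in (parse_event(l) for l in lines) if e is not None]


def host_in_watchlist(host, watchlist):
    """True if host equals a watchlist entry or is a subdomain of one."""
    if not host:
        return False
    host = host.lower()
    return any(host == entry or host.endswith("." + entry) for entry in watchlist)


def correlate(events, sig_id, watchlist):
    """Equivalent of the rule 'signature ID = sig_id && URL in watchlist'."""
    return [e for e in events
            if e["sigid"] == sig_id and host_in_watchlist(e["url_host"], watchlist)]


def hits_per_bucket(events, bucket_minutes):
    """Count hits per fixed time bucket (bucket_minutes must divide 60).

    Keys are ISO timestamps of each bucket's start, which is what a
    bar-graph view over a configured time range would plot.
    """
    counts = Counter()
    for e in events:
        ts = e["ts"]
        start = ts.replace(minute=(ts.minute // bucket_minutes) * bucket_minutes,
                           second=0, microsecond=0)
        counts[start.isoformat()] += 1
    return counts


if __name__ == "__main__":
    hits = correlate(parse_events(SAMPLE_LOGS), "43000021", BAD_URL_LIST)
    for bucket, n in sorted(hits_per_bucket(hits, 10).items()):
        print(f"{bucket}  {n} hit(s) to watchlisted hosts")
```

Of the five parseable lines, three survive the correlation: the first is a benign host, and the fourth has the wrong signature ID even though its host is watchlisted. Matching on the parsed host rather than the raw URL string is what makes the port on the last line and the subdomain on the third line count as hits.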

                  • 6. Re: Watchlist bad sites
                    protah

                    gthbvf,

                    "For test URL ,I'm able to see test site when searched in URL on SIEM but 'view' is failing to show # of hits."



                    Go to your Dashboard and do the following:

                    Select  'Edit Dashboard/View' --> Highlight "Events Module" --> Select 'Edit' --> Add "Event Count"


                    Hope that helps. You should just need to add the event count as one of the fields displayed in your events module of the dashboard.


                    R/

                    Jacob