1 Reply Latest reply on Jun 16, 2016 7:55 AM by 3no

    New Host Detection


      Good Afternoon,


      I am trying to identify new hosts detected on a month by month basis.


      I have reviewed the content packs, but there only seems to be Windows Authentication for new users created.


      Does anyone have any ideas how to establish a difference between Internal IP addresses on a month by month basis?


      I have tried with no luck to filter on Windows event 4741 - New account created.


      The only way I can think of doing it is exporting page by page a list of source IP addresses, combining them, and then doing the same for the previous month.... This is a very long method.


      Any thoughts would be greatly appreciated

        • 1. Re: New Host Detection

          Hi James,


          You can create a static watchlist with all your internal IP addresses, and a second one, empty, called "New Host".

          Then you create an alert, with this statement,

               - if you see an IP that is not in the watchlist "Internal IP addresses", then add the source IP to the watchlist "New Host".

          Take a look at this document if you don't know how to configure a watchlist or alarms; you'll find almost the same configuration in it.

          SIEM Use Case: Tracking Malware

          Good luck,
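The two approaches raised in this thread, the month-over-month set difference James describes and the watchlist rule in the reply, both come down to a small amount of set logic once the source IPs have been pulled out of the events. The script below is an added example, not code from the original thread and not a McAfee ESM configuration: it emulates both approaches in plain Python over a handful of constructed log lines (the line format, the IPs and the `watchlist_alert` / `new_hosts` helper names are all assumptions made for the example). The `first_seen` function generalizes the month-by-month diff to any number of months, which is what you want for a running baseline rather than a one-off comparison.

```python
"""
New-host detection as an added example (not from the original thread and not
a McAfee ESM configuration). It emulates two ideas discussed above in plain
Python:
  1. diff the set of source IPs seen in one month against the previous month;
  2. the reply's watchlist rule: any source IP not on a static
     'Internal IP addresses' watchlist is appended to a 'New Host' watchlist.
The log lines below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample events, one per line: "<timestamp> <source_ip> <event_id>"
SAMPLE_LOGS = """\
2016-04-03T08:12:01 10.1.2.10 4624
2016-04-10T09:00:12 10.1.2.11 4624
2016-04-21T17:45:09 10.1.3.7 4624
2016-05-02T08:30:00 10.1.2.10 4624
2016-05-05T11:02:44 10.1.2.55 4624
2016-05-19T13:20:18 10.1.3.7 4624
2016-05-28T22:10:05 10.1.9.201 4624
not-a-timestamp garbage 0
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)$")


def parse_events(text):
    """Yield (month 'YYYY-MM', source_ip) tuples; skip lines that do not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, _event_id = m.groups()
        try:
            month = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").strftime("%Y-%m")
            ipaddress.ip_address(ip)  # reject garbage in the IP column
        except ValueError:
            continue
        yield month, ip


def hosts_by_month(text):
    """Map each month to the set of source IPs seen in it."""
    seen = defaultdict(set)
    for month, ip in parse_events(text):
        seen[month].add(ip)
    return seen


def new_hosts(text, month, previous_month):
    """Set difference: IPs seen in `month` but not in `previous_month`."""
    seen = hosts_by_month(text)
    return sorted(seen.get(month, set()) - seen.get(previous_month, set()))


def first_seen(text):
    """Month in which each IP first appeared, across any number of months."""
    first = {}
    # Sorting (month, ip) tuples puts the earliest month first for each IP.
    for month, ip in sorted(parse_events(text)):
        first.setdefault(ip, month)
    return first


def watchlist_alert(text, internal_watchlist):
    """Emulate the reply's rule: every source IP that is not on the static
    internal watchlist is appended (once) to a 'New Host' watchlist."""
    new_host_watchlist = []
    for _month, ip in parse_events(text):
        if ip not in internal_watchlist and ip not in new_host_watchlist:
            new_host_watchlist.append(ip)
    return new_host_watchlist


if __name__ == "__main__":
    print("New in 2016-05 vs 2016-04:", new_hosts(SAMPLE_LOGS, "2016-05", "2016-04"))
    print("First seen:", first_seen(SAMPLE_LOGS))
    internal = {"10.1.2.10", "10.1.2.11", "10.1.3.7"}
    print("New Host watchlist:", watchlist_alert(SAMPLE_LOGS, internal))
```

One caveat worth keeping in mind with the static-watchlist variant: it fires for every address that was never pre-listed, so on DHCP ranges it will fill "New Host" with ordinary lease churn unless the internal list is kept in sync. The `first_seen` baseline sidesteps that by treating the history itself as the known-host list.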