1 Reply Latest reply on Jun 16, 2016 7:55 AM by 3no

    New Host Detection

    james75

      Good Afternoon,


      I am trying to identify new hosts detected on a month by month basis.


      I have reviewed the content packs, but there only seems to be Windows Authentication for new users created.

      Does anyone have any ideas how to establish a difference between Internal IP addresses on a month by month basis?


      I have tried with no luck to filter on Windows event 4741 - New account created.


      The only way I can think of doing it is exporting, page by page, a list of source IP addresses, combining them, and then doing the same for the previous month. This is a very long method.

      Any thoughts would be greatly appreciated.

        • 1. Re: New Host Detection
          3no

          Hi James,


          You can create a static watchlist with all your internal IP addresses, and a second, empty one called "New Host".

          Then you create an alert, with this statement,

               - if you see an IP that is not in the watchlist "Internal IP addresses", then add the source IP to the watchlist "New Host".


          Take a look at this document if you don't know how to configure a watchlist or alarms; you'll find almost the same configuration in it.

          SIEM Use Case: Tracking Malware


          Good luck,
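The watchlist logic from 3no's reply, written out as an added example (not code from the thread or from the SIEM product). It replays a constructed export of source IPs, keeps a "known internal hosts" set that plays the role of the static watchlist, and records every internal IP the first month it appears, which gives the month-by-month list of new hosts james75 asked for. Two assumptions not in the original: the internal address space is expressed as CIDR ranges rather than a host list, and addresses outside those ranges are ignored so external scanners do not end up in the "New Host" list.

```python
"""Month-over-month new-host detection from exported source IPs.

Added example, not from the original thread or from the SIEM vendor.
Mirrors the watchlist approach: a static set of known internal hosts plus
a "New Host" set that fills with any internal source IP not yet known.
The log lines below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample: timestamp and source IP, roughly what a per-page
# export of authentication events looks like once flattened.
SAMPLE_LOGS = """\
2016-04-03T09:12:44 src=10.1.2.10 user=alice event=4624
2016-04-05T10:02:10 src=10.1.2.11 user=bob event=4624
2016-04-20T16:41:03 src=203.0.113.7 user=- event=4625
2016-05-02T08:00:01 src=10.1.2.10 user=alice event=4624
2016-05-09T13:37:00 src=10.1.2.55 user=svc_backup event=4624
2016-05-17T22:15:30 src=10.1.2.11 user=bob event=4624
2016-06-01T07:45:12 src=10.1.9.200 user=carol event=4624
2016-06-14T11:11:11 src=10.1.2.55 user=svc_backup event=4624
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)")


def parse_events(text):
    """Yield (month 'YYYY-MM', ip_address) for each well-formed line.

    Malformed lines and unparsable addresses are skipped rather than
    raising, so one bad export row does not abort the whole run.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("src"))
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts.strftime("%Y-%m"), ip


def new_host_alarm(src_ip, internal_watchlist, new_host_watchlist):
    """The alarm rule from the reply, over plain Python sets.

    If the source IP is on neither watchlist, add it to "New Host" and
    return True (alarm fires); otherwise return False.
    """
    if src_ip in internal_watchlist or src_ip in new_host_watchlist:
        return False
    new_host_watchlist.add(src_ip)
    return True


def new_hosts_by_month(text, internal_nets, baseline=()):
    """Return {month: sorted list of internal IPs first seen that month}.

    `internal_nets` is an assumed CIDR form of the "Internal IP addresses"
    watchlist; `baseline` is any host already known before the export
    starts (pass the previous month's list to get only the delta).
    Addresses outside `internal_nets` are ignored.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    known = {ipaddress.ip_address(a) for a in baseline}
    new_by_month = defaultdict(set)
    # Stable sort by month keeps first-seen order within a month.
    for month, ip in sorted(parse_events(text), key=lambda e: e[0]):
        if not any(ip in net for net in nets):
            continue
        # `known` acts as the internal watchlist, the month bucket as "New Host".
        if new_host_alarm(ip, known, new_by_month[month]):
            known.add(ip)
    return {
        m: sorted(str(ip) for ip in ips)
        for m, ips in new_by_month.items()
        if ips
    }


if __name__ == "__main__":
    for month, hosts in sorted(new_hosts_by_month(SAMPLE_LOGS, ["10.0.0.0/8"]).items()):
        print(month, ", ".join(hosts))
```

Running it with an empty baseline reports every internal host the first month it shows up; passing last month's known hosts as `baseline` gives just the new ones for the current month, which is the diff james75 was building by hand.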