Warning: You are viewing an older version of this documentation. Most recent is here: 40.0.1

Table of Contents

• Concepts
  • Approaching Threat Hunting
    • Building your Cyber Defense with SCS
    • Context Understanding
    • Active Hunting
    • Serious & Imminent Threats
    • Policies Overview
    • Use Cases
    • Creating a Policy
    • Exporting/Importing a Policy and Filtersets
    • Policy Actions
      • Suppress
      • Threshold
      • Tag
      • Tag & Keep
      • Email
      • Create a STR Event
      • Summary
    • Best Practices
      • Loose filters
      • Reverse the logic of a threat to implement a filter
  • Declaration of Compromise
    • Detection Engines
    • Indicators of Compromise (IoC)
    • Declaration of Compromise (DoC)
  • Detection and Event Enrichment Flow
  • The Most Powerful Capabilities
    • Combining the Best of Capabilities
      • Intrusion Detection Systems
      • Network Security Monitoring Systems
      • Network Detection and Response Systems
      • Stamus Security Platform
• Stamus Security Platform
  • Stamus Central Server
  • Stamus Networks Probe
  • Security Posture
    • Top Menu Bar Options
    • Operational Center
  • Compromises
    • Impacted Assets
    • Timeline
    • Coverage
  • Analytics
    • Beaconing
      • Beacon Metric
    • Sightings
      • Sightings and multiple probes
      • Training period
      • Buffer size
      • Detection and automation
    • Signatures
      • Variables
      • Stamus signatures
      • Proofpoint
      • Lateral
      • Lateral scan
      • Performance rulesest
    • Newly Registered Domains (NRD)
      • Detection and automation examples
    • Anatomy of a detection event
      • Application layer
      • Flow_id
      • Flow section
      • Metadata section (flowbits)
      • FQDN breakdown for HTTP, TLS and DNS
      • Tagging and Classification
      • SMTP Enrichment
      • Source and Target
      • Organisational Context
      • MAC address
      • FQDN additions
      • Discovery info
      • GeoIP
      • TLS Cipher analytics
      • TLS JA4
      • TLS ALPN
      • DCERPC function name mappings
      • Number of transactions in a flow
      • SSH hassh, client and server software
    • Additional resources
  • Hunting
    • Introduction
    • Top Menu Bar Options
      • Dashboard
      • Alerts
      • Signatures
      • Host Insights
      • Policy
      • To apply policies on probes
      • Suppress
      • Threshold
      • Tag
      • Tag and Keep
    • Understanding the search
      • Basic
      • Wildcard search
      • Host ID search
      • Convert Host ID from/to alert search
    • Keyboard shortcuts
      • Tag filtering
    • Hunting Examples
      • Search by name
      • Hunt by IP
      • Host intel triaging
      • Unusual useragents
      • Unusual domains
      • Flip the search
      • Find Alert events by Policy Actions
      • Host ID basic search techniques
  • Hunting Filters
    • Overview
    • Predefined Hunting Filter Sets
    • User Defined Filters
      • Adding Filter Criteria
    • IP Filter
      • Example 1
      • Example 2
      • Example 3
    • ES Filters
      • Under The Hood
      • Knowing the Fields to Use
      • Global Searches
    • Specific Filters
      • Signatures
      • Hosts
    • Creating Filter Sets
      • Creating Global Filter Sets
      • Creating Private Filter Sets
      • Loading Filter Sets
      • Exporting Filter Sets
      • Deleting Filter Sets
  • Kibana Dashboards
    • Export Kibana visualizations as CSV file
    • Export Kibana visualizations and dashbords from Stack Management
    • Edit Kibana visualizations
    • Create Kibana visualizations
  • Feature Request
    • Requesting a Feature
      • Describe the feature or change you would need
      • Describe how this change will help you
      • Describe how important it is to you
• Administration
  • Overview
    • Interface Overview
  • Authentication
    • Local Authentication
      • Add/Create User
      • Edit User
      • Change User Password
      • Change User Password From The Command Line
      • Delete User
      • User Permissions
    • Authentication (LDAP, local)
      • Active directory with local database fallback (LDAP)
      • Generic LDAP
      • LDAP authentication methods
      • Mapping LDAP groups
      • Common LDAP configuration options
      • LDAP Troubleshooting
    • Authentication using the SAML protocol
  • SCS settings
    • Use a proxy
    • Use elasticsearch
    • Use an external Elasticsearch server
    • Custom login page banner text
    • Automatic logout
  • Capture Settings
    • Change interface settings for a probe
    • Add Berkeley packet filter to adjust probes inspection
    • Add threads to an interface inspection on a probe
    • Network card load balancing
  • Network Security Monitoring Settings
    • Change NSM settings for a probe
    • Enable or disable protocols for a probe
    • Common settings for protocols
    • Add custom or extended HTTP information
    • Add custom or extended SMTP information
    • Add custom DNS information
    • Add packet data or payload to the alerts information
    • File handling capabilities
    • Enable or disable file extraction for a probe
    • Add Hahsum, file magic or mimetype information
    • Rule Activity for a probe
      • Review rules activity for a probe
  • Declarations of Compromise
    • Custom Declarations of Compromise
    • Editing a Custom Declaration of Compromise
    • DoC Suppression
      • Finding the sig_id
      • Find the Offender IP
  • Events Filtering
    • Filters
      • DNS events filter
      • Flow filters
        • TCP flow events min age filter
        • UDP flow events min age filter
        • Flow events min age filter
      • Enrichment options
        • Create FQDN like fields from network definitions
        • Add field with lateral movement information
        • Add some signature information in alerts
  • File Extraction
    • Concept
    • File Extraction Activation
    • How File Extraction Works
    • Getting Files from the REST-API
  • Conditional PCAP logging
    • Concept
    • Conditional PCAP Activation
    • How Conditional PCAP logging works
    • Rest API pcap file extraction automation
  • Global Configuration
    • HTTPS
    • Certificate authority
    • Log retention
    • Database status and health
    • Forwarding Events (output plugin)
    • Sending Emails
    • NTP
    • Stamus Probe Global Parameters
      • Change name of a probe
      • Change description of a probe
      • Change ruleset of a probe
      • Change management IP address of a probe
      • Edit inspection networks and ports for a probe
      • Rediscover system parameters
    • Expert configuration
      • Custom and expert configuration for a probe - YAML include
      • Custom suricata runtime flags
  • Network Definitions
    • Introduction
      • Load balancers and proxies
        • Option 1
        • Option 2
    • Managing Network Definitions
      • Create, Edit, Delete
      • Import, Export
      • Using Network Definition as HOME_NET
    • Assigning a Network Definition
      • Single Tenant (default)
      • Network Probe
      • Template
      • Multi-Tenancy
      • JSON Example
      • RestAPI
        • Bash Example
        • Python Example
        • Updating Network Definitions
    • Known Bug
  • Probe Registration
    • Registering a Stamus Network Probe
    • Register a Stamus Network Probe via SSL VPN
    • Enable VPN proxy on Network Probes
    • Finish registration of a Stamus Probe
    • Remove/delete a probe
  • Probe Templates
    • Using Templates
    • Override Settings
    • Template Inheritance
    • Delete Template
  • Stamus Loggers
    • Setting up Stamus Loggers
      • Enable External Elasticsearch Cluster
      • Setting up SCS
      • Register a Stamus Logger
      • Update the Probes
  • Run Your Own Defense (RYOD)
    • Introduction
    • Basic usage
      • RYOD management
      • RYOD commands
    • Container lifecycle
    • Backup
    • Disable RYOD
    • Log rotation RYOD
  • Sources & Rulesets
    • Overview
    • Definitions
      • Rule or Signature
      • Source
      • Ruleset
    • Sources
      • Common options to sources
      • Adding a Public source
      • Adding a Manual source
      • Updating a Source
    • Rulesets
      • Creating a Ruleset
      • Updating Rulesets
      • Exporting Rulesets
      • Scheduled Tasks
      • Editing a Ruleset
        • Edit Sources
        • Edit Categories
        • Add rule to disabled list
        • Remove rule from disabled list
      • Suricata Sensors
        • Setup
        • Updating Suricata Ruleset
    • Using Custom Rules
      • Initial Configuration
      • Rules File Update
      • Testing the Ruleset
    • Threat Intelligence Sources for Datasets
    • Suppression and Thresholding
      • Suppress Alerts per Rule
      • Remove Rule Suppression
      • Threshold Alerts
      • Pass on Sightings and Beaconing
    • Rule Transformations
      • Action Transformation
      • Lateral Movement
      • Target Keyword
    • Custom Suricata keywords
      • Mime_type keyword
      • Domain keyword
      • TLD keyword
    • Config keyword
    • Suricata keywords recommendations
      • IP Match
    • Suricata signature rule writing guidelines
      • Network variables
      • Flow direction and state
      • Sticky buffer
      • Update revision
      • Dashboards
      • Example
      • Further suggestions
        • engine-analysis
  • Splunk
    • Forwarding SCS logs to Splunk
      • General Procedure
      • Options
      • Enabling encryption with Splunk
    • Stamus App for Splunk
  • Suricata Sensors
    • Alerts Enrichment
    • Register a Suricata Sensor
      • Preparing a Suricata Sensor
      • Shipping logs from a Suricata Sensor
      • Adding a remote sensor for the first time
        • Step 1
        • Step 2
        • Step 3 (optional)
  • Threat Intelligence
    • Threats Update
      • Online SCS
      • Offline SCS
    • Homoglyph Attacks
      • What are Homoglyph Attacks?
      • Configuring Homoglyph Attacks Detection
    • IP Reputation List
      • IP list
      • Category Identifier
      • Create a detection rule
      • Package everything
      • Upload the tarball to Stamus Central Server
  • Webhooks
    • What are Webhooks?
    • Objects & Variables
    • Examples
      • Splunk
      • Service Now
      • Slack / Mattermost
      • TheHive
      • Discord
      • Special Cases
• Architectures
  • Single Tenant
  • Multiple Tenants
    • Multi Tenancy
      • What is Multi Tenancy?
      • Activating Multi Tenancy
      • Using Multi Tenancy
    • Chained SCS Tenancy
      • What is Chained Tenancy?
      • Activating Chained SCS Tenancy
        • Master SCS
        • Slave SCS
      • Disabling Multi Tenancy
  • Cloud Architectures
  • Deployment Guidelines
    • Traffic Capture Points
      • WAN
        • Front
        • Gateway
        • Back
        • Misc
      • LAN
        • DNS Traffic
    • Traffic Forwarding
      • Port Mirroring
      • Network TAP
      • Network Packet Broker
      • (ER)SPAN
      • Cloud providers
        • AWS
        • GCP
        • Azure
    • Requirements
      • Bidirectional
      • Tunneling
    • Configuration Recommendations
      • HOME_NET
      • Lateral Movement
    • Challenges
      • Noise
      • Drops
      • Missing packets
      • Load Balancing
      • Traffic
• Maintenance
  • Licensing
    • How Licensing Works
    • Stamus Licenses Comparison
    • Sales Trial License
    • Installing a license
      • Generate your SCS Unique ID
      • Install the license
  • Preparing the Installation
    • Obtaining the bits
    • Hardware Requirements
    • Virtual Machines
    • Firewall rules
    • Get your license
    • Network Definitions
  • Installing Stamus Central Server
    • Installing the Manager and the Network Probe
    • Installing the license
    • Registering a Network Probe
    • Management IP address
    • Adding public sources (optional)
    • Adding a Ruleset
    • Attach the Ruleset to the Network Probe
    • Update the ruleset
  • Stamus Network Appliances
    • Appliances Models
    • Stamus Central Server
      • SYS-STS500-000 (SCS)
    • Stamus Network Probes Appliances
      • SYS-STS100-000 (100Mbps)
      • SYS-STS200-000 (1Gbps)
      • SYS-STS300-000 (10Gbps)
      • SYS-STS400-000 (40Gbps)
    • Remote Access Controllers
      • IPMI
      • iDRAC
  • USB Installation
    • Prerequisites
    • Preparing the USB Stick
    • Installation
      • USB Stick Procedure
      • RAID-on-a-Chip Procedure (Fake RAID)
  • Backup & Restore
    • Backup
    • Restore
    • Migrating a Physical SCS to a Virtual Machine
      • Before Starting
      • Backuping the existing SCS
      • Installing a new Virtual Machine
  • Systems Upgrade
    • Procedure
    • Upgrade Path
      • Example 1
      • Example 2
  • Troubleshooting
    • Online Health Checks
    • Troubleshooting Report
      • Stamus Central Server
      • Stamus Network Probe
    • Common Questions
      • TCP reassembly gaps
      • External ELK cluster upgrade
  • Monitoring
    • Observe system health over Rest API
    • Automation code samples
    • Monitoring over SNMP
  • Releases Notes
    • U38.0.0 (2022-05-05)
    • U37.1.0 (2021-10-02)
  • Stamus Support
    • Contacting Stamus Networks support team
    • Accessing Stamus Networks support portal
      • Setting up an account
      • Accessing the support portal
      • Using the support portal
• Developer Corner
  • REST API
    • Generate an Access Token
    • Accessing the REST-API
    • API usage
      • HTTP Methods
      • List Parameters
    • Accessing Host ID
      • Examples
        • cURL
        • Python
        • Direct Link
    • Objects relations
      • SCS and probes
      • Network interfaces
      • Protocols
      • Templates
      • User actions
  • SOAR Integration Examples
    • SOAR Python example code
    • RestAPI explained
      • Token
      • Pagination
        • Customizing Pagination
      • Tenant
      • Date and time
      • How to find a specific RestAPI call
      • RestAPI call result review in a browser
      • RestAPI points
      • Naming Conventions used
    • Automation code samples
      • Host Insights
        • Host Insights for a specific Host - alert based
        • Host Insights for a specific Host
      • Alerts Metadata
      • Hunting Dashboards
      • NTA/NSM
  • Python SDK
  • Data Structure
    • Data schema
    • Data fields
      • DEFAULT
      • STAMUS Specific
      • ALERTS
      • ANOMALY
      • DCERPC
      • DHCP
      • DNP3
      • DNS
      • Fileinfo
      • FLOW
      • FTP
      • FTP_DATA
      • Host Insights
      • HTTP
        • HTTP Header fields
      • IKE
      • KRB5
      • MQTT
      • NETFLOW
      • NFS
      • RDP
      • RFB
      • SIP
      • SMB
      • SMTP
      • SNMP
      • SIGHTINGS
      • STATS
      • SSH
      • TFTP
      • TLS
  • JSON Data Format
    • Common Section
      • Event types
      • PCAP fields
    • Alert Events
    • Anomaly Events
    • HTTP Events
    • DNS Events
    • IKE Events
    • Modbus Events
    • FTP Events
    • FTP_DATA Events
    • TLS Events
    • TFTP Events
    • SMB Events
    • SSH Events
    • FLOW Events
    • RDP Events
    • RFB Events
    • MQTT Events
    • HTTP2 Events
• Community
  • SELKS
  • GopherCap
    • exampleConfig
    • map
    • Replay
    • tarExtract
  • Let’s Chat!
    • Mattermost
    • Discord