External Links Templates¶
The Stamus Security Platform includes a feature that allows users to create External Links Templates, enabling quick access to external databases or resources for further investigation based on event data. This functionality is accessible through the External links page under the Administration panel.
Concept¶
With the help of the External Links Templates feature, users can define custom links and query external databases, organizations' inventory systems, EDR systems, research resources, or any other relevant sites, including search engines. These templates can be linked to specific entities (like Hostname, Port, IP, etc.) found within the event data of the Stamus Security Platform.
How This Enhances Intrusion Detection and Response:
Traditional security tools, such as antivirus or endpoint protection systems, often rely on static databases for threat detection. In contrast, External Links Templates offer dynamic and customizable access to the latest threat intelligence available. By using these templates, users can quickly verify and analyze suspicious entities, like IP addresses or domain names, against up-to-date external threat intelligence sources.
This provides a significant enhancement to analysts' investigation process and capabilities, allowing them to query and correlate information from other available sources, public or organization-internal alike.
Supported Entities and Detection Capabilities:
The Stamus Security Platform supports a wide range of entities for linking with external resources, including IP addresses, Hostnames, Ports, Usernames, MITRE tactics, and more.
For instance, if a template is set up for Hostnames, it can provide insights on various network activities such as TLS, HTTP, or other protocols. This expands the breadth of investigation possibilities, enabling users to gather comprehensive intelligence on entities observed in network traffic, thereby offering a more holistic threat detection and response mechanism.
Key Features¶
- Customizable Templates: Users can create templates that link to external resources based on specific entities (e.g., IP addresses, Hostnames) or can choose to enable the template for all event values within the platform.
- Dynamic Linking: The template URL dynamically inserts the selected event value using the syntax {{ value }}. For example, a template might use the syntax https://example.com/search?q={{ value }} to query an external database with the selected entity.
- Right-click Menu Integration: Once created, the template appears in the right-click contextual menu of relevant event values, allowing for quick access to external resources directly from the Stamus Security Platform.
- Enhanced Investigation: This feature streamlines the investigation process by providing immediate access to external information on suspicious entities, thereby improving the speed and effectiveness of threat analysis.
Creating a Template¶
In order to create an External Links Template, you need to:
- Navigate to NDR app > Administration > External links
- Click on Create Template
- Fill in the fields:
  - Name: Enter a descriptive name for the template
  - Template URL: Provide the URL with the entity placeholder, e.g., https://example.com/search?q={{ value }}
- Choose whether to always show the template or only show it for selected entities by selecting either:
  - Always show template - visible for all entities / event values
  - Only show template for selected entities - choose from the list of entities (e.g., IP, Hostname, Port)
- Save the template.
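The two mechanics described above (the {{ value }} placeholder under Dynamic Linking, and the "Always show" versus "Only show for selected entities" choice in the creation steps) can be modelled in a few lines. The following is an added example written for this page, not the Stamus Security Platform's own code; the class and function names are assumptions, and the percent-encoding step is the check a defender would want when an event value (a hostname, a user name, a URL) could itself contain characters such as `&`, `#` or spaces that would otherwise change the meaning of the query sent to the external site. Whether the platform encodes the value in the same way is not stated on this page.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import quote, urlsplit

# Placeholder syntax from the page: "{{ value }}", tolerant of inner whitespace.
PLACEHOLDER = re.compile(r"\{\{\s*value\s*\}\}")


@dataclass(frozen=True)
class ExternalLinkTemplate:
    """One External Links Template as configured in Administration > External links.

    Hypothetical model for this example: 'always_show' corresponds to
    "Always show template"; 'entities' holds the selected entity types
    (e.g. "ip", "hostname", "port") when 'always_show' is False.
    """
    name: str
    url: str
    always_show: bool = True
    entities: frozenset = field(default_factory=frozenset)


def validate_template_url(url: str):
    """Return None if the template URL is usable, otherwise a short reason.

    Checks: exactly one {{ value }} placeholder, and an http(s) scheme so the
    right-click action opens a web resource rather than an arbitrary handler.
    """
    if len(PLACEHOLDER.findall(url)) != 1:
        return "template URL must contain exactly one {{ value }} placeholder"
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "template URL must use http or https"
    return None


def render_external_link(template_url: str, value: str) -> str:
    """Substitute the selected event value into the template.

    The value is percent-encoded with an empty 'safe' set, so '/', '&', '#',
    '=' and spaces inside the value cannot alter the path or query structure
    of the external URL (constructed behaviour for this example).
    """
    problem = validate_template_url(template_url)
    if problem:
        raise ValueError(problem)
    return PLACEHOLDER.sub(quote(value, safe=""), template_url)


def applicable_templates(templates, entity_type: str):
    """Templates that belong in the right-click menu for one entity type.

    Mirrors the page's two options: always-visible templates appear for every
    event value; restricted templates appear only for their selected entities.
    """
    wanted = entity_type.lower()
    return [
        t for t in templates
        if t.always_show or wanted in {e.lower() for e in t.entities}
    ]


# Constructed sample configuration (not from the page).
SAMPLE_TEMPLATES = [
    ExternalLinkTemplate("Generic search", "https://example.com/search?q={{ value }}"),
    ExternalLinkTemplate(
        "Hostname lookup",
        "https://example.com/host/{{value}}",
        always_show=False,
        entities=frozenset({"hostname"}),
    ),
]


if __name__ == "__main__":
    for t in applicable_templates(SAMPLE_TEMPLATES, "hostname"):
        print(t.name, "->", render_external_link(t.url, "www.example.org"))
    for t in applicable_templates(SAMPLE_TEMPLATES, "ip"):
        print(t.name, "->", render_external_link(t.url, "192.0.2.10"))
```

Running the block prints both templates for a Hostname value but only the always-visible one for an IP value; the encoding step is visible when the value contains reserved characters, e.g. `a b&c=d#e` becomes `a%20b%26c%3Dd%23e` in the query string.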
Note
The External Links Templates can also be edited or deleted from the External links page.
Using the Template¶
After creating the template, it will appear in the right-click menu of relevant event values in the Stamus Security Platform.
Right-click on an event value (e.g., an IP address) and select the external link template to be redirected to the corresponding page on the external site, where detailed information about the event value can be reviewed.
Example Usage¶
Suppose you created a template to search for Hostnames using the syntax https://example.com/search?q={{ value }}:
- Navigate to Dashboards > HTTP Information > Hostnames and select a hostname of interest.
- Right-click on the Hostname and select your template from the menu.
- You will be redirected to the external site with relevant results displayed, enabling further analysis.
Detailed Insight from External Databases¶
By using this feature, you will have direct access to external databases, which often provide valuable information such as:
- Entity Status: Information on whether an entity (e.g., IP, domain) is currently flagged as malicious, suspicious, or safe.
- Related Metadata: Additional context like threat type, reporting source, historical activity, and associated threat actors or malware families.
- Current and Historical Data: Insights into the entity's past and present status, aiding in understanding the timeline of its involvement in malicious activities.
External Links Templates offer a powerful way to extend the investigation capabilities of the Stamus Security Platform by integrating it with external intelligence and research databases. This provides a more comprehensive understanding of potential threats and incidents, enhancing intrusion detection and response through seamless access to real-time, detailed threat data.