Table of Contents
- Concepts
- Clear NDR® Capabilities
- DoC & DoPV
- Host Insights
- Outlier Alerts
- Conditional Logging
- Approaching Threat Hunting
- Detection and Event Enrichment Flow
- Analyst manual
- Security Posture
- Analyzing Compromises
- Declaration of Compromise®
- Definition
- Powerful Security Alert Noise Reduction
- The Anatomy of a DoC
- Threat Coverage
- Custom DoCs
- Viewing the DoCs in the Hunt and Investigation Console
- How to Identify DoCs Using a SIEM Query
- DoC Interface Overview
- Impacted Assets
- Investigation Routines for DoC
- Declaration of Compromise®
- Analyzing Violations
- Analytics
- Beaconing
- Sightings
- Detection Methods
- Newly Registered Domains (NRD)
- SMB Insights
- Anatomy of a detection event
- Application layer
- Flow_id
- Flow section
- Metadata section (flowbits)
- Method information
- FQDN breakdown for HTTP, TLS and DNS
- Tagging and Classification
- SMTP Enrichment
- Source and Target
- Organisational Context
- MAC address
- FQDN additions
- Discovery info
- GeoIP
- TLS Cipher analytics
- TLS JA4
- TLS ALPN
- DCERPC function name mappings
- Number of transactions in a flow
- SSH hassh, client and server software
- UUID per event
- Additional resources
- Encryption
- Introduction / Setup
- Logs and detection
- Logs
- Detection
- NRD
- SIGHTINGS
- DNS over HTTPS (DoH)
- TOR detection
- HTTPS/TLS File Sharing Services
- Red-Listed Malicious TLS Communication
- Malicious TLS Communication Categories
- Cipher analytics
- JA4
- ALPN
- Available Dashboards and Visualizations
- Encryption Services Running on Hosts
- HTTPS Proxy
- Encrypted Transfers
- Suspicious Transfers
- Exfiltration
- Machine Learning-Enabled TLS Beaconing Detection
- Decryption
- Evidence
- Hunting
- Hunting Filters
- Default hunting filters
- Proactive Threat Hunting
- Introduction to Guided Threat Hunting Filter Sets
- User Defined Filters
- IP Filter
- ES Filters
- Specific Filters
- Creating Filter Sets
- Complete List of Predefined Hunting Filter Sets
- Adware Filter Sets (1)
- Anomaly Filter Sets (6)
- Compliance Filter Sets (1)
- Hunt Filter Sets (86)
- Info Filter Sets (6)
- MITRE Filter Sets (7)
- Phishing Filter Sets (2)
- Policy Filter Sets (20)
- Roles Filter Sets (4)
- Services Filter Sets (7)
- Trojan Filter Sets (1)
- SCADA / OT / IoT Filter Sets (6)
- Investigate Filter Sets (10)
- After the Initial Hunt
- Kibana Dashboards
- Dashboards and Visualizations Reference
- Dashboard: SN-ALERTS
- Dashboard: SN-ALERTS-CVE
- Dashboard: SN-ALERTS-EXE-HUNT-1
- Dashboard: SN-ALERTS-PHISHING
- Dashboard: SN-ALL
- Dashboard: SN-ANOMALY
- Dashboard: SN-BEACONING-TLS
- Dashboard: SN-DCERPC
- Dashboard: SN-DHCP
- Dashboard: SN-DNP3
- Dashboard: SN-DNS
- Dashboard: SN-DNS-HUNT-Tunnel
- Dashboard: SN-FILE-Transactions
- Dashboard: SN-FLOW
- Dashboard: SN-FLOW-DCERPC
- Dashboard: SN-FLOW-DHCP
- Dashboard: SN-FLOW-DNP3
- Dashboard: SN-FLOW-DNS
- Dashboard: SN-FLOW-ENIP
- Dashboard: SN-FLOW-FTP
- Dashboard: SN-FLOW-FTP-DATA
- Dashboard: SN-FLOW-HTTP
- Dashboard: SN-FLOW-HTTP2
- Dashboard: SN-FLOW-HUNT-DNS-EXFIL
- Dashboard: SN-FLOW-HUNT-ICMP-Possible-EXFIL
- Dashboard: SN-FLOW-IKE
- Dashboard: SN-FLOW-KRB5
- Dashboard: SN-FLOW-MODBUS
- Dashboard: SN-FLOW-MQTT
- Dashboard: SN-FLOW-NFS
- Dashboard: SN-FLOW-NTP
- Dashboard: SN-FLOW-RFB
- Dashboard: SN-FLOW-SIEMENS-S7
- Dashboard: SN-FLOW-SIP
- Dashboard: SN-FLOW-SIZE
- Dashboard: SN-FLOW-SMB
- Dashboard: SN-FLOW-SMTP
- Dashboard: SN-FLOW-SNMP
- Dashboard: SN-FLOW-SSH
- Dashboard: SN-FLOW-TCP
- Dashboard: SN-FLOW-TELNET
- Dashboard: SN-FLOW-TFTP
- Dashboard: SN-FLOW-TLS
- Dashboard: SN-FLOW-UDP
- Dashboard: SN-HTTP
- Dashboard: SN-HTTP-HUNT
- Dashboard: SN-HUNT-1
- Dashboard: SN-IDS
- Dashboard: SN-IKEv2
- Dashboard: SN-IoC-Search
- Dashboard: SN-KRB5
- Dashboard: SN-MQTT
- Dashboard: SN-Network-Overview
- Dashboard: SN-Network-Overview-1
- Dashboard: SN-Network-Overview-2
- Dashboard: SN-NFS
- Dashboard: SN-OVERVIEW
- Dashboard: SN-POLICY-OLD-TLS
- Dashboard: SN-POLICY-Violations
- Dashboard: SN-POSTPROC-Stats
- Dashboard: SN-Proxy
- Dashboard: SN-RDP
- Dashboard: SN-RFB
- Dashboard: SN-SIGHTINGS
- Dashboard: SN-SIGNATURE-Performance
- Dashboard: SN-SIP
- Dashboard: SN-SMB
- Dashboard: SN-SMB-DCERPC-Lateral-1
- Dashboard: SN-SMB_INSIGHTS
- Dashboard: SN-SMTP
- Dashboard: SN-SNMP
- Dashboard: SN-SSH
- Dashboard: SN-STAMUS
- Dashboard: SN-STATS
- Dashboard: SN-TFTP
- Dashboard: SN-TLS
- Dashboard: SN-TrafficID
- Dashboard: SN-VLAN
- Administration
- Overview
- Authentication
- Clear NDR® Central Server settings
- Capture Settings
- Network Security Monitoring Settings
- Change NSM settings for a probe
- Enable or disable protocols for a probe
- Common settings for protocols
- Add custom or extended HTTP information
- Add custom or extended SMTP information
- Add custom DNS information
- Add packet data or payload to the alerts information
- File handling capabilities
- Enable or disable file extraction for a probe
- Add Hashsum, file magic or mimetype information
- Rule Activity for a probe
- Declarations of Compromise®
- Declarations of Policy Violation®
- Events Filtering
- File Extraction
- Conditional PCAP logging
- Global Configuration
- Network Definitions
- Probe Registration
- Probe Templates
- Stamus Loggers
- Run Your Own Defense (RYOD)
- Sources & Rulesets
- Suricata Sensors
- Threat Intelligence
- Integrations
- Architectures
- Maintenance
- Licensing
- Preparing the Installation
- Installing Clear NDR® Central Server
- Installing the Manager and the Network Probe
- Installing the Manager and the Network Probe using the OVF virtual images
- Installing the license
- Registering a Network Probe
- Management IP address
- Adding public sources (optional)
- Adding a Ruleset
- Attach the Ruleset to the Network Probe
- Update the ruleset
- Stamus Network Appliances
- USB Installation
- Backup & Restore
- Systems Upgrade
- Troubleshooting
- Monitoring
- Stamus Support
- Security Upgrade Policy
- Developer Corner
- Community
