Number of events reported by BLAT is increasing-fireeye-wMPS

Vendor: fireeye

OS: wMPS

Description:
Indeni will alert if the number of events reported by BLAT is increasing.

Remediation Steps:
Users are advised to further investigate the BLAT events reported for any potential security attacks.

How does this work?
Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.

Why is this important?
BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts. It is important to monitor the number of events and alerts reported, to help further in the detection of any suspicious activity.

Without Indeni how would you find this?
An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.

fireeye-nx-show-blat-stats

name: fireeye-nx-show-blat-stats
description: Fetch blat statistics information
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: fireeye
    os.name: wMPS
    privileged-mode: 'true'
comments:
    fireeye-nx-blat-is-enabled:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is critical to monitor whether BLAT is enabled or not, to help in further examination of the BLAT metrics.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-packet-received:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of BLAT packets received, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-static-rules:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to keep track of the number of static rules, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-dynamic-rules:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of dynamic rules added to the file, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-static-bad-rules:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of static rules that have errors in them, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-dynamic-bad-rules:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of dynamic rules that have errors in them, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-events-reported:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of events and alerts reported, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-standby-events-reported:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of events reported on the standby unit, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-events-dropped:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of events dropped, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-inline-dropped:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of inline packets dropped, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-inactive-domain:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of inactive domains captured, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-blacklisted-ips:
        why: |
            BLAT statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of blacklisted IPs visited, to help further in the detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" CLI command to retrieve the BLAT information.
        without-indeni: |
            An administrator could log in and manually run the command via the CLI, or check the BLAT information via the GUI.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: show blat stats
    parse:
        type: AWK
        file: show-blat.parser.1.awk

FireEyeNxBlatEventsReportedRule

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package templatebased.fireeye.nx

import com.indeni.server.rules.library.templates.CounterIncreaseTemplateRule

/**
  * Template-based rule: raises an alert whenever the counter metric
  * "fireeye-nx-blat-events-reported" (collected by the
  * fireeye-nx-show-blat-stats command above) increases between samples.
  */

case class FireEyeNxBlatEventsReportedRule() extends CounterIncreaseTemplateRule(
  ruleName = "FireEyeNxBlatEventsReportedRule",
  ruleFriendlyName = "FireEye NX: Number of events reported by BLAT is increasing",
  ruleDescription = "Indeni will alert if the number of events reported by BLAT is increasing.",
  metricName = "fireeye-nx-blat-events-reported",
  applicableMetricTag = "name",
  alertDescription = "Number of events reported by BLAT is increasing.",
  alertRemediationSteps = "Users are advised to further investigate the BLAT events reported for any potential security attacks.",
  alertItemsHeader = "Details"
)()
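The collection step (SSH "show blat stats" parsed into the metric names declared in the YAML) and the counter-increase rule above, reproduced as a stand-alone example. This is added illustration, not Indeni's parser or rule code: the "show blat stats" output format is constructed here (the real layout lives in show-blat.parser.1.awk, which the page does not show), and the label-to-metric mapping and the reset handling are assumptions.

```python
import re

# Constructed sample output (assumed layout, not the real FireEye NX format).
SAMPLE_T0 = """\
BLAT enabled:            yes
Packets received:        18342
Static rules:            1200
Dynamic rules:           57
Static bad rules:        0
Dynamic bad rules:       2
Events reported:         14
Standby events reported: 0
Events dropped:          1
Inline dropped:          3
Inactive domains:        9
Blacklisted IPs visited: 4
"""
# Second sample, five minutes later: only the events-reported counter moved.
SAMPLE_T1 = SAMPLE_T0.replace("Events reported:         14", "Events reported:         21")

# Assumed mapping from output label to the metric names in the YAML above.
LABEL_TO_METRIC = {
    "blat enabled": "fireeye-nx-blat-is-enabled", "packets received": "fireeye-nx-blat-packet-received",
    "static rules": "fireeye-nx-blat-static-rules", "dynamic rules": "fireeye-nx-blat-dynamic-rules",
    "static bad rules": "fireeye-nx-blat-static-bad-rules", "dynamic bad rules": "fireeye-nx-blat-dynamic-bad-rules",
    "events reported": "fireeye-nx-blat-events-reported", "standby events reported": "fireeye-nx-blat-standby-events-reported",
    "events dropped": "fireeye-nx-blat-events-dropped", "inline dropped": "fireeye-nx-blat-inline-dropped",
    "inactive domains": "fireeye-nx-blat-inactive-domain", "blacklisted ips visited": "fireeye-nx-blat-blacklisted-ips",
}

def parse_blat_stats(text):
    """Turn one 'show blat stats' capture into {metric-name: value}; unknown lines are skipped."""
    metrics = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\S+)\s*$", line)
        if not m:
            continue
        metric = LABEL_TO_METRIC.get(m.group(1).lower())
        if metric is None:
            continue
        value = m.group(2)
        metrics[metric] = value.lower() == "yes" if metric.endswith("is-enabled") else int(value)
    return metrics

def check_counter_increase(previous, current, metric="fireeye-nx-blat-events-reported"):
    """Counter-increase rule: alert only when the counter grew between two samples.
    A decrease is treated as a counter reset (e.g. after a restart), not as an increase."""
    prev, cur = previous.get(metric), current.get(metric)
    if prev is None or cur is None:
        return {"alert": False, "reason": "metric missing from a sample"}
    if cur < prev:
        return {"alert": False, "reason": f"counter reset ({prev} -> {cur})"}
    if cur > prev:
        return {"alert": True, "reason": f"increased by {cur - prev} ({prev} -> {cur})"}
    return {"alert": False, "reason": "unchanged"}
```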