offline:wrccdc_pcaps_results
Differences
offline:wrccdc_pcaps_results [2018/05/12 22:11] – [Viewing IDS Alerts] veera | offline:wrccdc_pcaps_results [2018/05/12 23:48] – [Retro Analysis - view advanced counters] veera
Line 10: | Line 10:
* Part 3: Screenshots & video of analysis paths (using TrisulNSM) | * Part 3: Screenshots & video of analysis paths (using TrisulNSM)
- | Now let's see some screenshots that will give you an idea of where to start. | + | Time to show and tell.
+ | ===== Video showing UI navigations =====
+ |
+ | Trisul has a ton of features, and it can be a bit daunting at first to know where to start, where to go next and so forth. A sample video made by one of our engineers shows the various places where you can start and gives you a feel for the capabilities.
+ |
+ | {{youtube>
===== Monitoring Techniques ===== | ===== Monitoring Techniques =====
Line 18: | Line 24:
==== Start from PCAP Summary Dashboard==== | ==== Start from PCAP Summary Dashboard====
+ |
+ | //Open with Dashboards > Show All > scroll down to the bottom and locate PCAP Summary//
+ |
+ | The best place to start is the PCAP summary. Wireshark users can think of it as a supercharged ''
+ |
==== Hosts Dashboard ==== | ==== Hosts Dashboard ====
+ |
+ | //Open with Dashboards > Hosts//
+ |
+ | The Hosts dashboard is a good top-level dashboard that gives you a baseline view of host activity. See which internal and external hosts are most active. By volume, by connections,
Line 29: | Line 44:
==== Get an overview of flow activity ==== | ==== Get an overview of flow activity ====
+ | //Open with Dashboards > Sessions//
+ |
+ | This is a favorite starting point. You can see the PCAP dump from a flow perspective,
==== Viewing IDS Alerts | ==== Viewing IDS Alerts
+ | Another great baseline place to start. Remember from Part 1 that, in addition to Trisul, we also run Suricata with ALL rules from the ET-Open ruleset. The alerts it generates give us a fairly good idea of the hygiene of the network. In this case, as you would expect, there are a ton of NMAP scans, a few ETERNALBLUE alerts and others. You can use the "
Line 39: | Line 58:
==== Retro Analysis - view advanced counters ==== | ==== Retro Analysis - view advanced counters ====
+ |
+ | //To open: Retro > Retro Counters//
+ |
+ | The retro analysis tools let you select an arbitrary timeframe in the past and then drill down into it. Since TrisulNSM is a streaming analytics tool, it can handle very large timeframes easily compared to search-based tools.
- | Here we are seeing | + | You have to select a time frame from the bandwidth chart and then select one of the 40+ "
Line 48: | Line 72:
- | Explore flows | + | ==== Explore flows ====
- | Trisul EDGE: Graph analytics discover relationships | + | ==== Trisul EDGE: Graph analytics discover relationships
==== File Extraction ==== | ==== File Extraction ====
Line 82: | Line 106:
- |
- | ===== Video showing UI navigations =====
- |
- | A sample video made by one of our engineers showing the analysis paths.
- |
- | Follow this link: https://
offline/wrccdc_pcaps_results.txt · Last modified: 2018/05/13 00:08 by veera