This time, Arcadia wants to query their Suricata IDS table to look for relevant threats that are not trojans. Then, they want to geographically represent these threats in a map. Let’s go!
- Open the ids.suricata.fast data table.
- We already know that we do not want to focus on trojans, so we could use a negative
weakhasover the signature field. - This might not get rid of all entries containing trojan information on other fields different than signature. Can you devise additional ways of getting rid of trojan-related events?
- Let’s continue by enriching with new fields for latitude and longitude using the src_ip field as the argument.
- Now group every 30 minute by these new fields.
- Remember to filter after enriching too.
- Then group every 30 minutes by the new geolocation fields.
- Aggregate the data with a
countoperation.
A query representing the previous steps would look like this one:
from ids.suricata.fast
where not weakhas(signature,"trojan")
select mm2latitude(src_ip) as latitude,
mm2longitude(src_ip) as longitude
where isnotnull(latitude),
isnotnull(longitude)
group every 30m by latitude, longitude
select count() as count
- Now set the query as the data source of a heatmap widget. Save the changes.
- Open the properties panel of the widget and enter the visual tab.
- Set the zoom level to 4.
