“The world is full of obvious things which nobody by any chance ever observes.”
In the preceding chapter, we laid out the basic foundations of creating queries for reports based on the data available. Most of the query ideas presented were limited, based on looking for specific indicators and previously known activity. Additionally, most of the queries were based on looking at events in a single data source, or events related to the activity of a single host. Certainly, using known indicators, or finding indicators in your data to create new reports, goes a long way. However, you can dig a little deeper by applying more sophisticated analysis to your event data to uncover indicators and additional patterns that are not evident through basic searching. Statistics provide tools and methods for sorting through your security event data in ways that are less obvious than matching an event to a single, static indicator. They also help to find the outliers and the commonalities in the data, both of which can yield valuable information.
In this chapter, we’ll cover:
More false positive elimination strategies
How to identify and filter common traffic
How to detect anomalous traffic
How to pair statistical formulae with security event data to discover incidents
It probably comes as no surprise that there is no specific, objective “dividing line” between what makes a query basic or more advanced. It doesn’t matter either ...