Using Zeppelin to Analyze Data

Zeppelin enables you to analyze the enriched telemetry information Metron archives in HDFS.

  1. Bro produces data about a number of different network protocols. View which types of protocols exist in the data.
  2. View when Bro telemetry information was received.
    You can check for any odd gaps and fluctuating periods of high and low activity.

    Bro Telemetry Received

  3. List the most active Bro hosts.

    Most Active Hosts

  4. List any DNS servers running on non-standard ports.

    DNS Servers

  5. List any mime types that could be concerning.

    Mime Types

  6. Explode the HTTP records.
    Each HTTP record can contain multiple mime types. These need to be 'exploded' to work with them properly.

    Exploded HTTP Records

  7. Determine where application/x-dosexec originated.

    Suspicious x-dosexec

  8. Take a look at the requests for x-dosexec.

    x-dosexec Requests

  9. Determine when the interactions with the suspicious host are occurring.

    When Interactions Occur

  10. Create an IP report in Zeppelin using the Metron IP Report notebook.
    For a given IP address, this notebook produces a report of:
    • Most frequent connections (Yaf, defaults to 24 hours)
    • Recent connections (Yaf, defaults to 1 hour)
    • Top DNS queries (Bro, defaults to 24 hours)
    • All ports used (Yaf, defaults to 24 hours)
    • HTTP user agents (Bro, defaults to 24 hours)
  11. Create a traffic connection request report using the Connection Volume Report notebook.
    This notebook lets the user get connection counts filtered by a CIDR block. This notebook can be used for Bro, Yaf, and Snort.
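As an added example (not code from the Metron project or its Zeppelin notebooks), the filter and explode steps above (DNS on non-standard ports, mime type counts, exploding HTTP records, and finding where application/x-dosexec originated) expressed in plain Python over a few constructed Bro-style JSON records. Field names are assumed to follow Metron's Bro parser (ip_src_addr, ip_dst_addr, ip_dst_port, resp_mime_types); in a real notebook the same logic runs as Spark SQL over the HDFS archive.

```python
import json
from collections import Counter

# Constructed sample of Metron-enriched Bro records as they would be archived in
# HDFS (one JSON object per line). Field names are assumed to follow Metron's Bro
# parser (ip_src_addr, ip_dst_addr, ip_dst_port, resp_mime_types); values are made up.
SAMPLE_LINES = """
{"protocol":"http","ip_src_addr":"10.0.0.5","ip_dst_addr":"203.0.113.9","host":"files.example","uri":"/setup.exe","resp_mime_types":["application/x-dosexec"]}
{"protocol":"http","ip_src_addr":"10.0.0.7","ip_dst_addr":"203.0.113.9","host":"files.example","uri":"/dl","resp_mime_types":["text/html","application/x-dosexec"]}
{"protocol":"http","ip_src_addr":"10.0.0.5","ip_dst_addr":"198.51.100.2","host":"www.example","uri":"/","resp_mime_types":["text/html"]}
{"protocol":"http","ip_src_addr":"10.0.0.9","ip_dst_addr":"198.51.100.2","host":"www.example","uri":"/ping","resp_mime_types":null}
{"protocol":"dns","ip_src_addr":"10.0.0.5","ip_dst_addr":"10.0.0.53","ip_dst_port":53,"query":"www.example"}
{"protocol":"dns","ip_src_addr":"10.0.0.7","ip_dst_addr":"203.0.113.9","ip_dst_port":5353,"query":"files.example"}
"""

def load_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def explode_http(records):
    """Step 6: one (record, mime) row per entry of resp_mime_types.
    Bro stores resp_mime_types as a list (or null when no body was seen), so a
    record with two mime types yields two rows and a null one yields none."""
    return [(rec, mime) for rec in records if rec.get("protocol") == "http"
            for mime in (rec.get("resp_mime_types") or [])]

def mime_type_counts(records):
    """Step 5: how often each mime type appears across the exploded HTTP rows."""
    return Counter(mime for _, mime in explode_http(records))

def origins_of_mime(records, mime="application/x-dosexec"):
    """Step 7: which servers (Host header, else destination IP) delivered `mime`."""
    return Counter(rec.get("host") or rec["ip_dst_addr"]
                   for rec, m in explode_http(records) if m == mime)

def dns_on_nonstandard_ports(records):
    """Step 4: DNS responders that were contacted on a port other than 53."""
    return sorted({(rec["ip_dst_addr"], rec["ip_dst_port"]) for rec in records
                   if rec.get("protocol") == "dns" and rec.get("ip_dst_port") != 53})

if __name__ == "__main__":
    recs = load_records(SAMPLE_LINES)
    print(mime_type_counts(recs))
    print(origins_of_mime(recs))
    print(dns_on_nonstandard_ports(recs))
```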

Through this brief analysis we uncovered something that looks suspicious. So far we have leveraged only the geo-enriched Bro telemetry. From here, we can start to explore other sources of telemetry to better understand the scope and overall exposure. Continue to investigate our suspicions with the other sources of telemetry available in Metron:
  • Try loading the Snort data and see if any alerts were triggered.

  • Load the flow telemetry and see what other internal assets have been exposed to this suspicious actor.

  • If an internal asset has been compromised, investigate the compromised asset's activity to uncover signs of internal reconnaissance or lateral movement.