Netflow Playbook

[mroarkpmp]

I'm running 2.3.250. I'm new to SO, and have been watching videos and reading like crazy. I have a few of my sites sending Netflow data in and it comes up just fine on the dashboard and I can drill down with hunt. My goal is to start using alerts to look for Netflow based IOCs. I've tried a million sigma entries and can't seem to get a Netflow based alert to populate. Can anyone point to existing documentation of it in a working environment? I saw someone reference using a custom sofilter statement, but I wasn't able to find the example or syntax. Thank you in advance for any suggestions!

[cm-ops]

Have you checked out the documentation on sofilter? - https://docs.securityonion.net/en/2.3/playbook.html?highlight=sofilter#tuning-plays

[mroarkpmp]

Thank you for this. I've tried to find netflow queries with Sigma and how to use the sofilter with YAML filtering below it. I've tried numerous possibilities, and have been unsuccessful. I'm at CiscoLive in Las Vegas right now and walking around to anyone and everyone talking about Network Automation and no one that I've talked to has ever heard of Sigma, nor has anyone heard how to write YAML queries for netflow. I've tried to modify this https://github.com/robcowart/elastiflow/blob/master/logstash/elastiflow/definitions/netflow.yml but have been unsuccessful. Hoping that someone has just one example to query the netflow data that correctly shows in the dashboard and hunt. Thanks!

[InfosecGoon]

Can you give us an example of a query or Netflow record in your environment? We should be able to work from that to figure out some rule syntax.

[LNHAVENE]

Hi mroarkmp, did you get a solution for this issue? I need to create a playbook to use net flow logs to detect IPs on my network that are communicating with C2 servers.