Issues with AI Playbook

[Zer0-cyber-web]

Version

2.4.160

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

32

Storage for /

500Gb

Storage for /nsm

16Tb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi!
On "Guided analysis" tab - there is a notice says "Some of these playbooks were generated by AI and it's possible that they may not be 100% accurate. Please let us know if you see any issues.".
So - where to I can send report on issue? Like this one, for example:

While:

where are you monitoring traffic?

I monitor entire LAN traffic from SPAN port. There are about 900 hosts and 30 servers. 2 DC controllers, which are DNS-servers for domain hosts.

are you monitoring a busy DNS server that perhaps might be sending queries to upstream DNS servers?

Not quite. As I mentioned above - there are 2 DC, which are DNS for domain hosts. And those DC are sending upstream requeset to our NGFW, which is blocking malicious DNS requests. But not all hosts are in domain, they send DNS request directly to NGFW, which forwards all request to upstream DNS servers.

So - DC in role of DNS are quite busy, yes. But that alert came from Suricate, which monitors content of traffic, not just DNS requests.

Issues as on first screenshot - are happening quite often. Can I do something to improve playbooks efficience?

I have more such questions, and can be a test-data supplier for improvements.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[defensivedepth]

Thanks for the feedback!

Instant Insight only shows the most recent 5 results - click the Hunt icon to pivot over to Hunt:

And you should see the offending DNS record:

We are looking at tightening these types of queries to be +/-5min instead of 15min to be a bit more accurate.

[Zer0-cyber-web]

Instant Insight only shows the most recent 5 results

I would suggest then to name this question accordingly. Now it sounds:
What was exact .work domain that was queried?

while probably should be:
"What are the most recent DNS queries that are relevant to this aralm" or something like that.

But sometimes it gives correct answer though.

What do you think?

[Zer0-cyber-web]

Instant Insight only shows the most recent 5 results

I would suggest then to name this question accordingly. Now it sounds:
What was exact .work domain that was queried?

while probably should be:
"What are the most recent DNS queries that are relevant to this aralm" or something like that.

But sometimes it gives correct answer though.

What do you think?