Defensive Report Blue Team: Summary of Operations Table of Contents Network Topology Description of Targets Monitoring the Targets Patterns of Traffic & Behavior Suggestions for Going Further Network Topology The following machines were identified on the network: Elk Operating System : Linux, Ubuntu Purpose :SIEM IP Address : 192.168.1.100 Capstone Operating System : Linux, Ubuntu Purpose : Vulnerable machine used to test alerts IP Address : 192.168.1.105 Kali Operating System : Linux, Kali Purpose : Standard kali install used to attack other machines IP Address : 192.168.1.90 Target1 Operating System : Linux, Debian Purpose : Exposes vulnerable WordPress Server that sends logs to ELK IP Address : 192.168.1.110 Target2 Operating System : Linux, Debian Purpose : A more difficult WordPress target. Server that sends logs to ELK IP Address : 192.168.1.115 Description of Targets The target of this attack was: Target 1 |192.168.1.110 . Target 1 is an Apache web server and has SSH enabled, so ports 80 and 22 are possible ports of entry for attackers. As such, the following alerts have been implemented: Monitoring the Targets Traffic to these services should be carefully monitored. To this end, we have implemented the alerts below: HTTP Request Size Monitor Alert 1 is implemented as follows: Metric : http.request.bytes Threshold : 3500 Vulnerability Mitigated : Denial of Service Reliability : This alert generates some false positives because when the site is very busy it will alert, however using this allert will be able to deterime when it is time for an upgrade to allow for more traffic. Excessive HTTP Errors Alert 2 is implemented as follows: Metric : http.response.status_code Threshold : 400 Vulnerability Mitigated : Denial of Service Reliability : This alert does not generate as many false positives because it is looking for when the site replys to a user with an error. CPU Usage Monitor Alert 3 is implemented as follows: Metric : system.process.cpu.total.pct Threshold : 0.5 Vulnerability Mitigated : Denial of Service Reliability : This alert generates some false positives because on more busy days this alert will pick up that the system is being used more.