Data. Network side

| Type of event | Description | Tools/utilities that can be used |
|---|---|---|
| Metadata of all downloaded files | Hash, size, name, MIME type, source URL, referrer, user-agent used for downloading. Checking hashes against TI feeds | Bro; Suricata; Proxy/NGFW logs |
| Metadata of email headers / SMTP metadata | To, From, Subject, Received headers, size, MTA used, reception time, presence of an attachment | Email server logs; Bro |
| Metadata of email attachments | MD5 hash, size, name, MIME type, link to the corresponding email metadata | Bro; Homemade scripts |
| URLs from email bodies | Checking against threat intelligence feeds. Tracking emails with links to file hosting services | Bro; Homemade scripts |
| Netflow | Can be used to detect data exfiltration, worm malware activity, lateral movement and port scanning; checking remote IP addresses against TI feeds | nfcapd, nfdump; … |
| Outgoing HTTP/HTTPS | Detection of communications with C2 and data exfiltration; checking visited URLs against TI feeds | Proxy/NGFW logs; Bro |
| Outgoing DNS request metadata | Detection of DNS exfiltration and DNS tunneling. Checking requested hostnames against TI feeds | Bro; DNS server logs |
| Metadata of SMB / RPC | Detection of lateral movement, credential dumping (DCSync, remote reg save), internal recon… | Bro |
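The first row of the table (download metadata from Bro checked against a TI feed) as an added example, not code from the original slides: it parses constructed Bro/Zeek-style `files.log` and `http.log` excerpts (a subset of the real field set, tab-separated with a `#fields` header as in real logs), joins them on the connection uid to recover source URL, referrer and user-agent, and reports files whose MD5 is on a constructed TI list. The log contents, hostnames and hashes are all placeholders.

```python
"""Check hashes of downloaded files (Zeek files.log) against a TI feed, enriched from http.log."""
from typing import Dict, List

# Constructed sample logs: a subset of Zeek fields, tab-separated, "-" marks an unset field.
HTTP_LOG = """#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\turi\treferrer\tuser_agent\tresp_fuids
1700000000.1\tCabc1\t10.0.0.5\t203.0.113.9\tfiles.example.test\t/dl/inv.exe\thttp://mail.example.test/\tMozilla/5.0\tFxyz1
1700000001.2\tCabc2\t10.0.0.7\t198.51.100.4\tcdn.example.test\t/lib.js\t-\tMozilla/5.0\tFxyz2
"""
FILES_LOG = """#fields\tts\tfuid\tconn_uids\tmime_type\tfilename\tseen_bytes\tmd5
1700000000.1\tFxyz1\tCabc1\tapplication/x-dosexec\tinv.exe\t51200\t11111111111111111111111111111111
1700000001.2\tFxyz2\tCabc2\ttext/javascript\tlib.js\t2048\t22222222222222222222222222222222
"""
# Constructed TI feed: md5 -> label. Placeholder values, not real indicators.
TI_MD5 = {"11111111111111111111111111111111": "constructed-malicious-sample"}


def parse_zeek(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log into dicts using its #fields header; other # lines are skipped."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def match_downloads(files_log: str, http_log: str, ti: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one alert per downloaded file whose md5 is on the TI feed, with HTTP context attached."""
    http_by_uid = {r["uid"]: r for r in parse_zeek(http_log)}
    alerts: List[Dict[str, str]] = []
    for f in parse_zeek(files_log):
        label = ti.get(f.get("md5", ""))
        if not label:
            continue
        # conn_uids is a comma-separated set in Zeek; the first uid is enough to find the HTTP request.
        h = http_by_uid.get(f["conn_uids"].split(",")[0], {})
        alerts.append({
            "md5": f["md5"], "label": label, "filename": f["filename"],
            "mime_type": f["mime_type"], "size": f["seen_bytes"],
            "src_host": h.get("id.orig_h", "-"),
            "url": f"http://{h.get('host', '-')}{h.get('uri', '')}",
            "referrer": h.get("referrer", "-"), "user_agent": h.get("user_agent", "-"),
        })
    return alerts


if __name__ == "__main__":
    for alert in match_downloads(FILES_LOG, HTTP_LOG, TI_MD5):
        print(alert)
```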