How To Create Modules


Overview

Modules let us examine an event from several angles. A Module is triggered from a Workbook, according to the logic set in that Workbook's query; when it runs, it helps us visualise threat-related data, such as the type of attack that occurred, and pulls in the intel relevant to that attack.

For example, if there is a “Brute Force” attack on the login screen of a client’s website, we can pull out the relevant information about that attack, such as “Source IP Address”, “Event Name”, “Type of Attack”, “Source Country” and any other details needed.

Now, let’s create a module in our DNIF Console.

Procedure

Getting to the ‘Module’ section

Click on the “Management” tab in the top left corner of the console, as shown in the screenshot below:

[Screenshot: Select MANAGEMENT menu]

You’ll now see a drop-down sub-menu. Click on the option named “Repository”.

[Screenshot: Select REPOSITORY sub-menu]

You are now ready to create your first Module.

[Screenshot: Create MODULES to label varied security threats]

Creating a module

Let’s create our first Module by clicking on the ‘+’ button in the top right-hand corner. From the drop-down menu, select the option named “Module”, as shown in the screenshot below:

[Screenshot: Click on the plus icon]

You should now be greeted with the “New Module” template.

[Screenshot: Fill in the required fields in the NEW MODULE section]

You now have to fill in the fields in the visible sections of this form, namely:

Name

Enter any name or identifier by which you would like to identify this module. For now, let’s name it “Sample Module”.

Slug

The value of this field is generated automatically from the text you enter in the “Name” field. It acts as a label that uniquely identifies the module.

Pivot Data

This field takes a field name in the $Field form, e.g. $Field1. In our example we use $DstIP, i.e. the destination IP address. This is the field the module pivots on: the sub-information the module shows is resolved in the context of the value that the triggering Workbook query produced for this field.

Status

Choose between “active” and “inactive” to enable or disable the module as required. The module is set to “active” by default.

Description

In this section, enter text that summarises the module and its purpose. For our example, we have filled the description with “Web Scan Detected”.

Reference

In this section, enter text that lets you identify this module at a glance in the repository view. In our example, we have entered “Web Application Firewall Log”.

Tags

In this section, we have the option to enter tags or keywords to make the module easy to categorise. In our example we have entered “DstIP”.

Event Type

This field lets us select the event type(s) on which this module should be triggered, so that it appears only in the context where it is relevant.

Saving the Module

Once you’ve filled in these fields, you should see something like this:

[Screenshot: Click on SAVE]

You can either click on the “Save” button at the bottom of the page, as shown in the screenshot above, or click on the “Add Context Menu” button to continue building your module.

Let’s explore the “Add Context Menu” a little more.

Adding a Context Menu

The Context Menu allows you to narrow down further the sub-information that your module shows, by attaching one or more named queries to it.

When you click on “Add Context Menu”, you should see something like this:

[Screenshot: Add further context to your data for deeper insights]

Add an identifier for your query context in “Name”. The actual query is typed into “Query”. For our example, we want to see the count of unique source IPs that have hit the connected web servers within the last 6 hours, a first indicator of scanning. Note that the query below does not itself filter for malicious requests: it counts every source IP present in the WEBSERVER logs for that window, so a tighter context would add a condition (for example on the response status or the requested URI) before counting.

  • Name: Web Scan

  • Query:

       _fetch * from event where $Duration=6h AND $LogType=WEBSERVER group count_unique $SrcIP limit 10
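To make concrete what that context-menu query computes, and where the module's $DstIP pivot enters, here is an added Python illustration. It is not DNIF code and not part of the original page: it replays the semantics of `_fetch ... where $Duration=6h AND $LogType=WEBSERVER group count_unique $SrcIP limit 10` over a handful of constructed web-server events. The field names mirror the DNIF fields used on this page ($LogType, $SrcIP, $DstIP); the event records, their timestamps and the reference time are constructed sample data, and the pivot handling is an assumption about how the clicked $DstIP value narrows the context.

```python
"""Added illustration (not DNIF code) of what the "Web Scan" context query
computes.  Replays, over constructed sample events, the semantics of

    _fetch * from event where $Duration=6h AND $LogType=WEBSERVER
        group count_unique $SrcIP limit 10

and shows where the module's Pivot Data value ($DstIP) narrows the result.
All events, timestamps and NOW below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Reference point for the "$Duration=6h" window (constructed).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _ago(hours):
    return NOW - timedelta(hours=hours)


# Constructed sample events.  Two are deliberately out of scope:
# one is older than 6h, one comes from a non-WEBSERVER log source.
EVENTS = [
    {"time": _ago(0.5), "LogType": "WEBSERVER", "SrcIP": "203.0.113.10", "DstIP": "198.51.100.5"},
    {"time": _ago(1.0), "LogType": "WEBSERVER", "SrcIP": "203.0.113.11", "DstIP": "198.51.100.5"},
    {"time": _ago(2.0), "LogType": "WEBSERVER", "SrcIP": "203.0.113.10", "DstIP": "198.51.100.5"},  # repeat source
    {"time": _ago(3.0), "LogType": "WEBSERVER", "SrcIP": "203.0.113.12", "DstIP": "198.51.100.6"},
    {"time": _ago(8.0), "LogType": "WEBSERVER", "SrcIP": "203.0.113.13", "DstIP": "198.51.100.5"},  # outside 6h
    {"time": _ago(1.0), "LogType": "FIREWALL",  "SrcIP": "203.0.113.14", "DstIP": "198.51.100.5"},  # wrong LogType
]


def fetch(events, duration, log_type, pivot=None, now=NOW):
    """The `_fetch ... where $Duration=... AND $LogType=...` part.

    `pivot` is an optional {field: value} standing in for the module's
    Pivot Data ($DstIP here): the value of the row the analyst clicked.
    (Assumed behaviour, used only to show what pivoting changes.)
    """
    since = now - duration
    selected = []
    for e in events:
        if e["time"] < since or e["LogType"] != log_type:
            continue
        if pivot and any(e.get(k) != v for k, v in pivot.items()):
            continue
        selected.append(e)
    return selected


def count_unique(events, field):
    """`group count_unique $Field`: number of distinct values of the field."""
    return len({e[field] for e in events})


def count_unique_by(events, by_field, unique_field, limit=10):
    """`group count_unique` broken down per value of `by_field`; `limit`
    keeps the top rows after sorting by count (highest first, then value)."""
    buckets = defaultdict(set)
    for e in events:
        buckets[e[by_field]].add(e[unique_field])
    rows = sorted(((k, len(v)) for k, v in buckets.items()),
                  key=lambda kv: (-kv[1], kv[0]))
    return rows[:limit]


def in_scope(events):
    """Events the page's query would scan: WEBSERVER logs from the last 6h."""
    return fetch(events, timedelta(hours=6), "WEBSERVER")


def web_scan_context(events, pivot_dst_ip=None):
    """Unique source IPs seen in WEBSERVER logs in the last 6 hours,
    optionally narrowed to the web server ($DstIP) the analyst pivoted on.

    Exactly like the DQL on the page, nothing here filters for *malicious*
    traffic: the count covers every web-server event in the window.
    """
    pivot = {"DstIP": pivot_dst_ip} if pivot_dst_ip else None
    return count_unique(fetch(events, timedelta(hours=6), "WEBSERVER", pivot), "SrcIP")


def web_scan_targets(events, limit=10):
    """Per-destination variant: unique sources per web server, top `limit`."""
    return count_unique_by(in_scope(events), "DstIP", "SrcIP", limit)


if __name__ == "__main__":
    print("all web servers, 6h:", web_scan_context(EVENTS))
    print("pivoted on DstIP 198.51.100.5:", web_scan_context(EVENTS, "198.51.100.5"))
    print("unique sources per destination:", web_scan_targets(EVENTS))
```

Running it shows the two exclusions the query's `where` clause performs (the 8-hour-old event and the FIREWALL event are dropped), that the repeat source is counted once, and how pivoting on a single $DstIP reduces the context from three unique sources to two. The per-destination variant is where `limit 10` actually matters; for the single aggregate on the page it has no effect.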

With all the fields filled in, the screen should look like this:

[Screenshot: When all the fields are filled in]

Go ahead and hit the “Save” button.

And just like that, we have successfully created a Module!