How To Create Modules
Modules let us pivot from a single event into related context across multiple attack vectors. A module is triggered from a Workbook according to the logic set in that workbook's query; when it runs, it helps us visualize threat-related data such as the type of attack observed, and the module that fires in turn points us to the relevant intel.
For example, if there is a brute-force attack on the login screen of a client's website, we can pull out the relevant information about that attack, such as “Source IP Address”, “Event Name”, “Type of Attack”, “Source Country” and other details as needed.
Now, let’s create a module in our DNIF Console.
Getting to the ‘Module’ section
Click on the “Management” tab, which you’ll find on the top left corner of the console, as shown in the screenshot below:
You’ll now see a sub-menu, i.e. a drop-down. Click on the option named “Repository”.
You are now ready to create your first Module.
Creating a module
Let’s create our first Module by clicking on the ‘+’ button at the top right-hand corner. From the drop-down menu, select the option named “Module”, as shown in the screenshot below:
You should now be greeted with the “New Module” Template.
You now have to fill in the details in the visible sections of this form, namely:
Enter any name or identifier by which you would like to identify this module. For now, let’s name it “Sample Module”.
The value for this field is generated automatically as you type in the “Name” field. It acts as a label that uniquely identifies the module within the repository.
This field takes a parameter name of the form $Field1. In our example we use $DstIP, i.e. the Destination IP Address. The module receives this field’s value from the workbook query that triggers it, and the sub-information the module shows is presented in the context of that value.
Choose between “active” and “inactive” to enable or disable the module as the use case requires. The module is set to “active” by default.
In this section, enter text that summarizes the module and its purpose. For our example, we have filled the description with “Web Scan Detected”.
In this section, enter text that identifies this module at a glance in the repository view. In our example, we have entered “Web Application Firewall Log”.
In this section, we have the option to enter tags or keywords for easy categorization of the module. In our example we have entered “DstIP”.
Here you select the fields that are responsible for triggering this module contextually, i.e. the module becomes available from the context of events that carry those fields.
Saving the Module
Once you’ve filled in these fields, you should see something like this:
You can either click on the “Save” button at the bottom of the page, as shown in the screenshot above, or click on “Add Context Menu” to continue building your module.
Let’s explore the “Add Context Menu” a little more.
Adding a Context Menu
The Context Menu allows you to further narrow down the sub-information that your module shows, by attaching a named query that runs in the context of the triggering event.
When you click on “Add Context Menu”, you should see something like this:
Add an identifier for your query context in “Name”. The actual query goes into “Query”. For our example, we want the unique count of source IPs that have sent malicious requests to the connected web servers within the last 6 hours, restricted to web server logs and capped at 10 results:
Name: Web Scan
_fetch * from event where $Duration=6h AND $LogType=WEBSERVER group count_unique $SrcIP limit 10
With all fields filled in, the screen should look like this:
Go ahead and hit the “Save” button.
And just like that, we have successfully created a Module!
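To make the context query's behaviour concrete, here is an added Python example that is not part of the DNIF product or this page: it emulates the clauses of the query above ($Duration=6h, $LogType=WEBSERVER, group count_unique $SrcIP, limit 10) over a handful of constructed web server and firewall events, so you can check what the Context Menu should return before wiring it into a module. The sample events, the fixed "current time", the s/m/h/d duration shorthand and the run_module helper (which additionally scopes the result to the $DstIP the module parameter carries) are all assumptions made for the example; the page's own query does not filter on $DstIP.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed "current time" so the 6h window is deterministic (not real data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, log_type, src, dst, event_name):
    """Build one constructed event using the $SrcIP/$DstIP/$LogType field names."""
    return {
        "Timestamp": NOW - timedelta(minutes=minutes_ago),
        "LogType": log_type,
        "SrcIP": src,
        "DstIP": dst,
        "EventName": event_name,
    }


# Constructed sample events (RFC 5737 documentation addresses, not real traffic).
SAMPLE_EVENTS = [
    _ev(5,   "WEBSERVER", "203.0.113.10", "198.51.100.5", "Web Scan Detected"),
    _ev(30,  "WEBSERVER", "203.0.113.10", "198.51.100.5", "Web Scan Detected"),
    _ev(90,  "WEBSERVER", "203.0.113.22", "198.51.100.5", "SQLi Attempt"),
    _ev(200, "WEBSERVER", "203.0.113.37", "198.51.100.9", "Web Scan Detected"),
    _ev(10,  "FIREWALL",  "203.0.113.99", "198.51.100.5", "Deny"),               # wrong $LogType
    _ev(500, "WEBSERVER", "203.0.113.44", "198.51.100.5", "Web Scan Detected"),  # older than 6h
]


def parse_duration(text):
    """'6h' -> timedelta(hours=6). Assumed shorthand: s, m, h, d suffixes."""
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[text[-1]]: int(text[:-1])})


def context_query(events, duration="6h", log_type="WEBSERVER", limit=10, now=NOW):
    """Emulate:
        _fetch * from event where $Duration=6h AND $LogType=WEBSERVER
            group count_unique $SrcIP limit 10
    Returns the number of distinct source IPs in the window and the busiest
    ones (at most `limit`), which is this example's reading of the group clause.
    """
    since = now - parse_duration(duration)
    window = [
        e for e in events
        if e["LogType"] == log_type and since <= e["Timestamp"] <= now
    ]
    per_src = Counter(e["SrcIP"] for e in window)
    return {"unique_srcip": len(per_src), "top": per_src.most_common(limit)}


def run_module(events, dst_ip, **kwargs):
    """Assumed module behaviour: scope the context query to the $DstIP value the
    triggering workbook row supplied, so the analyst sees only senders that hit
    that destination. This scoping is an assumption, not something the page states."""
    scoped = [e for e in events if e["DstIP"] == dst_ip]
    return context_query(scoped, **kwargs)


if __name__ == "__main__":
    print("all webservers:", context_query(SAMPLE_EVENTS))
    print("scoped to 198.51.100.5:", run_module(SAMPLE_EVENTS, "198.51.100.5"))
```

Running it shows the two rows a Context Menu author most often gets wrong: the FIREWALL event is dropped by the $LogType filter even though it is recent, and the 500-minute-old WEBSERVER event is dropped by the 6h window, leaving three distinct source IPs overall and two once the result is scoped to the destination the module parameter names.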