{

"update_check_enabled": true,

"threat_intel": {

// Configuration for custom threat intel feeds

// Allowed format for the contents of both online feeds and custom file feeds is one IP or domain per line

// Online feeds must be valid URLs

"online_feeds": [

"https://feodotracker.abuse.ch/downloads/ipblocklist.txt"

]

},

"filtering": {

# These are filters that affect the import of connection logs. They

# currently do not apply to dns logs.

# A good reference for networks you may wish to consider is RFC 5735.

# https://tools.ietf.org/html/rfc5735#section-4

// internal_subnets identifies the internal network, which will result

// in any internal to internal and external to external connections being

// filtered out at import time. Reasonable defaults are provided below,

// but need to be manually verified before enabling.

"internal_subnets": [

"10.0.0.0/8",

"172.16.0.0/12",

"192.168.0.0/16",

"fd00::/8"

], # Private-Use Networks RFC 1918 and ULA prefix

// always_included_subnets overrides the never_included_* and internal_subnets section,

// making sure that any connection records containing addresses from these arrays are kept and not filtered

// Note: the IP address of a proxy must be included here if the proxy is internal

"always_included_subnets": [

], // array of CIDRs

"always_included_domains": [

], // array of FQDNs

// connections involving ranges entered into never_included_subnets are filtered out at import time

"never_included_subnets": [

], // array of CIDRs

"never_included_domains": [

], // array of FQDNs

"filter_external_to_internal": true // ignores any entries where communication is occurring from an external host to an internal host

},

"scoring": {

"beacon": {

// The default minimum number of unique connections used for beacons analysis.

// Any two hosts connecting fewer than this number will not be analyzed. You can

// safely increase this value to improve performance if you are not concerned

// about slow beacons.

"unique_connection_threshold": 4, // min number of unique connections to qualify as beacon

// The score is currently comprised of a weighted average of 4 subscores.

// While we recommend the default setting of 0.25 for each weight,

// these weights can be altered here according to your needs.

// The sum of all the floating point weights must be equal to 1.

"timestamp_score_weight": 0.25,

"datasize_score_weight": 0.25,

"duration_score_weight": 0.25,

"histogram_score_weight": 0.25,

// The number of hours seen in a connection graph representation of a beacon must

// be greater than this threshold for an overall duration score to be calculated.

// Default value: 6

"duration_min_hours_seen": 6,

// This is the minimum number of hours seen in a connection graph representation

// of a beacon for the consistency subscore of duration to score at 100%

// Default value: 12 (half the day)

"duration_consistency_ideal_hours_seen": 12,

// The histogram score has a subscore that attempts to detect multiple

// flat sections in a connection graph representation of a beacon. The

// variable below controls the bucket size for grouping connections.

// This is expressed as a percentage of the largest connection count. For example,

// if the max connection count is 400 and this variable is set to 0.05 (5%),

// the bucket size will be 20 (400*0.05=20). As you make this variable

// larger, the algorithm becomes more forgiving to variation.

// Default value 0.05

"histogram_mode_sensitivity": 0.05,

// This is the number of buckets that can be considered outliers and dropped

// from the calculation.

// Default value: 1

"histogram_bimodal_outlier_removal": 1,

// This is the minimum number of hours seen in a connection graph representation

// of a beacon before the bimodal subscore score is used.

// Default value: 11 (sets the minimum coverage to just below half of the day)

"histogram_bimodal_min_hours_seen": 11,

"score_thresholds": {

// beacon score

"base": 50,

"low": 70,

"medium": 90,

"high": 100

}

},

"long_connection_score_thresholds": {

// duration, in seconds

"base": 3600, // 1 hour

"low": 14400, // 4 hours

"medium": 28800, // 8 hours

"high": 43200 // 12 hours

},

"c2_score_thresholds": {

// number of subdomains

"base": 100,

"low": 500,

"medium": 800,

"high": 1000

},

"strobe_impact": {

"category": "high" // any strobes will be placed in the high category

},

"threat_intel_impact": {

"category": "high" // any threat intel hits will be placed in the high category

}

},

"modifiers": {

"threat_intel_score_increase": 0.15, // score +15% if data size >= 25 MB

"threat_intel_datasize_threshold": 25000000, // 25MB (as bytes)

"prevalence_score_increase": 0.15, // score +15% if prevalence <= 2%

"prevalence_increase_threshold": 0.02,

"prevalence_score_decrease": 0.15, // score -15% if prevalence >= 50%

"prevalence_decrease_threshold": 0.5, // must be greater than the increase threshold

// first seen scoring only applies to rolling datasets

// ** a dataset should be imported as rolling only if the logs are current (within the past 24 hours) i.e: coming from a live zeek sensor **

"first_seen_score_increase": 0.15, // score +15% if first seen <= 7 days ago

"first_seen_increase_threshold": 7,

"first_seen_score_decrease": 0.15, // score -15% if first seen >= 30 days ago

"first_seen_decrease_threshold": 30, // must be greater than the increase threshold

"missing_host_count_score_increase": 0.1, // +10% score for missing host header

"rare_signature_score_increase": 0.15, // +15% score for connections with a rare signature

"c2_over_dns_direct_conn_score_increase": 0.15, // +15% score for domains that were queried but had no direct connections

"mime_type_mismatch_score_increase": 0.15 // +15% score for connections with mismatched MIME type/URI

},

"months_to_keep_historical_first_seen": 3,

"batch_size": 100000

}