
Recall Host Dashboard

The Recall Host Dashboard is the landing page for most users as you pivot from the Host view in Detect to look at historical metadata in Recall.

If a user goes to any host page in the Cognito UI, and clicks on "Investigate in Cognito Recall" on this host view, they are taken to the host dashboard, preconfigured to show a relevant time range, and limited to only show data pertaining to this host.

The Host dashboard offers a historical overview of a host's activity; by default, it shows the time range around the detections for a given host.

In this article, we'll go through:

  1. The Filter Logic
  2. Interacting with the Host Dashboard
  3. External Data Transfer in & Out
  4. Kerberos & NTLM Logins
  5. RPC Sessions
  6. HTTP Traffic
  7. LDAP Connections

The Filter Logic

The filter that ensures that we only show activity pertaining to our host uses Cognito Recall's Host Identification solution.
As your Cognito Brain sends metadata to Recall, all events are tagged with a unique identifier for a host. This tracks hosts even as their IP and hostname change, which makes it much easier to get an idea of the activity of the host over a period of time.

The filter here is pre-filled by Detect when you pivot across, and it uses Lucene to specify:
"Only show events that match at least 1 of these statements:
our originating host's unique id is X
OR our responding host's unique id is X"

Interacting with the Host Dashboard

Zooming in on a particular time range

An analyst is able to quickly zoom in on a time period of interest by clicking and dragging on a time range in any of the charts on this dashboard. All of the data is updated to the selected range, which allows the user to quickly see what may have been behind a specific spike in Kerberos attempts or data transfer for this host.

Focusing in on a specific host

If a specific event for a host looks interesting, and an analyst wants to investigate transfer between our host and this specific host in more depth, then the results can quickly be filtered down to that host. In any data table, hover over the hostname of the server you want to focus in on, and click on the "+" magnifying glass beside it:


Conversely, if you want to exclude communication with a specific host that you know is benign and is adding noise, you can click on the "-" magnifying glass to exclude communication with this host.


Useful fields in Data Tables

The data tables in the Host dashboard have a lot in common. The Count field lists how often a combination of the parameters in the rest of the table was seen; a query/response pair that has occurred frequently may be a sign that this is a common action that does not warrant further investigation.

First Seen and Last Seen can also be useful indicators of activity. If First Seen and Last Seen are within seconds of each other, that can signify that this event was novel and may warrant further investigation. For example, if a User Agent was seen very frequently, but only over the course of a few minutes, that would be a red flag.
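As an added example (not part of the original article or of the Recall product), the following Python script reproduces both the host filter described under "The Filter Logic" and the Count / First Seen / Last Seen heuristic above on constructed metadata events. The field names (src_host_id, dst_host_id, user_agent, ts, src_ip), the host ids and the thresholds are assumptions, not Recall's real schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; the schema is an assumption for illustration only.
def _event(ts, src, dst, ua, src_ip):
    return {"ts": ts, "src_host_id": src, "dst_host_id": dst, "user_agent": ua, "src_ip": src_ip}

BASE = datetime(2023, 5, 1, 9, 0, 0)
EVENTS = []
# Benign browser User-Agent: 30 requests from host H1 spread over ~2.5 days.
# Halfway through, H1 changes IP but keeps its unique host id.
for i in range(30):
    ip = "10.0.0.5" if i < 15 else "10.0.0.77"
    EVENTS.append(_event(BASE + timedelta(hours=2 * i), "H1", "H9", "Mozilla/5.0 (Windows NT 10.0)", ip))
# Suspicious User-Agent: 12 requests from H1 within two minutes.
for i in range(12):
    EVENTS.append(_event(BASE + timedelta(days=1, seconds=10 * i), "H1", "H8", "python-requests/2.31", "10.0.0.77"))
# The same User-Agent from another host H2; the host filter must drop these rows.
for i in range(12):
    EVENTS.append(_event(BASE + timedelta(seconds=10 * i), "H2", "H8", "python-requests/2.31", "10.0.0.9"))


def host_filter(events, host_id):
    """The pre-filled filter: keep events whose originating OR responding host id is host_id.
    Because the id survives IP/hostname changes, H1's traffic from both IPs is kept."""
    return [e for e in events if e["src_host_id"] == host_id or e["dst_host_id"] == host_id]


def user_agent_table(events):
    """Aggregate events the way the User Agent data table does: Count, First Seen, Last Seen."""
    rows = {}
    for e in events:
        row = rows.setdefault(e["user_agent"], {"count": 0, "first_seen": e["ts"], "last_seen": e["ts"]})
        row["count"] += 1
        row["first_seen"] = min(row["first_seen"], e["ts"])
        row["last_seen"] = max(row["last_seen"], e["ts"])
    return rows


def flag_novel_bursts(table, min_count=10, max_window=timedelta(minutes=5)):
    """The article's heuristic: a User-Agent seen frequently but only over a few minutes is a red flag.
    Returns the flagged User-Agent strings, sorted."""
    return sorted(ua for ua, r in table.items()
                  if r["count"] >= min_count and r["last_seen"] - r["first_seen"] <= max_window)


if __name__ == "__main__":
    table = user_agent_table(host_filter(EVENTS, "H1"))
    for ua, r in table.items():
        print(f"{ua!r}: count={r['count']} first={r['first_seen']} last={r['last_seen']}")
    print("flagged:", flag_novel_bursts(table))
```

Note that without the host filter the burst User-Agent's First Seen and Last Seen are a day apart (H2's rows widen the window), so the red flag only appears once the table is scoped to the host under investigation.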

Host Dashboard Sections

External Data Transfer in & Out


Our first graph shows data sent to external destinations and data received from external destinations. The orange line shows data received by this host from external sources, while the green line shows data sent from this host to external destinations. This graph can help you quickly spot any spikes in data transfer that may warrant investigation.

Connections to External Domains & Internal Connections


Below our data transfer graph, there are 2 data tables that help you see the specific external & internal hosts that were connected to.

Both tables are sorted by the count of connections involving this host, so that the hosts interacted with most often appear first, but you can easily sort by a different field by clicking on the column headers.

The Fields listed for external connections are:

  • Domain* - The domain name interacted with
  • IP* - The IP of the host interacted with
  • Dst Port - The port of the external host that was interacted with
  • Bytes Sent - The sum of bytes sent to this external host over this port
  • Bytes Received - The sum of bytes received from this external host over this port
  • Count - The total number of connections made to this server/port combination

The Fields listed for internal connections are:

  • Src - The initiator of the connection.
  • Dst - The responder to the connection. Src or Dst will be the hostname of the host you are investigating.
  • Dst Port - The port of the responding host that was interacted with
  • Bytes Sent - The sum of bytes sent from the Src to the Dst host over this port
  • Bytes Received - The sum of bytes sent from the Dst to the Src over this port
  • Count - The total number of connections made between these hosts on this port.

Kerberos & NTLM Logins


This section shows login attempts involving this host, and you can use this chart to quickly see any spikes in failed login attempts. In the screenshot above, by hovering over the legend, we can ask the graph to show successful Kerberos logins exclusively.

On the right-hand side, 2 data tables show the specific servers connected to.

The Kerberos & NTLM Fields are both:

  • Src - The originator of the Kerberos/NTLM request
  • Dst - The responding host of the Kerberos/NTLM request
  • Account - The account used in this request
  • Auth Status - whether the authentication attempt was successful (true) or a failure (false)
  • First Seen - The first time this authentication attempt was seen within your retention period
  • Last Seen - The most recent time this authentication attempt was seen
  • Count - The number of authentication attempts that failed/succeeded made against this server

It is worth noting that if successful and unsuccessful auth attempts were made, they would show as 2 separate rows in this data table.

RPC Sessions


As you scroll further, you can also see RPC sessions involving this host and a list of exactly which servers have been connected to.

RPC sessions are Remote Procedure Call sessions: instances where one server remotely executes code on another server. This can be used for many malicious purposes, especially for command and control (C2).

The fields listed in the data table are:

  • Src - The creator of the RPC session.
  • Dst - The destination of the RPC session.
  • Account - The account used in this request
  • Endpoint - The endpoint used for this request
  • Function - The function called in this request.
  • First Seen - The first time this RPC attempt was seen within your retention period
  • Last Seen - The most recent time this RPC attempt was seen
  • Count - The number of RPC sessions with this specific function made against this server.

HTTP Traffic


Our next section shows HTTP & DNS connections, including a drilldown on what DNS requests were made, the paths requested, and the User Agents used. HTTP is a commonly used vector, and this section lets you investigate it. You can quickly see if any spikes in HTTP or DNS traffic occurred, and then investigate specific events through the data tables beside the chart.

The fields listed in the DNS data table are:

  • Query - The URL (name) that the request is looking up
  • Answer - The server which the DNS server has found for the queried URL.
  • Request Status - The response to the given query, e.g. NXDOMAIN or NoError.
  • Count - The number of times a DNS lookup has been requested for a given URL/server pair.

The fields listed in the HTTP Destinations data table are:

  • URI - The path accessed in the URL. This is stripped of the host involved, to reveal any patterns in accessed paths across multiple hosts.
  • Method - The method used to access this path (GET/HEAD/POST etc.)
  • Count - The number of times a request of a given type has been made against a path.

The fields listed in the User Agent data table are:

  • User-Agent - The User-Agent header as specified in the HTTP Requests that were monitored. Novel User-Agents may warrant further investigation, and this may give you an insight into the cause for this traffic.
  • First Seen - The first time this user-agent was seen performing HTTP requests within your retention period
  • Last Seen - The most recent time this user agent was seen
  • Count - The number of times this User Agent performed HTTP requests

LDAP Connections


Finally, we have a section on any LDAP connections involving this server. This covers any requests made against the Directory Service from this host, or, if this host is a directory service, all requests made against it.

The fields listed in the LDAP data table are:

  • Src - The initiator of the connection.
  • Dst - The responder to the connection. Src or Dst will be the hostname of the host you are investigating.
  • Query - The query made against the directory service in this connection.
  • Result - The response from the directory service to the query
  • First Seen - The first time this host asked for this given query and received that specific result within your retention period.
  • Last Seen - The most recent time this host, query, result combination was seen.
  • Count - The number of times this host, query, result combination was seen over your query window.
