
Automatic Lookback on Events

CYBERQUEST provides lookback functionality over events, so that newly received information can be traced and cross-correlated with events received in the past. For this purpose, the Data Transformation Service (DTS) exposes the following methods, which can be used when creating a script:

Events class:

getCount(query, days = 0) // returns the number of events matching the query. The query can be any query string; please refer to the query syntax.
getBackLogs(query, days = 0, maxcount = 100) // returns the events matching the query, ordered descending by localtime, up to maxcount events.

These methods can be used by accessing the Rules > DTS Objects section, adding an object and creating a custom script. The syntax presented below can be combined with the information from the Threat Intelligence Source. In this way, each new Indicator of Compromise (IOC) is validated against the backlog, and if events are found with those malicious IP addresses, an alert can be raised:

// Query built from the IOC addresses (here two example IPs)
let query = "SourceIP:192.168.1.1 OR DestinationIP:192.168.0.1";

// Count matching events in the last 30 days
let numberOfEvents = Events.getCount(query, 30);

if (numberOfEvents > 2) {
    // Fetch the matching events themselves (default maxcount of 100)
    let cqEvents = Events.getBackLogs(query, 30);

    Alert.create({
        emails:"notificationAddress1@company.com, notificationAddress2@company.com", // separated by comma
        name:"Alert created by DTS for backEvents",
        secLevel:5, // security level (between 1-10)
        secScore:10, // security score (between 1-100)
        inputLogs:cqEvents // the events found in the backlog, attached to the alert
    });
}
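The following is an added example, not CYBERQUEST's own code, showing the same lookback driven by a list of IOC IP addresses rather than a hand-written query: it builds the `SourceIP:... OR DestinationIP:...` query from the list, calls `Events.getCount` and `Events.getBackLogs` with the signatures documented above, and raises one alert through `Alert.create`. Because the real `Events` and `Alert` objects only exist inside DTS, the example emulates them over a constructed backlog; the emulation understands only `Field:value` terms joined by `OR` (the subset used on this page), which is an assumption and not the full CYBERQUEST query syntax. The backlog contents, the reference time, the IOC list and the recipient address are all constructed.

```javascript
// Added example (not CYBERQUEST code): validate IOC IPs from a threat-intelligence
// feed against the event backlog and raise an alert if enough events match.

// Constructed backlog; in DTS this data is served by Events.getBackLogs.
const BACKLOG = [
  { localtime: "2024-01-10T08:00:00Z", SourceIP: "10.0.0.5",    DestinationIP: "203.0.113.7" },
  { localtime: "2024-01-10T09:00:00Z", SourceIP: "203.0.113.7", DestinationIP: "10.0.0.8" },
  { localtime: "2024-01-11T10:00:00Z", SourceIP: "10.0.0.9",    DestinationIP: "198.51.100.4" },
  { localtime: "2024-01-12T11:00:00Z", SourceIP: "10.0.0.9",    DestinationIP: "192.0.2.1" },
];
// Constructed "now", so the `days` window is deterministic.
const NOW_MS = Date.parse("2024-01-15T00:00:00Z");

// Minimal stand-in for the query engine (assumption): only "Field:value"
// terms joined by OR are understood, which is the subset used on this page.
function matchesQuery(event, query) {
  return query.split(/\s+OR\s+/).some((term) => {
    const [field, value] = term.trim().split(":");
    return event[field] === value;
  });
}

// Events within the last `days` days (days = 0 means no time filter here).
function inWindow(event, days) {
  if (days <= 0) return true;
  return Date.parse(event.localtime) >= NOW_MS - days * 86400000;
}

// Emulation of the documented Events class, same signatures as the page.
const Events = {
  getCount(query, days = 0) {
    return BACKLOG.filter((e) => inWindow(e, days) && matchesQuery(e, query)).length;
  },
  getBackLogs(query, days = 0, maxcount = 100) {
    return BACKLOG.filter((e) => inWindow(e, days) && matchesQuery(e, query))
      .sort((a, b) => b.localtime.localeCompare(a.localtime)) // descending by localtime
      .slice(0, maxcount);
  },
};

// Emulation of Alert.create: records the alert instead of notifying anyone.
const createdAlerts = [];
const Alert = {
  create(alert) {
    createdAlerts.push(alert);
    return alert;
  },
};

// Build "SourceIP:a OR DestinationIP:a OR SourceIP:b OR ..." from an IOC list.
function buildIocQuery(iocIps) {
  return iocIps
    .flatMap((ip) => [`SourceIP:${ip}`, `DestinationIP:${ip}`])
    .join(" OR ");
}

// The lookback: count matches over `days`; only when the count exceeds
// `threshold` fetch the events and attach them to a new alert.
// Returns the alert object, or null when no alert was raised.
function checkIocsAgainstBacklog(iocIps, days = 30, threshold = 2, maxcount = 100) {
  if (iocIps.length === 0) return null;
  const query = buildIocQuery(iocIps);
  const numberOfEvents = Events.getCount(query, days);
  if (numberOfEvents <= threshold) return null;
  const cqEvents = Events.getBackLogs(query, days, maxcount);
  return Alert.create({
    emails: "soc-notifications@company.example", // constructed recipient
    name: `DTS lookback: ${numberOfEvents} event(s) matched ${iocIps.length} IOC(s)`,
    secLevel: 5,
    secScore: 10,
    inputLogs: cqEvents,
  });
}

// Constructed IOC list, as it might arrive from a Threat Intelligence Source.
const IOCS = ["203.0.113.7", "198.51.100.4"];
const result = checkIocsAgainstBacklog(IOCS);
console.log(result ? `alert raised with ${result.inputLogs.length} events` : "no alert");
```

Inside DTS you would drop the emulated `Events`, `Alert`, `BACKLOG` and `NOW_MS` and keep only `buildIocQuery` and `checkIocsAgainstBacklog`, feeding the IOC list from the Threat Intelligence Source. Keeping the threshold and the `days` window as parameters makes it easy to tune how far back a newly published IOC is checked without editing the query by hand.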

You can access the following link to see how to create a DTS alert.