A list of demo models to trigger Workbench alerts for your cloud account.
The following are a list of demonstration models used to test your Cloud Detections
for AWS VPC Flow Logs integration. Running the listed models creates an alert in the
Workbench app.
Demo Model - Network connection to known suspicious IP address
Use these steps to trigger the detection model and create a Workbench alert for AWS
VPC Flow Logs.
Procedure
- Create a batch file with the following command:
ping 5.135.115.193 - Sign in to the AWS account you want to use to test XDR for Cloud - VPC Flow Logs.
- Set up an EC2 instance.
- Connect to the EC2 instance and run the batch file.
- In the Trend Vision One console, go to to view the generated alert.
Threat Intelligence sweeping test for AWS VPC Flow Logs
Create a demo report to test the sweeping capabilities of Threat Intelligence.
Use the following steps to create a demo report for Threat Intelligence sweeping and
generate an alert in the Workbench app.
Procedure
- In the Trend Vision One console, go to .
- Search for AWS VPC Flow Log data within the last 30 days.Use the Network Activity Data search method and filter by productCode: vpc.
- Select an example activity and copy one of the following fields:
-
src: source IP address -
dst: destination IP address -
pktSrcAddr: packet source address -
pktDstAddr: packet destination address
-
- Use the report template to create a custom demo template.In the demo template, replace the values for the following attributes under
"objects":-
"name": replace"${name}"with a recognizable name.For example, "name": "VPC Flow Log Test" -
"id": replace"${report_id}"with a report name containing a GUID.For example, "id": "report--a763cbf4-3562-456e-a319-ef94e33ead72" -
"pattern": replace"${pattern}"with the search value.This is the IPv4 address value you copied from the search results in the previous step with the format"[ipv4-addr:value = 'x.x.x.x']". For example, if the destination IP address is8.8.8.8, specify the attribute:value set as "pattern": "[ipv4-addr:value = '8.8.8.8']"
Use following code to create the demo template. The demo template is a STIX file written in JSON format.{ "type": "bundle", "id": "bundle--f084b7bb-cec2-4547-b9af-2076359b8647", "objects": [ { "created_by_ref": "identity--a9cbc950-6454-4e73-ab75-b2a16c76adc5", "name": "${name}", "published": "2022-09-09T07:21:23.921Z", "modified": "2022-09-09T07:21:23.921Z", "report_types": [ "indicator" ], "object_refs": [ "identity--a9cbc950-6454-4e73-ab75-b2a16c76adc5", "indicator--491094c9-3245-48b4-9f2e-f53aae86c767" ], "type": "report", "id": "${report_id}", "created": "2022-09-09T07:21:23.921Z", "spec_version": "2.1" }, { "type": "identity", "id": "identity--a9cbc950-6454-4e73-ab75-b2a16c76adc5", "created": "2022-09-09T07:21:23.921Z", "modified": "2022-09-09T07:21:23.921Z", "spec_version": "2.1" }, { "valid_from": "2022-09-09 07:21:10", "created_by_ref": "identity--a9cbc950-6454-4e73-ab75-b2a16c76adc5", "created": "2022-09-09T07:21:23.921Z", "pattern": "${pattern}", "pattern_type": "stix", "labels": [ "malicious-activity" ], "modified": "2022-09-09T07:21:23.921Z", "type": "indicator", "id": "indicator--491094c9-3245-48b4-9f2e-f53aae86c767", "spec_version": "2.1", "description": "" } ] }For best results, save the file as {report_id}.json including the GUID in the filename. -
- Go to .
- Click Add.
- For Method, select STIX file.
- Click Select File... and locate the demo template file you created.
- Click Submit.
- Locate the custom report you created and click the options icon (
). - Select Start Sweeping to run the report.If configured correctly, a matched sweep appears with a linked Workbench alert. Click the link to view the alert in the Workbench app.