Suppression & Tuning
Overview
Spyderbat is a powerful security tool that leverages Spydertraces to group security alerts (red flags) into scored traces of activity. This documentation page will guide you through the concepts of trace suppression to tune your Spyderbat environment.
Spydertraces
Spydertraces are groups of security alerts that are scored based on the activity they represent. These traces provide a comprehensive view of potentially suspicious activity within your environment and are viewable on the Spyderbat dashboard. From the dashboard, you can investigate each Spydertrace to determine the nature and severity of the activity.
Alert Suppression
Alert suppression in Spyderbat allows you to mark known Spydertrace activities as acceptable. Suppressing a Spydertrace reduces its score to 0 and prevents future traces that match the same activity from showing up in your Dashboards. This helps in reducing noise and focusing on genuinely suspicious activities.
Trace Suppression Policies are the mechanism that implements Spydertrace suppression. A Suppression Policy can be generated automatically with the Spyctl CLI from a valid Spydertrace UID.
Example Suppression Policy:
This example policy suppresses any Spydertrace triggered by a suspicious nc command whose process ancestors are exactly systemd/containerd-shim/sh/python/sh/nc. Within that scope, the policy then lists which other flags are allowed to be grouped into the trace.
Should additional flags appear that are not on the allowed list, the trace is no longer suppressed and receives a new score based on the severity of those new flags.
After applying suppression policies, it may take up to 24 hours for all of the suppressed Spydertraces to disappear from your dashboard. To see the effect sooner, adjust the dashboard to show results from the last hour only.
Methods of Suppression
There are currently two methods to suppress Spydertraces in Spyderbat:
Hybrid Web Console/Spyctl CLI Approach
CLI-Based Approach
With either approach, as soon as you implement the suppression policy, active traces matching the policy scope will become suppressed and any new traces within the scope of the policy's selectors will be immediately suppressed.
1. Hybrid Web Console/Spyctl CLI Approach
In this approach, you use both the Spyderbat web console and the spyctl CLI to suppress Spydertraces. Follow these steps:
Select a Spydertrace: Navigate to the Spyderbat dashboard and select the Spydertrace you want to investigate.
Investigate the Trace: Investigate the selected Spydertrace to understand its activity.
Grab the Trace UID: Note the unique identifier (UID) of the Spydertrace.
Suppress the Trace: Open your terminal and run the following command in the spyctl CLI, replacing TRACE_UID with the actual UID of the Spydertrace you want to suppress.
For example:
2. CLI-Based Approach
In the CLI-based approach, you use only the spyctl CLI to manage Spydertraces. Follow these steps:
View Spydertraces: Run the following command to get a summarized list of Spydertraces with a score above 50, including a link back to the dashboard:
Spydertraces in this output are grouped by similar activity and where they occur within the process tree.
Grab a UID: From the summarized list, note the UID of the Spydertrace you want to suppress.
Suppress the Trace: Run the following command in the spyctl CLI:
Replace TRACE_UID with the actual UID of the Spydertrace you want to suppress.
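The following is an added illustration of the suppression semantics described above (a policy scopes on the triggering flag plus its process ancestors, allows a set of grouped flags, drops a fully matching trace to score 0, and re-scores a trace that picks up flags outside the allow-list from the severity of the new flags only), together with the "score above 50" dashboard filter used in the CLI-based approach. It is not Spyderbat's or spyctl's own code, and it does not reproduce the real policy file format: the Flag, Trace and SuppressionPolicy types, the severity weights, the flag names and the trace UIDs are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed severity weights for the example; Spyderbat's actual scoring
# model is not described on the page and these numbers are not its values.
SEVERITY = {"low": 10, "medium": 30, "high": 60, "critical": 100}


@dataclass(frozen=True)
class Flag:
    """A single red flag: a name and a severity level (both constructed)."""
    name: str
    severity: str


@dataclass(frozen=True)
class Trace:
    """A Spydertrace reduced to the parts that suppression cares about."""
    uid: str
    trigger: Flag               # the flag that started the trace
    ancestors: str              # process ancestry of the trigger, root first
    flags: frozenset            # other flags grouped into the trace


@dataclass(frozen=True)
class SuppressionPolicy:
    """Hypothetical policy: a scope (trigger + ancestors) and an allow-list."""
    trigger_name: str
    ancestors: str
    allowed_flags: frozenset    # names of flags allowed to group within the scope


def raw_score(trace: Trace) -> int:
    """Unsuppressed score: trigger severity plus every grouped flag."""
    return SEVERITY[trace.trigger.severity] + sum(SEVERITY[f.severity] for f in trace.flags)


def in_scope(policy: SuppressionPolicy, trace: Trace) -> bool:
    """A policy applies only to traces with the same trigger and ancestry."""
    return policy.trigger_name == trace.trigger.name and policy.ancestors == trace.ancestors


def score_trace(trace: Trace, policies) -> tuple[int, frozenset]:
    """Apply suppression. Returns (score, names of flags outside the allow-list).

    - No policy in scope: the trace keeps its raw score.
    - Policy in scope and every grouped flag allowed: score 0 (suppressed).
    - Policy in scope but extra flags present: the trace is no longer
      suppressed and is re-scored from the severity of the new flags only.
    """
    for policy in policies:
        if in_scope(policy, trace):
            new_flags = frozenset(f for f in trace.flags if f.name not in policy.allowed_flags)
            return sum(SEVERITY[f.severity] for f in new_flags), frozenset(f.name for f in new_flags)
    return raw_score(trace), frozenset()


def dashboard_view(traces, policies, min_score: int = 50):
    """UIDs of traces still shown on a dashboard filtered to score > min_score."""
    return [t.uid for t in traces if score_trace(t, policies)[0] > min_score]


# --- constructed sample data (not real Spyderbat output) ------------------
NC_PATH = "systemd/containerd-shim/sh/python/sh/nc"
NC_TRIGGER = Flag("suspicious_nc_command", "high")
OUTBOUND = Flag("outbound_connection", "low")
SHELL = Flag("interactive_shell", "medium")
PRIV_ESC = Flag("privilege_escalation", "high")

POLICY = SuppressionPolicy(
    trigger_name="suspicious_nc_command",
    ancestors=NC_PATH,
    allowed_flags=frozenset({"outbound_connection", "interactive_shell"}),
)

# Same trigger and ancestry, only allowed flags: fully suppressed.
KNOWN_GOOD = Trace("trace:0001", NC_TRIGGER, NC_PATH, frozenset({OUTBOUND, SHELL}))
# Same scope but a new flag appears: suppression is lost, re-scored from the new flag.
ESCALATED = Trace("trace:0002", NC_TRIGGER, NC_PATH, frozenset({OUTBOUND, SHELL, PRIV_ESC}))
# Same trigger under a different ancestry: the policy does not apply at all.
OTHER_PATH = Trace("trace:0003", NC_TRIGGER, "systemd/sshd/bash/nc", frozenset({OUTBOUND, SHELL}))

if __name__ == "__main__":
    for t in (KNOWN_GOOD, ESCALATED, OTHER_PATH):
        score, new = score_trace(t, [POLICY])
        print(f"{t.uid}: raw={raw_score(t)} suppressed_score={score} new_flags={sorted(new)}")
    print("visible on dashboard:", dashboard_view([KNOWN_GOOD, ESCALATED, OTHER_PATH], [POLICY]))
```

The point of the third sample trace is the scoping rule: the policy matches on the full ancestor path, so the same nc trigger under a different process lineage stays at its raw score and remains visible on a dashboard filtered above 50. The second sample shows why suppression is safe to leave in place: a new flag inside the suppressed scope brings the trace back, scored only on what changed.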
Summary
Spydertraces: Grouped security alerts scored based on activity, viewable on the Spyderbat dashboard.
Suppression: Marking known Spydertrace activities as acceptable, reducing their score to 0, and preventing future alerts for matching activities.
Methods of Suppression:
Hybrid Web Console/Spyctl CLI Approach: Investigate traces on the dashboard and suppress using the spyctl CLI.
CLI-Based Approach: Use spyctl CLI commands to view and suppress Spydertraces.
By using these methods, you can efficiently manage and tune your Spydertrace dashboards, ensuring that your focus remains on truly suspicious activities.