Suppression & Tuning

Overview

Spyderbat is a powerful security tool that leverages Spydertraces to group security alerts (red flags) into scored traces of activity. This documentation page will guide you through the concepts of trace suppression to tune your Spyderbat environment.

Spydertraces

Spydertraces are groups of security alerts that are scored based on the activity they represent. These traces provide a comprehensive view of potentially suspicious activity within your environment and are viewable on the Spyderbat dashboard. From the dashboard, you can investigate each Spydertrace to determine the nature and severity of the activity.

Alert Suppression

Alert suppression in Spyderbat allows you to mark known Spydertrace activities as acceptable. Suppressing a Spydertrace reduces its score to 0 and prevents future traces that match the same activity from showing up in your Dashboards. This helps in reducing noise and focusing on genuinely suspicious activities.

Trace Suppression Policies are the current mechanism for suppressing Spydertraces. A Suppression Policy can be generated automatically with the Spyctl CLI from a valid Spydertrace UID.

Example Suppression Policy:

apiVersion: spyderbat/v1
kind: SpyderbatPolicy
metadata:
  name: Trace Suppression Policy for systemd/containerd-shim/sh/python/sh/nc
  type: trace
spec:
  traceSelector:
    matchFields:
      triggerAncestors: systemd/containerd-shim/sh/python/sh/nc
      triggerClass: redflag/proc/command/high_severity/suspicious/nc
  enabled: true
  mode: enforce
  allowedFlags:
  - class: redflag/proc/tmp_exec/high_severity/nc
  - class: redflag/proc/command/high_severity/suspicious/nc
  - class: redflag/proc/suspicious_crud_command/high_severity/cat

This example policy suppresses any Spydertrace triggered by a suspicious nc command whose process ancestry is exactly systemd/containerd-shim/sh/python/sh/nc. Within that scope, the policy then lists which other flags are allowed to be grouped into the trace.

Should additional flags appear that are not on the allowed list, the trace is no longer suppressed and receives a new score based on the severity of the new flags.
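To make the matching rules above concrete, here is an added example (not spyctl's own code) that evaluates a trace against the policy shown on this page: a trace is suppressed only when its trigger ancestors and trigger class match the selector and every flag in it is on the allowed list. The trace records and the severity weights used for rescoring are constructed for illustration and are not Spyderbat's real scoring.

```python
"""Evaluate whether a Spydertrace is suppressed by a trace suppression policy.

Constructed example mirroring the semantics described on this page; it is
not part of spyctl and does not reproduce Spyderbat's real scoring model.
"""

# The example policy from this page, expressed as a dict with the same fields.
POLICY = {
    "apiVersion": "spyderbat/v1",
    "kind": "SpyderbatPolicy",
    "metadata": {"name": "Trace Suppression Policy for systemd/containerd-shim/sh/python/sh/nc",
                 "type": "trace"},
    "spec": {
        "traceSelector": {"matchFields": {
            "triggerAncestors": "systemd/containerd-shim/sh/python/sh/nc",
            "triggerClass": "redflag/proc/command/high_severity/suspicious/nc",
        }},
        "enabled": True,
        "mode": "enforce",
        "allowedFlags": [
            {"class": "redflag/proc/tmp_exec/high_severity/nc"},
            {"class": "redflag/proc/command/high_severity/suspicious/nc"},
            {"class": "redflag/proc/suspicious_crud_command/high_severity/cat"},
        ],
    },
}

# Hypothetical weights keyed on the severity segment of a flag class path.
SEVERITY_WEIGHT = {"high_severity": 30, "medium_severity": 15, "low_severity": 5}


def flag_weight(flag_class):
    """Weight of one flag, taken from the severity segment of its class path."""
    return next((w for seg, w in SEVERITY_WEIGHT.items() if seg in flag_class.split("/")), 5)


def evaluate_trace(policy, trace):
    """Return (suppressed, score, unexpected_flags) for a trace dict with the
    keys trigger_ancestors, trigger_class, flags (class strings) and score."""
    spec = policy["spec"]
    sel = spec["traceSelector"]["matchFields"]
    in_scope = (spec.get("enabled", False)
                and trace["trigger_ancestors"] == sel["triggerAncestors"]
                and trace["trigger_class"] == sel["triggerClass"])
    if not in_scope:
        return False, trace["score"], []          # policy does not apply; score untouched
    allowed = {f["class"] for f in spec["allowedFlags"]}
    unexpected = [f for f in trace["flags"] if f not in allowed]
    if not unexpected:
        return True, 0, []                        # fully covered: score drops to 0
    # New flags outside the allowed list: no suppression, rescore on the new flags only.
    return False, sum(flag_weight(f) for f in unexpected), unexpected
```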

After applying suppression policies it may take up to 24 hours for all of the suppressed Spydertraces to disappear from your dashboard. To work around this, you can adjust the dashboard to show results from the last hour only.

Methods of Suppression

There are currently two methods to suppress Spydertraces in Spyderbat:

  1. Hybrid Web Console/Spyctl CLI Approach

  2. CLI-Based Approach

With either approach, as soon as you implement the suppression policy, active traces matching the policy scope will become suppressed and any new traces within the scope of the policy's selectors will be immediately suppressed.

1. Hybrid Web Console/Spyctl CLI Approach

In this approach, you use both the Spyderbat web console and the spyctl CLI to suppress Spydertraces. Follow these steps:

  1. Select a Spydertrace: Navigate to the Spyderbat dashboard and select the Spydertrace you want to investigate.

  2. Investigate the Trace: Investigate the selected Spydertrace to understand its activity.

  3. Grab the Trace UID: Note the unique identifier (UID) of the Spydertrace.

  4. Suppress the Trace: Open your terminal and run the following command in the spyctl CLI:

    spyctl suppress trace TRACE_UID

    Replace TRACE_UID with the actual UID of the Spydertrace you want to suppress.

    For example:

    $ spyctl suppress trace trace:8cu1e46HQUM:AAYW964bTk0:suspicious_command
    apiVersion: spyderbat/v1
    kind: SpyderbatPolicy
    metadata:
      name: Trace Suppression Policy for systemd/containerd-shim/sh/python/sh/nc
      type: trace
    spec:
      traceSelector:
        matchFields:
          triggerAncestors: systemd/containerd-shim/sh/python/sh/nc
          triggerClass: redflag/proc/command/high_severity/suspicious/nc
      enabled: true
      mode: enforce
      allowedFlags:
      - class: redflag/proc/tmp_exec/high_severity/nc
      - class: redflag/proc/command/high_severity/suspicious/nc
      - class: redflag/proc/suspicious_crud_command/high_severity/cat

    Suppress spydertraces matching this policy? [Y/n]
    Successfully applied new trace suppression policy with uid: pol:wi6MSOuwenqLT1aHYBhr

2. CLI-Based Approach

In the CLI-based approach, you use only the spyctl CLI to manage Spydertraces. Follow these steps:

  1. View Spydertraces: Run the following command to get a summarized list of Spydertraces with a score above 50, including a link back to the dashboard:

    spyctl get spydertraces --score-above 50 --include-linkback

    Spydertraces in this output are grouped by similar activity and where they occur within the process tree.

  2. Grab a UID: From the summarized list, note the UID of the Spydertrace you want to suppress.

  3. Suppress the Trace: Run the following command in the spyctl CLI:

    spyctl suppress trace TRACE_UID

    Replace TRACE_UID with the actual UID of the Spydertrace you want to suppress.

Summary

  • Spydertraces: Grouped security alerts scored based on activity, viewable on the Spyderbat dashboard.

  • Suppression: Marking known Spydertrace activities as acceptable, reducing their score to 0, and preventing future alerts for matching activities.

  • Methods of Suppression:

    • Hybrid Web Console/Spyctl CLI Approach: Investigate traces on the dashboard and suppress using the spyctl CLI.

    • CLI-Based Approach: Use spyctl CLI commands to view and suppress Spydertraces.

By using these methods, you can efficiently manage and tune your Spydertrace dashboards, ensuring that your focus remains on truly suspicious activities.

© SPYDERBAT, Inc., All Rights Reserved