Fine-tune Event Detection

Fine-tuning correlation rules takes into account the ongoing changes in your IT environment.

Security Correlation Rule System

SMA's Correlation Rule Engine comes with a correlation rule system right out of the box.

Account

Account rules identify account management related threats.

  1. LocalAccountCreation: An account creation event is detected on an endpoint.

  2. MultipleAccountCreation: Multiple (3 or more) accounts are created by the same user within a 5–minute interval.

  3. MultipleAccountModification: Multiple (3 or more) accounts are modified within a 5–minute interval.

Authentication

Authentication rules are related to authentication activities.

  1. BruteForceAttack: Five or more failed login events are followed by a successful login on the same endpoint, associated with the same user account, within 60 seconds.

  2. BruteForceAttackLinux: 5 or more failed login events are followed by a successful login on the same Linux host, associated with the same user account, within an interval of 60 seconds.
  3. DefaultAccountLogin: Login event associated with a default account is detected. This rule only applies to Oracle Database events.

  4. DirectRootLogin: A root login event is detected on an endpoint.

  5. MultipleFailedLogin: Detects multiple failed login events on 5 or more distinct accounts on the same endpoint within 60 seconds.

  6. MultipleFailedSu: Five or more failed su (to root) attempts are detected on the same endpoint within 180 seconds.

  7. MultipleFailedSudo: Five or more failed sudo events initiated by the same account within 180 seconds are detected.

  8. SuspiciousSuLogin: Two or more failed su (to root) attempts are followed by a successful su (to root) on the same endpoint within a time interval of 180 seconds.

  9. TargetedAccountAttack: 5 or more failed login events associated with the same user account are detected within an interval of 60 seconds across single or multiple endpoints.

  10. TargetedAccountAttackLinux: 5 or more failed login events associated with the same user account are detected within an interval of 60 seconds across single or multiple Linux hosts.
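The Authentication rules above are sequence and cardinality correlations over a time window. As an added illustration (this is not SMA's Correlation Rule Engine), the Python below implements two of them over constructed login events: BruteForceAttack (5 or more failures followed by a success for the same account on the same endpoint within 60 seconds) and MultipleFailedLogin (failures on 5 or more distinct accounts on the same endpoint within 60 seconds). The event field names host, user, outcome and ts and the sample events are assumptions; the thresholds and windows are the ones the rule text states.

```python
"""Sliding-window correlation for two Authentication rules (BruteForceAttack,
MultipleFailedLogin). Added example; this is not SMA's Correlation Rule Engine.
Event field names (host, user, outcome, ts) and the sample events are
constructed for the example; thresholds and windows follow the rule text."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60             # both rules correlate within 60 seconds
FAILURE_THRESHOLD = 5           # BruteForceAttack: 5+ failures, then a success
DISTINCT_ACCOUNT_THRESHOLD = 5  # MultipleFailedLogin: failures on 5+ accounts


def _prune(window, now):
    """Drop events older than the correlation window (window is ts-ordered)."""
    while window and now - window[0]["ts"] > WINDOW_SECONDS:
        window.popleft()


def correlate(events):
    """Return (rule_name, host, user) alerts; user is None for host-scoped rules."""
    failures_by_account = defaultdict(deque)  # key: (host, user)
    failures_by_host = defaultdict(deque)     # key: host, across all accounts
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, user, now = ev["host"], ev["user"], ev["ts"]
        if ev["outcome"] == "failure":
            acct = failures_by_account[(host, user)]
            acct.append(ev)
            _prune(acct, now)
            per_host = failures_by_host[host]
            per_host.append(ev)
            _prune(per_host, now)
            if len({e["user"] for e in per_host}) >= DISTINCT_ACCOUNT_THRESHOLD:
                alerts.append(("MultipleFailedLogin", host, None))
                per_host.clear()  # one alert per burst
        elif ev["outcome"] == "success":
            acct = failures_by_account[(host, user)]
            _prune(acct, now)
            if len(acct) >= FAILURE_THRESHOLD:
                alerts.append(("BruteForceAttack", host, user))
            acct.clear()  # a success closes the failure sequence either way
    return alerts


def _login(host, user, outcome, ts):
    return {"host": host, "user": user, "outcome": outcome, "ts": ts}


# Constructed sample: timestamps are seconds from an arbitrary origin.
SAMPLE_EVENTS = (
    [_login("web01", "admin", "failure", t) for t in (0, 5, 10, 15, 20)]
    + [_login("web01", "admin", "success", 30)]          # 5 failures + success in 30 s
    + [_login("web02", "alice", "failure", t) for t in (0, 10)]
    + [_login("web02", "alice", "success", 20)]          # only 2 failures: no alert
    + [_login("db01", f"svc{i}", "failure", 100 + i) for i in range(5)]  # 5 accounts in 5 s
    + [_login("web03", "bob", "failure", t) for t in (0, 10, 20, 30, 200)]
    + [_login("web03", "bob", "success", 210)]           # early failures aged out: no alert
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The web03 sequence is the case to note when tuning: four failures that fall outside the 60-second window before the fifth one are not counted, so widening or narrowing the window changes what the rule catches, exactly as a threshold change does.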

Availability

Availability rules identify the availability status of applications, hosts, and devices.

  1. PlatformInstability: Series of firewall messages that show potential firewall stability issues.

  2. TrafficJam: Firewall messages that show new connections aren’t being accepted as the TCP syslog server can’t be reached.

  3. TranslationTableFull: Series of firewall messages that show that the translation table is full. Traffic will be dropped. This could be a misconfiguration, capacity issue, or the sign of an attack.

Data

Data rules identify data and metadata related threats.

  1. DataDictionaryCopy: Copy operation is detected on certain sensitive data dictionary objects. This rule only applies to Oracle Database events.

  2. DataDictionarySynonym: Synonym creation is detected on certain sensitive data dictionary objects. This rule only applies to Oracle Database events.

  3. WLSBackdoor: Event that shows the successful upload of known backdoor jsp code.

Endpoint

Endpoint rules identify threats against endpoints.

  1. CASBRiskIndicator: Checks for CASB Policy Violations.

Network

Network rules are related to network activities.

  1. BrowserCoinMiner: Detects communication to potential sites related to browser hijack for cryptocurrency mining.

  2. DeniedZoneTransfer: Possible DNS reconnaissance through an attempted zone transfer.

  3. ExternalIPDiscovery: Detects connection attempts to domains that can be used by malware to detect the external IP address of a network for profiling purposes.

  4. FirewallADDrop: Series of firewall messages that show traffic being dropped to Microsoft Domain Controllers.

  5. FirewallSiemDrop: A series of firewall messages that show traffic being dropped to or from the vulnerability assessment scanners.

  6. FirewallVaDrop: A series of firewall messages that show traffic being dropped to or from the vulnerability assessment scanners.

  7. HorizontalPortScan: Network communication, originating from the same source IP, is detected on the same port on 10 or more distinct destination IPs within 60 seconds.

  8. PingSweep: ICMP messages, originating from the same source IP, are detected on 20 or more destination IPs within 60 seconds.

  9. PossibleFirewallRouteIssue: A series of firewall messages that show potential routing issues with the firewall. This can be indicative of misconfiguration, potential attack, or a general network issue.

  10. PossibleSynFlood: A series of firewall messages that show potential firewall stability issues.

  11. PTRRecon: DNS reconnaissance activity where the DNS client performs 5 distinct reverse record lookups (PTR) in a 30 second window.

  12. PunyCodeDomain: Detects international domain names that can't be displayed in ASCII. Domains in scripts such as Cyrillic, Japanese, or Farsi require the Punycode algorithm to convert them into an ASCII form that DNS is able to support.

  13. SIDScan: SID reconnaissance activity where the client performs five distinct SID connection attempts within 60 seconds.

  14. SuspectedAPT: Destination traffic matches any entry in the following watch lists: omc_apt_ip, omc_apt_domain, omc_apt_url.

  15. SuspectedMalware: Destination traffic matches any entry in the following watch lists: omc_malware_ip, omc_malware_domain, omc_malware_url.

  16. SuspectedRansomware: Destination traffic matches any entry in the following watch lists: omc_ransomware_ip, omc_ransomware_domain, omc_ransomware_url.

  17. SuspectedTOR: Detects traffic elements that indicate possible connection attempts to TOR and other anonymization networks.

  18. SuspiciousNetworkTraffic: Destination traffic matches any entry in the following watch lists: omc_suspicious_ip, omc_suspicious_domain, omc_suspicious_url.

  19. TooManyConnection: A series of firewall messages that show too many connections to an address translation. This could be a misconfiguration, capacity issue, or a sign of an attack.

  20. URLShorteningService: Tags logs where network traffic is attempted to a URL that’s shortened with a known URL shortening service. Triggered when internet traffic to a known URL shortening service is detected.

  21. UserAgentNull: Proxy suspicious activity occurred where no User Agent is passed to the proxy. This is atypical behavior and should be investigated. Note: this rule is turned off by default.

  22. UserAgentShort: Detects HTTP traffic with a user agent string less than 40 characters.

  23. VerticalPortScan: Network communication, originating from the same source IP, is detected on 20 or more distinct ports on the same destination within 60 seconds.
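HorizontalPortScan, VerticalPortScan and PingSweep share one shape: count distinct values of one field, grouped by other fields, inside a 60-second window. The Python below is an added example (not SMA's engine) that expresses the three rules as rows of a table and runs them over constructed flow records; the flow field names src, dst, dport, proto and ts are assumptions, the thresholds and window come from the rule descriptions above.

```python
"""Distinct-count-in-window detection for the three scan/sweep Network rules.
Added example, not SMA code. Flow field names (src, dst, dport, proto, ts) and
the sample flows are constructed; thresholds and the 60 s window follow the
rule descriptions on this page."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60

# (rule name, grouping fields, field whose distinct values are counted,
#  threshold, predicate selecting the flows the rule applies to)
SCAN_RULES = [
    ("HorizontalPortScan", ("src", "dport"), "dst", 10, lambda f: f["proto"] != "icmp"),
    ("VerticalPortScan", ("src", "dst"), "dport", 20, lambda f: f["proto"] != "icmp"),
    ("PingSweep", ("src",), "dst", 20, lambda f: f["proto"] == "icmp"),
]


def detect_scans(flows):
    """Return (rule_name, group_key) alerts in time order; one alert per burst."""
    state = {name: defaultdict(deque) for name, *_ in SCAN_RULES}
    alerts = []
    for flow in sorted(flows, key=lambda f: f["ts"]):
        for name, key_fields, count_field, threshold, applies in SCAN_RULES:
            if not applies(flow):
                continue
            key = tuple(flow[k] for k in key_fields)
            window = state[name][key]
            window.append((flow["ts"], flow[count_field]))
            while window and flow["ts"] - window[0][0] > WINDOW_SECONDS:
                window.popleft()  # age out flows older than 60 s
            if len({value for _, value in window}) >= threshold:
                alerts.append((name, key))
                window.clear()
    return alerts


def _flow(src, dst, dport, ts, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "ts": ts, "proto": proto}


# Constructed sample flows; ts in seconds from an arbitrary origin.
SAMPLE_FLOWS = (
    [_flow("10.0.0.5", f"10.0.1.{i}", 445, i) for i in range(1, 13)]           # one port, 12 hosts
    + [_flow("10.0.0.9", "10.0.2.7", p, 100 + p) for p in range(1, 26)]        # 25 ports, one host
    + [_flow("10.0.0.3", f"10.0.3.{i}", 0, 200 + i, "icmp") for i in range(1, 21)]   # 20 pings in 20 s
    + [_flow("10.0.0.4", f"10.0.4.{i}", 0, 300 + 10 * i, "icmp") for i in range(1, 26)]  # 25 pings, 10 s apart
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

The fourth burst (10.0.0.4) never trips PingSweep: spaced ten seconds apart, at most seven of its pings fall inside any 60-second window, which is the kind of slow activity a threshold-and-window rule trades away for a low false-positive rate.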

Note:

To fine-tune out-of-the-box correlation rules, see .

Tuning Rule Specs by Editing Its Parameters

The first action item in event detection is to fine-tune your correlation rules by customizing their rule logic through parameter manipulation. Rule-tuning is essential in order to take into account day-to-day changes in your environment.

Task scope:

This task uses an example in which the user adjusts the parameters available within a rule to tune it for their network. The Minimum Length parameter holds a string-length value that is compared against the associated user agent string SEF field.

Task results:

  • You tune the UserAgentShort correlation rule by adjusting the Minimum Length parameter value.

  • Security Monitoring and Analytics increments the corresponding version number by one, saves it, and enables it by default.

Putting it in context of a real-world scenario

"Your security team may use a custom user agent string to identify authorized network scanning activity using the following pattern vuln scan soc@example.com ticket:<6 digit incrementing value>. As we can see from the rule specification (see table below), the rule is triggered by user agent strings of less than 40 characters by default. This custom user agent is only 39 characters and would trigger the rule whenever scanning was done, generating false positive events."

Table 2-1 Example Details

Item                                 Details
Out-of-the-Box Correlation Rule      UserAgentShort
Parameterizing attribute             Minimum Length
SEF expression                       Pattern for UserAgentShort (SYSTEM.SEF as Event) where Event.sefTransportProtocol IN ("http", "https") AND StrLen(Event.sefActorEPProgramName) > 1 AND StrLen(Event.sefActorEPProgramName) < 40 compute ( UserAgentShort.tags = "risk.indicator", UserAgentShort.riskLevel = 1)
Rule description in plain English    Detects HTTP traffic with a user agent string less than 40 characters.

  1. From Oracle Management Cloud’s home page, go to Security Monitoring and Analytics, Security Admin, and select Correlation Rules.
  2. Expand rule set Network and select UserAgentShort.
  3. Under Parameters:
    1. Decrease the Minimum Length to 39.
  4. To keep the new changes, click Update.

    Notice how the description now reflects your new rule specifications.

    SEF expression: Pattern for UserAgentShort (SYSTEM.SEF as Event) where Event.sefTransportProtocol IN ("http", "https") AND StrLen(Event.sefActorEPProgramName) > 1 AND StrLen(Event.sefActorEPProgramName) < 39 compute ( UserAgentShort.tags = "risk.indicator", UserAgentShort.riskLevel = 1)
    In plain English: Detects HTTP traffic with a user agent string less than 39 characters.

    Note:

    Every time you update a correlation rule, Security Monitoring and Analytics increments the version number and enables the newly updated version by default.

  5. To view or enable previous versions, select the tab Versions right under the correlation rule name.
    1. Select a Version number to view version-specific rule specifications.
    2. Click Enable to activate the current selection.

      Note:

      Only one version is enabled at a time per correlation rule.
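To make the effect of the Minimum Length change concrete, the Python below models the UserAgentShort SEF pattern as a predicate with that parameter, plus the version bookkeeping the steps describe (an update saves a new version and enables it; only one version is enabled at a time). This is an added example, not SMA code: the CorrelationRule class, its methods and the sample events are assumptions, while the SEF field names and the default of 40 come from the rule's SEF expression on this page, and the 39-character scanner user agent is the one from the scenario.

```python
"""Model of the UserAgentShort rule with its Minimum Length parameter and the
version bookkeeping described in the steps above. Added example, not SMA code:
the CorrelationRule class, its methods and the sample events are assumptions;
the SEF field names and the default of 40 come from the rule's SEF expression."""


class CorrelationRule:
    def __init__(self, name, **params):
        self.name = name
        self.versions = [dict(params)]  # version N lives at index N-1
        self.enabled_version = 1

    def update(self, **changes):
        """Store changed parameters as a new version and enable it by default."""
        params = dict(self.versions[-1])
        params.update(changes)
        self.versions.append(params)
        self.enabled_version = len(self.versions)
        return self.enabled_version

    def enable(self, version):
        """Activate a previous version; only one version is enabled at a time."""
        if not 1 <= version <= len(self.versions):
            raise ValueError(f"no version {version}")
        self.enabled_version = version

    @property
    def params(self):
        return self.versions[self.enabled_version - 1]

    def description(self):
        return (f"Detects HTTP traffic with a user agent string less than "
                f"{self.params['minimum_length']} characters.")


def user_agent_short(rule, event):
    """Evaluate the pattern: HTTP(S) and 1 < StrLen(UA) < Minimum Length."""
    ua = event.get("sefActorEPProgramName", "")
    return (event.get("sefTransportProtocol") in ("http", "https")
            and 1 < len(ua) < rule.params["minimum_length"])


def triggered(rule, events):
    """User agent strings from `events` that trigger the enabled version of `rule`."""
    return [e["sefActorEPProgramName"] for e in events if user_agent_short(rule, e)]


SCANNER_UA = "vuln scan soc@example.com ticket:123456"  # 39 characters, as in the scenario
SAMPLE_EVENTS = [  # constructed
    {"sefTransportProtocol": "https", "sefActorEPProgramName": SCANNER_UA},
    {"sefTransportProtocol": "http", "sefActorEPProgramName": "curl/7.1"},
    {"sefTransportProtocol": "https",
     "sefActorEPProgramName": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0"},
    {"sefTransportProtocol": "dns", "sefActorEPProgramName": "x"},  # not HTTP, StrLen 1
]

if __name__ == "__main__":
    rule = CorrelationRule("UserAgentShort", minimum_length=40)
    print(rule.enabled_version, triggered(rule, SAMPLE_EVENTS))  # scanner UA is a false positive
    rule.update(minimum_length=39)
    print(rule.enabled_version, triggered(rule, SAMPLE_EVENTS))  # version 2: scanner UA excluded
```

Lowering the parameter to 39 removes the scanner's false positive while the genuinely short "curl/7.1" still fires; re-enabling version 1 brings the original behaviour back, which is what the Versions tab is for.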

Tuning Rule Exceptions by Whitelisting Rule Attributes

To prevent triggering of a correlation rule or detected event, you implement rule exceptions by whitelisting the associated SEF attributes.

Whitelist entries require the following fields:

  • Attribute — the SEF field the entry is matched against.

  • Format — the type of matching being done (literal, regular expression, or CIDR notation).

  • Values — the items being whitelisted.

    Note:

    Each whitelist entry can contain up to twenty, comma-separated, unique values.

As part of this task, you perform a whitelisting example where you tune the UserAgentShort rule by whitelisting user agent strings known to be used on your network for legitimate purposes.

Table 2-2 Required values for this example

SEF field               Details
sefActorEPProgramName   Whitelist specific user agents to a more tightly scoped set than what’s defined in the rule.
                          • Add the SEF attribute sefActorEPProgramName with a regular expression.
                          • ^soc@example.com 555-1212 ticket:[0-9]{6}
sefActorEPNwAddress     Whitelist the network attribute containing each subnet being filtered out.
                          • Add the SEF attribute sefActorEPNwAddress with CIDR notation.
                          • 10.242.0/24, 10.243.0/24, 10.23.100.0/22

  1. From Oracle Management Cloud’s home page, go to Security Monitoring and Analytics, Security Admin, and select Correlation Rules.
  2. Expand rule set Network and select UserAgentShort.
  3. To add an expression for sefActorEPProgramName, click the Add button under Whitelists.
    1. Begin typing sefActorEPProgramName in the Attribute field.
    2. Select Regular Expression under Format.
    3. Then enter a regular expression in the Value field, such as ^soc@example.com 555-1212 ticket:[0-9]{6}.
  4. To add an expression for sefActorEPNwAddress, click the Add button once again.
    1. Begin typing sefActorEPNwAddress in the Attribute field.
    2. Select CIDR under Format.
    3. Enter each subnet as comma-separated values in the Value field, such as 10.242.0/24, 10.243.0/24, 10.23.100.0/22.

Note:

  • All values are treated as "OR" condition.

  • Maximum whitelists allowed: 5.
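The Python below is an added example (not SMA code) of how the three Format types, the OR semantics and the two limits above combine into a rule exception for UserAgentShort. The regular expression is the one from Table 2-2. The page writes two subnets as 10.242.0/24 and 10.243.0/24; the example spells them out as 10.242.0.0/24 and 10.243.0.0/24, which is an assumption, as is treating any matching entry as suppressing the detection. The event field names beyond the two SEF attributes on the page, and the sample events, are constructed.

```python
"""Whitelist (rule exception) matching for the three Format types, applied as
an exception to UserAgentShort. Added example, not SMA code. The regex value is
the page's; the page writes two subnets as 10.242.0/24 and 10.243.0/24, which
this example spells out as 10.242.0.0/24 and 10.243.0.0/24 (an assumption).
Treating any matching entry as suppressing the detection is also an assumption."""
import ipaddress
import re

MAX_VALUES_PER_ENTRY = 20   # up to twenty comma-separated, unique values per entry
MAX_WHITELISTS = 5          # maximum whitelists allowed per rule


class WhitelistEntry:
    def __init__(self, attribute, fmt, values):
        items = [v.strip() for v in values.split(",")]
        if len(items) > MAX_VALUES_PER_ENTRY or len(items) != len(set(items)):
            raise ValueError("at most 20 unique values per entry")
        self.attribute, self.fmt = attribute, fmt
        if fmt == "regex":
            self.matchers = [re.compile(v) for v in items]
        elif fmt == "cidr":
            self.matchers = [ipaddress.ip_network(v, strict=False) for v in items]
        elif fmt == "literal":
            self.matchers = items
        else:
            raise ValueError(f"unknown format {fmt!r}")

    def matches(self, event):
        """True if the event's attribute matches any value (values are OR'ed)."""
        value = event.get(self.attribute)
        if value is None:
            return False
        if self.fmt == "regex":
            return any(m.search(value) for m in self.matchers)
        if self.fmt == "cidr":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                return False  # attribute is not an IP address: no CIDR match
            return any(addr in net for net in self.matchers)
        return value in self.matchers


def user_agent_short(event, minimum_length=40):
    """The rule's default logic: HTTP(S) and 1 < StrLen(UA) < Minimum Length."""
    ua = event.get("sefActorEPProgramName", "")
    return (event.get("sefTransportProtocol") in ("http", "https")
            and 1 < len(ua) < minimum_length)


def detect_with_exceptions(whitelists, events):
    """Events that trigger UserAgentShort and match no whitelist entry."""
    if len(whitelists) > MAX_WHITELISTS:
        raise ValueError("at most 5 whitelists per rule")
    return [e for e in events
            if user_agent_short(e) and not any(w.matches(e) for w in whitelists)]


WHITELISTS = [
    WhitelistEntry("sefActorEPProgramName", "regex", r"^soc@example.com 555-1212 ticket:[0-9]{6}"),
    WhitelistEntry("sefActorEPNwAddress", "cidr", "10.242.0.0/24, 10.243.0.0/24, 10.23.100.0/22"),
]


def _ev(ua, addr, proto="http"):
    return {"sefTransportProtocol": proto, "sefActorEPProgramName": ua, "sefActorEPNwAddress": addr}


SAMPLE_EVENTS = [  # constructed
    _ev("soc@example.com 555-1212 ticket:123456", "192.0.2.10"),  # UA whitelisted by regex
    _ev("curl/7.1", "10.242.0.15"),                                # source in a whitelisted subnet
    _ev("curl/7.1", "203.0.113.9"),                                # short UA, no exception applies
    _ev("soc@example.com 555-1212 ticket:12", "203.0.113.9"),     # ticket has 2 digits, regex needs 6
    _ev("Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0", "203.0.113.9"),
]

if __name__ == "__main__":
    for e in detect_with_exceptions(WHITELISTS, SAMPLE_EVENTS):
        print(e["sefActorEPNwAddress"], e["sefActorEPProgramName"])
```

The fourth event shows why the regular expression should be as specific as the scanner's convention allows: a string that merely resembles the authorized pattern is still detected, so the exception covers only the traffic the team actually sanctioned.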