Fine-tune Event Detection
Fine-tuning correlation rules takes into account the ongoing changes in your IT environment.
Security Correlation Rule System
SMA's Correlation Rule Engine comes with a correlation rule system right out of the box.
Category | Description |
---|---|
Account | Account rules identify account management related threats |
Authentication | Authentication rules are related to authentication activities |
Availability | Availability rules identify the availability stature of applications, hosts and devices |
Data | Data rules identify data and metadata related threats |
Endpoint | Endpoint rules identify threats against endpoints |
Network | Network rules are related to network activities |
Account
Account rules identify account management related threats.
- LocalAccountCreation: An account creation event is detected on an endpoint.
- MultipleAccountCreation: Multiple (3 or more) accounts are created by the same user within a 5-minute interval.
- MultipleAccountModification: Multiple (3 or more) accounts are modified within a 5-minute interval.
Authentication
Authentication rules are related to authentication activities.
- BruteForceAttack: Five or more failed login events are followed by a successful login on the same endpoint, associated with the same user account, within 60 seconds.
- BruteForceAttackLinux: 5 or more failed login events are followed by a successful login on the same Linux host, associated with the same user account, within an interval of 60 seconds.
- DefaultAccountLogin: A login event associated with a default account is detected. This rule only applies to Oracle Database events.
- DirectRootLogin: A root login event is detected on an endpoint.
- MultipleFailedLogin: Detects multiple failed login events on 5 or more distinct accounts on the same endpoint within 60 seconds.
- MultipleFailedSu: Five or more failed su (to root) attempts are detected on the same endpoint within 180 seconds.
- MultipleFailedSudo: Five or more failed sudo events initiated by the same account within 180 seconds are detected.
- SuspiciousSuLogin: Two or more failed su (to root) attempts are followed by a successful su (to root) on the same endpoint within a time interval of 180 seconds.
- TargetedAccountAttack: 5 or more failed login events associated with the same user account are detected within an interval of 60 seconds across single or multiple endpoints.
- TargetedAccountAttackLinux: 5 or more failed login events associated with the same user account are detected within an interval of 60 seconds across single or multiple Linux hosts.
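Several of the authentication rules above share one shape: a run of failures for the same endpoint and account, followed by a success, inside a sliding time window. The sketch below is an added example, not SMA's engine or its rule language; it implements that shape with the BruteForceAttack thresholds (5 failures, 60 seconds) and shows that SuspiciousSuLogin is the same logic with threshold 2 and window 180. The event tuples and the host and account names are constructed.

```python
from collections import defaultdict, deque

# Constructed sample login events (not from the page): (seconds, endpoint, account, outcome)
SAMPLE_LOGINS = [
    (0, "host-a", "alice", "failure"),
    (10, "host-a", "alice", "failure"),
    (20, "host-a", "alice", "failure"),
    (30, "host-a", "alice", "failure"),
    (40, "host-a", "alice", "failure"),
    (50, "host-a", "alice", "success"),    # five failures then a success inside 60 s
    (0, "host-b", "bob", "failure"),
    (70, "host-b", "bob", "failure"),
    (140, "host-b", "bob", "failure"),
    (210, "host-b", "bob", "failure"),
    (280, "host-b", "bob", "failure"),
    (290, "host-b", "bob", "success"),     # same count, but spread over 290 s
]


def failed_then_success(events, rule="BruteForceAttack", threshold=5, window=60):
    """Correlate failures followed by a success per (endpoint, account).

    An alert fires when a success arrives and at least `threshold` failures for
    the same key fall within the last `window` seconds. BruteForceAttack is
    threshold=5, window=60; SuspiciousSuLogin has the same shape with
    threshold=2, window=180 (applied to su-to-root events instead of logins).
    """
    recent_failures = defaultdict(deque)  # (endpoint, account) -> failure timestamps
    alerts = []
    for ts, endpoint, account, outcome in sorted(events, key=lambda e: e[0]):
        window_q = recent_failures[(endpoint, account)]
        # Expire failures that have fallen out of the sliding window.
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        if outcome == "failure":
            window_q.append(ts)
        elif outcome == "success":
            if len(window_q) >= threshold:
                alerts.append({"rule": rule, "endpoint": endpoint, "account": account,
                               "time": ts, "failures": len(window_q)})
            window_q.clear()  # a success ends the run; counting starts afresh
    return alerts


if __name__ == "__main__":
    for alert in failed_then_success(SAMPLE_LOGINS):
        print(alert)
```

Loosening the window or threshold is exactly the kind of parameter tuning the rest of this page describes; the second host shows why the window matters, since five failures alone are not enough.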
Availability
Availability rules identify availability stature of applications, hosts and devices.
- PlatformInstability: A series of firewall messages that show potential firewall stability issues.
- TrafficJam: Firewall messages that show new connections aren't being accepted because the TCP syslog server can't be reached.
- TranslationTableFull: A series of firewall messages that show that the translation table is full. Traffic will be dropped. This could be a misconfiguration, a capacity issue, or the sign of an attack.
Data
Data rules identify data and metadata related threats.
- DataDictionaryCopy: A copy operation is detected on certain sensitive data dictionary objects. This rule only applies to Oracle Database events.
- DataDictionarySynonym: Synonym creation is detected on certain sensitive data dictionary objects. This rule only applies to Oracle Database events.
- WLSBackdoor: An event that shows the successful upload of known backdoor JSP code.
Endpoint
Endpoint rules identify threats against endpoints.
- CASBRiskIndicator: Checks for CASB policy violations.
Network
Network rules are related to network activities.
- BrowserCoinMiner: Detects communication to potential sites related to browser hijacking for cryptocurrency mining.
- DeniedZoneTransfer: Possible DNS reconnaissance through an attempted zone transfer.
- ExternalIPDiscovery: Detects connection attempts to domains that can be used by malware to discover the external IP address of a network for profiling purposes.
- FirewallADDrop: A series of firewall messages that show traffic being dropped to Microsoft Domain Controllers.
- FirewallSiemDrop: A series of firewall messages that show traffic being dropped to or from the vulnerability assessment scanners.
- FirewallVaDrop: A series of firewall messages that show traffic being dropped to or from the vulnerability assessment scanners.
- HorizontalPortScan: Network communication, originating from the same source IP, is detected on the same port on 10 or more distinct destination IPs within 60 seconds.
- PingSweep: ICMP messages, originating from the same source IP, are detected on 20 or more destination IPs within 60 seconds.
- PossibleFirewallRouteIssue: A series of firewall messages that show potential routing issues with the firewall. This can be indicative of a misconfiguration, a potential attack, or a general network issue.
- PossibleSynFlood: A series of firewall messages that show potential firewall stability issues.
- PTRRecon: DNS reconnaissance activity where the DNS client performs 5 distinct reverse record lookups (PTR) in a 30-second window.
- PunyCodeDomain: Detects international domain names that can't be displayed in ASCII. Domains in scripts such as Cyrillic, Japanese, or Farsi require the Punycode algorithm to convert them into an ASCII form that DNS is able to support.
- SIDScan: SID reconnaissance activity where the client performs five distinct SID connection attempts within 60 seconds.
- SuspectedAPT: Destination traffic matches any entry in the following watch lists: omc_apt_ip, omc_apt_domain, omc_apt_url.
- SuspectedMalware: Destination traffic matches any entry in the following watch lists: omc_malware_ip, omc_malware_domain, omc_malware_url.
- SuspectedRansomware: Destination traffic matches any entry in the following watch lists: omc_ransomware_ip, omc_ransomware_domain, omc_ransomware_url.
- SuspectedTOR: Detects traffic elements that indicate possible connection attempts to TOR and other anonymization networks.
- SuspiciousNetworkTraffic: Destination traffic matches any entry in the following watch lists: omc_suspicious_ip, omc_suspicious_domain, omc_suspicious_url.
- TooManyConnection: A series of firewall messages that show too many connections to an address translation. This could be a misconfiguration, a capacity issue, or a sign of an attack.
- URLShorteningService: Tags logs where network traffic is attempted to a URL shortened with a known URL shortening service. Triggered when internet traffic to a known URL shortening service is detected.
- UserAgentNull: Suspicious proxy activity where no User Agent is passed to the proxy. This is atypical behavior and should be investigated. Note: this rule is turned off by default.
- UserAgentShort: Detects HTTP traffic with a user agent string less than 40 characters.
- VerticalPortScan: Network communication, originating from the same source IP, is detected on 20 or more distinct ports on the same destination within 60 seconds.
Note:
To fine-tune out-of-the-box correlation rules, see Tuning Rule Specs by Editing Its Parameters.
Tuning Rule Specs by Editing Its Parameters
The first action item in event detection is to fine-tune your correlation rules by customizing their rule logic through parameter manipulation. Rule tuning is essential in order to take into account day-to-day changes in your environment.
Task scope:
This task uses an example in which the user adjusts the parameters available within a rule to tune it for their network. The Minimum Length parameter holds a string-length value that is compared against the user agent string in the associated SEF field.
Task results:
- You tune the UserAgentShort correlation rule by adjusting the Minimum Length parameter value.
- Security Monitoring and Analytics increments the corresponding version number by one, saves it, and enables it by default.
Putting it in context of a real-world scenario
"Your security team may use a custom user agent string to identify authorized network scanning activity, using the following pattern: vuln scan soc@example.com ticket:<6 digit incrementing value>. As we can see from the rule specification (see table below), the rule is triggered by user agent strings of less than 40 characters by default. This custom user agent is only 39 characters and would trigger the rule whenever scanning was done, generating false positive events."
Table 2-1 Example Details
Item | Details |
---|---|
Out-of-the-Box Correlation Rule: | UserAgentShort |
Parameterizing attribute: | Minimum Length |
SEF expression: | Pattern for UserAgentShort (SYSTEM.SEF as Event) where Event.sefTransportProtocol IN ("http", "https") AND StrLen(Event.sefActorEPProgramName) > 1 AND StrLen(Event.sefActorEPProgramName) < 40 compute ( UserAgentShort.tags = "risk.indicator", UserAgentShort.riskLevel = 1) |
Rule description in plain English: | Detects HTTP traffic with a user agent string less than 40 characters. |
Tuning Rule Exceptions by Whitelisting Rule Attributes
To prevent a correlation rule from triggering, or an event from being detected, you implement rule exceptions by whitelisting the associated SEF attributes. Each whitelist entry has three parts:
- Attribute: the SEF field the entry is matched against.
- Format: the type of matching performed (literal, regular expression, or CIDR notation).
- Values: the items being whitelisted.
Note:
Each whitelist entry can contain up to twenty comma-separated, unique values.
As part of this task, you perform a whitelisting example in which you tune the UserAgentShort rule by whitelisting user agent strings known to be used on your network for legitimate purposes.
Table 2-2 Required values for this example include:
SEF field | Element Details |
---|---|
sefActorEPProgramName | Whitelist specific user agents to a tighter scope than the one defined in the rule. |
sefActorEPNwAddress | Whitelist the network attribute that contains each subnet being filtered out. |
- From Oracle Management Cloud's home page, go to Security Monitoring and Analytics, Security Admin, and select Correlation Rules.
- Expand the rule set Network and select UserAgentShort.
- To add an expression for sefActorEPProgramName, click the Add button under Whitelists.
- Begin typing sefActorEPProgramName in the Attribute field.
- Select Regular Expression under Format.
- Then enter a regular expression in the Value field, such as ^soc@example.com 555-1212 ticket:[0-9]{6}.
- To add an expression for sefActorEPNwAddress, click the Add button once again.
- Begin typing sefActorEPNwAddress in the Attribute field.
- Select CIDR under Format.
- Enter each subnet as a comma-separated value in the Value field, such as 10.242.0/24, 10.243.0/24, 10.23.100.0/22.
Note:
- All values are treated as an "OR" condition.
- Maximum whitelists allowed: 5.
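To see how the Minimum Length parameter (Table 2-1) and the two whitelist entries (Table 2-2) combine, the following is an added example that re-implements the UserAgentShort SEF expression and the whitelist semantics in Python; it is not SMA code and does not use its rule language. The SEF field names come from the page; the sample events, the regex and the CIDR ranges are constructed (the regex follows the scenario's vuln scan soc@example.com ticket:<6 digits> pattern, and the subnets are hypothetical full CIDR values).

```python
import ipaddress
import re

# Constructed sample SEF events (not from the page), using the page's field names.
_FIELDS = ("sefTransportProtocol", "sefActorEPProgramName", "sefActorEPNwAddress")
SAMPLE_EVENTS = [dict(zip(_FIELDS, e)) for e in [
    ("http", "curl/8.4.0", "192.0.2.10"),                                # short UA, should alert
    ("https", "vuln scan soc@example.com ticket:123456", "192.0.2.11"),  # 39 chars, authorised scanner
    ("https", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101", "192.0.2.12"),  # long UA
    ("http", "probe-7", "10.23.100.7"),                                  # short UA from a whitelisted subnet
    ("http", "x", "192.0.2.13"),                                         # fails StrLen > 1
    ("dns", "short", "192.0.2.14"),                                      # not http/https
]]

# Whitelist entries (attribute, format, values): hypothetical values modelled on the page's example.
WHITELISTS = [
    ("sefActorEPProgramName", "regex", [r"^vuln scan soc@example\.com ticket:[0-9]{6}$"]),
    ("sefActorEPNwAddress", "cidr", ["10.242.0.0/24", "10.243.0.0/24", "10.23.100.0/22"]),
]


def matches(fmt, pattern, value):
    """One whitelist value against one event attribute: literal, regex or CIDR."""
    if fmt == "cidr":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # attribute is not an IP address
            return False
    return value == pattern if fmt == "literal" else re.search(pattern, value) is not None


def is_whitelisted(event, whitelists):
    """Entries are OR'ed (see the page's note): any value in any entry exempts the event."""
    assert len(whitelists) <= 5 and all(len(v) <= 20 for _, _, v in whitelists)
    return any(matches(fmt, v, event.get(attr, ""))
               for attr, fmt, values in whitelists for v in values)


def user_agent_short(events, minimum_length=40, whitelists=WHITELISTS):
    """UserAgentShort pattern with Minimum Length as the tuned parameter (default 40)."""
    alerts = []
    for ev in events:
        ua = ev.get("sefActorEPProgramName", "")
        hit = ev.get("sefTransportProtocol") in ("http", "https") and 1 < len(ua) < minimum_length
        if hit and not is_whitelisted(ev, whitelists):
            alerts.append({"tags": "risk.indicator", "riskLevel": 1,
                           "userAgent": ua, "source": ev.get("sefActorEPNwAddress")})
    return alerts
```

Calling user_agent_short(SAMPLE_EVENTS, whitelists=[]) shows the false positives the scenario describes, while the default call suppresses the scanner and the whitelisted subnet without lowering the threshold for everyone else.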