3 Investigating and Analyzing Threats Based on Correlation Rule

With Oracle Security Monitoring and Analytics, you can investigate unusual user activity, and analyze threats and anomalies found throughout your enterprise.

Investigate and Analyze Threats in Response to an Alert Notification

You can investigate and analyze threats starting with an alert notification.

For example, you receive an alert notification letting you know that there was a threat, and it was flagged with a risk level of medium. This alert occurred because it exceeded the risk level threshold that you configured in the alert rules. Based on the content of the email, you know general information, such as the threat ID, type of threat (for example, TargetedAccountAttack), severity level, and the time stamp of the occurrence.

Note that you must configure alert rules first. For details, see Create a Security Alert Rule.

Investigating Threats Detected by Correlation Rule

After you receive the alert notification, you want to identify and learn more about the threat details related to the user activity. You want to find out the nature of the threat, the threat category it falls under, how many users were involved, and so on.

  1. In the Threat Details page, copy and paste the threat ID from the email into the ID filter field, and click Apply.

    The Description column in the Threat Details table shows the correlation rule that detected this threat. For a full list of correlation rules and their definitions, see Security Correlation Rule System.

    Note that in this example, the threat was detected by the correlation rule TargetedAccountAttack; the category is infiltration; and it’s composed of 8 activities.

  2. To find out if this threat activity was based on one or multiple users, click the item number in the Activities column.
    To help you with your investigation, the Activity Explorer page includes two interactive charts and one table.
  3. To view all the activity events within this threat, use the Activity Timeline chart. To get details about threat events, use the Threat Timeline.
    1. To focus on specific sections of the timeline, use the Zoom In/Out buttons (toward the left side of the chart), or adjust the Time Selector to show a narrower time range.
    2. By default, the Selected Threats button is active. If you want to include all other typical security events during this time range, click the All Activities button.

    You can investigate event activity by selecting the solid circles, grouped by category, in the Activity Timeline chart, and by referring to the Activity Details table for deeper context.

  4. To show Activity Details for the user associated with one activity event only, click any solid circle while the Selected Threats button is active. You can also select multiple activity events (solid circles): click anywhere on the chart to start a rectangular selection, and click again to close it. The table refreshes to show only the details that pertain to your selection. Click anywhere on the graph to deselect activity events.
    Now you know what users were involved, and the type of activity events that make up this threat.

These investigation steps quickly uncovered the following details:

  • Asset finance1.host.oracle.com was affected.

  • A single user was involved.

  • The duration of the threat was approximately 6 seconds.

  • This threat is categorized as infiltration.

  • It was generated because of multiple failed account logins (according to the correlation rule TargetedAccountAttack).

Investigating and Analyzing Users Associated with Threats

After you collect security details about the threat, you can start investigating and analyzing the associated users.

You proceed with your investigation by collecting more security-based details about this group of users. After completing this task, you’ll be able to identify which users are involved and what organizations they belong to, understand their unusual activity patterns and associations with other threats or anomalies, and so on.

It’s assumed that you know (from the notification email):

  • Threat ID

  • Time of occurrence

  1. In the Threat Dashboard page, click the View List button, copy and paste the threat ID from the email into the ID filter field, and click Apply.
  2. To get a list of the users involved, click the threat ID shown in the Threat Details table.
    To help you with your investigation, the Activity Explorer page includes a table with threat details, enabling you to drill down further.
  3. To see the user details, click a User from the Activity Details table.
  4. From the User Details page, you can get general user information, and you can cycle through its tabs to learn about:
    • Summary — data related to threats and risky assets

    • Threats — associated with this user

    • Assets — affected by threats associated with this user

    • Accounts — that belong to this user, including associated threats per account

    • Roles — assigned to this user

    • Groups — that this user belongs to

  5. To learn details about other users associated with this threat, repeat Step 3.

Isolate Risky Users Associated with Threats

You can analyze user activity by isolating users based on criteria required by your particular investigation or type of analysis.

For example, after receiving a notification email and learning more about the threat detected, you want to find out if this user (or users) is on the Top Risky Users list. Then, you want to gather a list of users based on the organization that contains the most risky users, and, within this organization, generate a list of users (and identify the asset) that were part of the highest threat attack on a single asset.

To quickly find the top 5 risky users, look at the Top Risky Users By Threats tile in the Users dashboard.

The Risky Users By Organization pie chart is made up of slices that represent the top affected user organizations based on the number of risky users. You also learn that the user from the notification email is part of the top risky users by looking at the Top Risky Users By Threats tile.

  1. To start filtering data, click the pie slice that represents the marketing department in the Risky Users By Organization chart.

    The users dashboard updates, and shows data that pertains to the selected user’s organization only.

  2. To see the full list of risky users within the selected organization, click the risky users number in the Risky Users Summary tile. Alternatively, click the List View icon in the top-right corner under the Time Selector.
    The Users page includes two charts and a table:
    • Threats By Top Risky Users histogram — shows threat activity. Bar segments represent activity by each risky user. You can click any segment to apply a filtering layer and have the entire page show data that pertains to the selected user only.

    • Threats By All Risky Users histogram — shows a visual representation of threats. It starts with the selected Risky Users (bar fill-in), and each bar has an outline that represents the other (additional) risky users. Overall, a bar represents the total number of risky users at a given time period.

    • Risky User Summary table — based on your filtering criteria (selected users versus one user). The table includes key information such as:

      • User Name — takes you to the User Details page, where you can get information such as asset and threat associations and a summary of user activity.

      • Threats — takes you to the Threats page, where you can learn about all the threats associated with this user.

  3. To view the data about a particular user, click any bar segment in the Threats By Top Risky Users chart.
    The Threats By Top Risky Users chart now shows more detailed data that pertains to this user only. The Threats By All Risky Users chart highlights the selected user and includes the threat activity from other users.
  4. To go back to the initial group of users, remove the Filter Term that starts with “User Name=”.
  5. To go back to the dashboard view, click the Graphical View icon in the top-right corner under the Time Selector.
  6. To view data based on these users and the most risky asset, click the bar with the highest number of threats found in the Top Risky Asset By Threats tile.
    The entire dashboard gets updated, representing data based on your filtering criteria.
  7. Now, you can use the information in the Users Summary tile to:
    • Get asset information such as threat and user associations.

    • See a list of users and conduct further data manipulation.

    • See a list of threats associated with this group of users and the selected asset.

Isolate Assets Associated with Threats

You can investigate asset activity and analyze assets by isolating affected assets.

For example, after receiving a notification email and learning more about the threat detected, you want to find out if these assets are part of the Top Risky Assets list. You also want to gather a list of individual assets based on the asset type that had the highest number of threat attacks, or you want to generate a list of individual threats that made up the highest number of threat attacks on assets grouped by asset type (for example, asset type Linux Servers).

In the Assets dashboard, you can quickly find the top 5 risky assets in the Top Risky Assets By Threats tile.

  1. To start narrowing down on the threat attacks, click the largest pie slice in the Risky Assets By Asset Type chart.

    The dashboard refreshes and shows data that pertains to risky assets according to your latest selection. Now, you can learn the top threat categories distributed among the risky assets within the selected asset type (for example, asset type host). The Threats by Asset Type tile shows the total number of threats associated with the asset type host.

  2. To see the Risky Assets list, either select the number from the Assets mini tile, or click the List View icon in the top-right corner under the Time Selector.
  3. To generate a list of threats associated with the largest affected asset type, remove the filter element in the filter bar, and then click the largest pie slice in the Threats By Asset Type chart. Alternatively, click the Remove (X) icon.
  4. To see the full Threats list for each asset within the selected category, click the threats number in the Risky Asset Summary table.
  5. You can break down your Threats list further by adding the following filtering layers: in the Destination and User filter fields, add the asset name and user name (for example, Destination=finance1.host.oracle.com and User=John_Doe@oracle.com).

    Now, the list only shows threats associated with the specified asset and user.

This is one of many drilldowns that Security Monitoring and Analytics enables you to perform during your security-based investigations. Here, you started analyzing data by filtering data that only pertains to the asset type most affected by threats. You then applied additional threat filters to refine your list based on an asset and user (both within the most affected asset type list). You can continue your investigation and analysis by applying more drilldowns, and gather details, such as what threat associations the asset and the user have in common, and what unusual activity was monitored and logged over a period of time for each, individually.
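The following Python example, added here and not part of Oracle's product code, illustrates two things this chapter walks through in the UI: how a correlation rule of the TargetedAccountAttack kind turns a burst of failed logins into a threat record carrying the fields summarised earlier (category, users involved, number of activities, duration), and how the Destination= and User= filter terms from the last procedure narrow the resulting threat list. The sample events, the failure threshold of 5 and the 30-second window are constructed assumptions for illustration, not SMA's actual rule definition.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events (not real SMA data): one user fails to log in to
# finance1.host.oracle.com eight times within six seconds, plus unrelated noise.
_FAIL_OFFSETS = [0, 1, 2, 2, 3, 4, 5, 6]
SAMPLE_EVENTS = [
    (f"2024-01-01T10:00:{s:02d}", "John_Doe@oracle.com", "finance1.host.oracle.com", "login_failure")
    for s in _FAIL_OFFSETS
] + [
    ("2024-01-01T10:00:03", "John_Doe@oracle.com", "finance1.host.oracle.com", "login_success"),
    ("2024-01-01T10:05:00", "alice@oracle.com", "hr2.host.oracle.com", "login_failure"),
    ("2024-01-01T10:05:30", "alice@oracle.com", "hr2.host.oracle.com", "login_failure"),
]


def correlate_targeted_account_attack(events, threshold=5, window=timedelta(seconds=30)):
    """Group login failures per destination asset and flag a threat when at least
    `threshold` failures fall within `window` (both values are assumed, illustrative
    parameters). Each threat carries the fields the Threat Details page summarises."""
    by_dest = defaultdict(list)
    for ts, user, dest, outcome in events:
        if outcome == "login_failure":
            by_dest[dest].append((datetime.fromisoformat(ts), user))
    threats = []
    for dest, fails in sorted(by_dest.items()):
        fails.sort()
        i = 0
        while i < len(fails):
            j = i  # extend the run while failures stay within the window of fails[i]
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            run = fails[i:j + 1]
            if len(run) >= threshold:
                threats.append({"rule": "TargetedAccountAttack", "category": "infiltration",
                                "destination": dest, "users": sorted({u for _, u in run}),
                                "activities": len(run),
                                "duration_seconds": (run[-1][0] - run[0][0]).total_seconds()})
                i = j + 1  # the whole burst is one threat; do not double-count it
            else:
                i += 1
    return threats


def apply_filter_terms(threats, *terms):
    """Mimic the filter bar: accepts 'Destination=<asset>' and 'User=<name>' terms."""
    wanted = dict(t.split("=", 1) for t in terms)
    return [t for t in threats
            if ("Destination" not in wanted or t["destination"] == wanted["Destination"])
            and ("User" not in wanted or wanted["User"] in t["users"])]
```

Running `correlate_targeted_account_attack(SAMPLE_EVENTS)` yields a single infiltration threat on finance1.host.oracle.com with one user, 8 activities and a 6-second duration, matching the details uncovered in the first procedure; the two isolated failures on hr2.host.oracle.com stay below the assumed threshold.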