Improve Security Visibility with AlienVault USM Correlation Directives
TRANSCRIPT
Agenda
A review of the built-in Correlation Directives from AlienVault Labs
How to write your own correlation directives based on events from one or more sources
How to turn correlation information into actionable alarms
How to use correlations to enforce your security policies
Logical Correlation
New events are generated using the information provided by detectors and monitors. Logical correlation is configured using correlation directives. New events will have new priority and reliability values. Directives are defined through logical trees, in which the horizontal axis defines an OR operation and the vertical one defines an AND operation.
Diagram: a correlation tree with node 1 at correlation level 1, nodes 2a and 2b at correlation level 2, and nodes 3a, 3b, 3c and 3d at correlation level 3.
Logical Correlation
Directives Examples
Configuration > Threat Intelligence > Directives
Alarms
Alarms are special events that may depend on other events. Alarms require investigation and remediation.
Analysis> Alarms
An overview of alarms per type, frequency, and time.
A list of alarms.
Toggle search. Specify search filter.
Alarm intent.
Time window.
Select time window and intent.
Search and Filter
Utilize search if interested in specific alarms. Alternatively, click a blue circle to see alarms with a specific intent and within a specific time window.
Sort alarms.
Alarm with OTX feed.
Click alarm to see more information.
Alarm is still being correlated.
Close or delete alarm if false positive.
Alarms List
Pay attention to alarms with OTX data. Sort alarms by risk and examine the high risk alarms first. Alarms that are still being correlated cannot be edited.
Examine source(s) and destination(s). Directive event.
Individual event that triggered directive event.
Click an event to see details.
Read the knowledge base.
Correlation level.
Examine Alarm Details
Examine details about the alarm.
Normalized event information.
SIEM information.
Read the knowledge base.
Examine the offending packet.
Examine Event Details
Customizing correlation directives
Clone directive. Delete directive. Edit directive. Disable directive.
Logical Correlation
Logical correlation uses correlation directives to detect attacks. By default, AlienVault USM includes more than 2,100 built-in directives. Users can customize existing directives or create custom ones. Directives can be edited or created in the graphical editor or by editing XML files.
Global Properties
Correlation Directives
<directive id="28012" name="AV Network attack, too many dropped inbound packets from DST_IP" priority="2">
Name of the directive, which becomes the name of the generated event/alert.
ID of the directive:
• All correlation events have 1505 as plugin ID
• Event type ID is the ID of the directive
• Reserved range for user-defined directives (500,000-1,000,000)
Priority of the directive (impact of this attack in your network):
• All events generated within this directive will have priority set to the global priority value of the correlation directive
Correlation Rules
Correlation Directives (Cont.)
Correlation directives are composed of multiple rules. Rules define conditions to match incoming events. When a condition is met:
• If this is the last level of the directive, then create a new event.
• If there are further levels, wait for more incoming events.
Add rule. Clone rule. Delete rule. Change level of a rule.
Correlation Process
Incoming events are matched by started directives first. If the events do not match started directives, they will be matched against all other directives. Events can be correlated by several directives. Attributes in a rule can be sticky or sticky different.
Diagram (DST_PORT STICKY): one server connecting to several servers, each event with destination port 80, results in a single directive event.
Diagram (DST_PORT STICKY DIFFERENT): one server connecting to several servers on destination ports 22, 23, 25, 53, 80 and 443 results in a single directive event.
Example: Denial of Service Attack
Create Custom Correlation Directive
Many connections from a single host (with a bad reputation) may indicate a DoS attack attempt. Firewall events (detector data source) can be checked for connections. A monitor data source can be used to verify if the service is still up after a suspected attack.
Correlation level 1: 1 ACCEPT event from the firewall, port 139, source A.
Correlation level 2: 100 ACCEPT events from the firewall, port 139, source A.
Correlation level 3: 1000 ACCEPT events from the firewall, port 139, source A.
Correlation level 4: Is the service still up?
Configuration Tasks
Create Custom Correlation Directive (Cont.)
1. Create a new directive.
2. Create a correlation level 1 rule.
3. Create a subsequent correlation rule.
4. Repeat Task 3 until you have configured all correlation rules.
5. Restart the server.
Specify directive properties.
Create new Directive.
Task 1: Create New Directive
Create Custom Correlation Directive (Cont.)
Configuration > Threat Intelligence > Directives
Task 2: Create Correlation Level 1 Rule
Create Custom Correlation Directive (Cont.)
Specify rule name, data source plugin and event type ID(s). Only detector data sources can be used in the first correlation level.
Task 2: Create Correlation Level 1 Rule (Cont.)
Create Custom Correlation Directive (Cont.)
Specify source and destination IP address(es). Specify source and destination ports. Optionally include OTX data. Select rule reliability.
Set reliability as absolute or relative value.
Inherit settings from parent rule.
Add child rule.
Task 3: Create Correlation Level 2 Rule
Create Custom Correlation Directive (Cont.)
The process of adding the second rule is similar to adding the first one. There is an option to inherit source and destination IP addresses and ports from a parent rule.
Task 3: Create Correlation Level 2 Rule (Cont.)
Create Custom Correlation Directive (Cont.)
Timeout and occurrence values have to be edited after adding the rule.
Click the value to edit it.
Task 4: Create Correlation Level 3 Rule
Create Custom Correlation Directive (Cont.)
The process of adding a level 3 rule is the same as adding a level 2 rule. Increase the reliability of an event when more occurrences are detected.
Task 5: Create Correlation Level 4 Rule
Create Custom Correlation Directive (Cont.)
Add a monitor data source plugin to verify if the service is still up. Other steps are the same as in the previous tasks.
Add child rule.
Inherit settings from parent rule.
Task 5: Create Correlation Level 4 Rule (Cont.)
Create Custom Correlation Directive (Cont.)
Timeout and occurrence values have different meanings in monitor rules.
Click the value to edit it.
Task 6: Restart Server
Create Custom Correlation Directive (Cont.)
Changes are applied by restarting the server. Restarting the server stops the correlation process.
Restart server.
Resulting XML File
Create Custom Correlation Directive (Cont.)
<directive id="500003" name="DoS attack to NetBIOS" priority="2">
  <rule type="detector" name="Established connections" from="ANY" to="10.177.76.249"
        port_from="ANY" port_to="139" from_rep="true" from_rep_min_pri="3" from_rep_min_rel="3"
        reliability="0" occurrence="1" plugin_id="1636" plugin_sid="106102">
    <rules>
      <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP"
            port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="100" time_out="30"
            plugin_id="1636" plugin_sid="1:PLUGIN_SID">
        <rules>
          <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP"
                port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="1000" time_out="30"
                plugin_id="1636" plugin_sid="1:PLUGIN_SID">
            <rules>
              <rule type="monitor" name="Service up" from="1:SRC_IP" to="1:DST_IP"
                    port_from="ANY" port_to="1:DST_PORT" reliability="+6" occurrence="1" time_out="1"
                    plugin_id="2008" plugin_sid="2"/>
            </rules>
          </rule>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>
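Added example, not AlienVault's code or part of the deck: a small Python linter for a directive in the XML format shown above. It checks the rules the deck states (user-defined IDs in 500,000-1,000,000, a detector rule at level 1, "N:FIELD" references only to earlier levels) and accumulates the relative reliability values down each branch; it assumes, as "relative" is read here, that a "+N" reliability is added to the reliability of the previous level's event.

```python
"""Lint a USM/OSSIM correlation directive (added example, not AlienVault code): user IDs in
500000-1000000, detector at level 1, "N:FIELD" refs to earlier levels, final reliability."""
import re
import xml.etree.ElementTree as ET
# Constructed sample based on the deck's "DoS attack to NetBIOS" directive, cut to three
# levels. Plugin 1636 is the firewall detector, 2008 the availability monitor plugin.
SAMPLE = """<directive id="500003" name="DoS attack to NetBIOS" priority="2">
 <rule type="detector" name="Established connections" from="ANY" to="10.177.76.249"
       port_to="139" reliability="0" occurrence="1" plugin_id="1636" plugin_sid="106102">
  <rules>
   <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP"
         port_to="1:DST_PORT" reliability="+2" occurrence="100" time_out="30"
         plugin_id="1636" plugin_sid="1:PLUGIN_SID">
    <rules>
     <rule type="monitor" name="Service up" from="1:SRC_IP" to="1:DST_IP"
           port_to="1:DST_PORT" reliability="+6" occurrence="1" time_out="1"
           plugin_id="2008" plugin_sid="2"/>
    </rules>
   </rule>
  </rules>
 </rule>
</directive>"""
REF = re.compile(r"^(\d+):[A-Z_]+$")  # "1:SRC_IP" = take the value from the level 1 event

def lint_directive(xml_text):
    """Return (problems, final_reliabilities), one reliability per leaf rule."""
    root = ET.fromstring(xml_text)
    problems, finals = [], []
    did = int(root.get("id", "0"))
    if not 500000 <= did <= 1000000:
        problems.append(f"directive id {did} outside user range 500000-1000000")

    def walk(rule, level, rel):
        if level == 1 and rule.get("type") != "detector":
            problems.append("level 1 rule must be a detector rule")
        for attr, val in rule.attrib.items():
            m = REF.match(val)
            if m and not 1 <= int(m.group(1)) < level:
                problems.append(f"level {level} {attr}={val} refers to a non-parent level")
        r = rule.get("reliability", "0")
        rel = rel + int(r) if r[0] in "+-" else int(r)  # "+N" is relative, "N" absolute
        children = rule.findall("rules/rule")
        if not children:
            finals.append(rel)  # reliability the directive event carries at this leaf
        for child in children:
            walk(child, level + 1, rel)

    for top in root.findall("rule"):
        walk(top, 1, 0)
    return problems, finals
```

Run it against your own exported directive XML before restarting the server; for the sample above it reports no problems and a final reliability of 8 (0, then +2, then +6).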
Best Practices
Create Custom Correlation Directive (Cont.)
Directives should not always generate alarms.
• Use reasonable priority and reliability values to ease incident management.
Use the existing directives to:
• Learn how directives are configured
• Adapt them to your environment and needs
Look for multiple types of events:
• Bad authentication types
• Discarded packets due to different violations
USM Sizing Examples
• Single location with less than 1000 EPS
• Multiple locations with less than 2500 EPS
• Enterprise deployment: many locations, with Logger
Weekly Threat Intelligence update summaries are posted in the AlienVault forum here
Hands-on 5-day training classes delivered in-person or “live on-line”
• Email [email protected] for more info
Subscribe to the AlienVault blogs for more info on emerging threats and security best practices