Improve Security Visibility with AlienVault USM Correlation Directives


Transcript of Improve Security Visibility with AlienVault USM Correlation Directives

Page 1: Improve Security Visibility with AlienVault USM Correlation Directives
Page 2: Improve Security Visibility with AlienVault USM Correlation Directives

Agenda

A review of the built-in Correlation Directives from AlienVault Labs

How to write your own correlation directives based on events from one or more sources

How to turn correlation information into actionable alarms

How to use correlations to enforce your security policies

Page 3: Improve Security Visibility with AlienVault USM Correlation Directives

Logical Correlation

• New events are generated using the information provided by detectors and monitors.
• Logical correlation is configured using correlation directives.
• New events will have new priority and reliability values.
• Directives are defined through logical trees, in which the horizontal axis defines an OR operation and the vertical one defines an AND operation.

Diagram: correlation tree. Correlation level 1: rule 1. Correlation level 2: rules 2a and 2b (side by side, OR). Correlation level 3: rules 3a, 3b, 3c and 3d.

Page 4: Improve Security Visibility with AlienVault USM Correlation Directives

Logical Correlation

Page 5: Improve Security Visibility with AlienVault USM Correlation Directives

Directives Examples

Configuration > Threat Intelligence > Directives

Page 6: Improve Security Visibility with AlienVault USM Correlation Directives

Alarms

Alarms are special events that may depend on other events. Alarms require investigation and remediation.

Analysis > Alarms

An overview of alarms per type, frequency, and time.

A list of alarms.

Page 7: Improve Security Visibility with AlienVault USM Correlation Directives

Screenshot callouts: Toggle search. Specify search filter. Alarm intent. Time window. Select time window and intent.

Search and Filter

Utilize search if interested in specific alarms. Alternatively, click a blue circle to see alarms with a specific intent and within a specific time window.

Page 8: Improve Security Visibility with AlienVault USM Correlation Directives

Sort alarms.

Alarm with OTX feed.

Click alarm to see more information.

Alarm is still being correlated.

Close or delete alarm if false positive.

Alarms List

Pay attention to alarms with OTX data. Sort alarms by risk and examine the high risk alarms first. Alarms that are still being correlated cannot be edited.

Page 9: Improve Security Visibility with AlienVault USM Correlation Directives

Examine source(s) and destination(s). Directive event.

Individual event that triggered directive event.

Click an event to see details.

Read the knowledge base.

Correlation level.

Examine Alarm Details

Examine details about the alarm.

Page 10: Improve Security Visibility with AlienVault USM Correlation Directives

Normalized event information.

SIEM information.

Read the knowledge base.

Examine the offending packet.

Examine Event Details

Page 11: Improve Security Visibility with AlienVault USM Correlation Directives

Customizing correlation directives

Page 12: Improve Security Visibility with AlienVault USM Correlation Directives

Clone directive. Delete directive.

Edit directive. Disable directive.

Logical Correlation

Logical correlation uses correlation directives to detect attacks. By default, AlienVault USM includes more than 2,100 built-in directives. Users can customize existing directives or create custom ones. Directives can be edited or created in the graphical editor or by editing XML files.

Page 13: Improve Security Visibility with AlienVault USM Correlation Directives

Global Properties

Correlation Directives

<directive id="28012" name="AV Network attack, too many dropped inbound packets from DST_IP" priority="2">

Name of the directive, which becomes the name of the generated event/alert.

ID of the directive:

• All correlation events have 1505 as plugin ID
• Event type ID is the ID of the directive
• Reserved range for user-defined directives (500,000-1,000,000)

Priority of the directive (impact of this attack in your network):

• All events generated within this directive will have priority set to the global priority value of the correlation directive

Page 14: Improve Security Visibility with AlienVault USM Correlation Directives

Correlation Rules

Correlation Directives (Cont.)

Correlation directives are composed of multiple rules. Rules define conditions to match incoming events. When a condition is met:

• If this is the last level of the directive, then create a new event.
• If there are further levels, wait for more incoming events.

Screenshot callouts: Add rule. Clone rule. Delete rule. Change level of a rule.

Page 15: Improve Security Visibility with AlienVault USM Correlation Directives

Correlation Process

Incoming events are matched by started directives first. If the events do not match started directives, they will be matched against all other directives. Events can be correlated by several directives. Attributes in a rule can be sticky (the same value must repeat in every matched event) or sticky different (every matched event must carry a different value).

Diagram: DST_PORT STICKY: a server connecting to other servers on port 80 six times (80, 80, 80, 80, 80, 80) produces a single directive event. DST_PORT STICKY DIFFERENT: a server connecting to other servers on six different ports (22, 23, 25, 53, 80, 443) produces a single directive event.

Page 16: Improve Security Visibility with AlienVault USM Correlation Directives

Example: Denial of Service Attack

Create Custom Correlation Directive

Many connections from a single host (with a bad reputation) may indicate a DoS attack attempt. Firewall events (detector data source) can be checked for connections. A monitor data source can be used to verify if the service is still up after a suspected attack.

Diagram: the four correlation levels of the example directive.
Correlation level 1: 1 ACCEPT event from the firewall, port 139, source A.
Correlation level 2: 100 ACCEPT events from the firewall, port 139, source A.
Correlation level 3: 1000 ACCEPT events from the firewall, port 139, source A.
Correlation level 4: Is the service still up?

Page 17: Improve Security Visibility with AlienVault USM Correlation Directives

Configuration Tasks

Create Custom Correlation Directive (Cont.)

1. Create a new directive.
2. Create a correlation level 1 rule.
3. Create a subsequent correlation rule.
4. Repeat Task 3 until you have configured all correlation rules.
5. Restart the server.

Page 18: Improve Security Visibility with AlienVault USM Correlation Directives

Specify directive properties.

Create new Directive.

Task 1: Create New Directive

Create Custom Correlation Directive (Cont.)

Configuration > Threat Intelligence > Directives

Page 19: Improve Security Visibility with AlienVault USM Correlation Directives

Task 2: Create Correlation Level 1 Rule

Create Custom Correlation Directive (Cont.)

Specify rule name, data source plugin and event type ID(s). Only detector data sources can be used in the first correlation level.

Page 20: Improve Security Visibility with AlienVault USM Correlation Directives

Task 2: Create Correlation Level 1 Rule (Cont.)

Create Custom Correlation Directive (Cont.)

Specify source and destination IP address(es). Specify source and destination ports. Optionally include OTX data. Select rule reliability.

Page 21: Improve Security Visibility with AlienVault USM Correlation Directives

Set reliability as absolute or relative value.

Inherit settings from parent rule.

Add child rule.

Task 3: Create Correlation Level 2 Rule

Create Custom Correlation Directive (Cont.)

The process of adding the second rule is similar to adding the first one. There is an option to inherit source and destination IP addresses and ports from a parent rule.

Page 22: Improve Security Visibility with AlienVault USM Correlation Directives

Task 3: Create Correlation Level 2 Rule (Cont.)

Create Custom Correlation Directive (Cont.)

Timeout and occurrence values have to be edited after adding the rule.

Click the value to edit it.

Page 23: Improve Security Visibility with AlienVault USM Correlation Directives

Task 4: Create Correlation Level 3 Rule

Create Custom Correlation Directive (Cont.)

The process of adding a level 3 rule is the same as when adding a level 2 rule. Increase the reliability of an event when more occurrences are detected.

Page 24: Improve Security Visibility with AlienVault USM Correlation Directives

Task 5: Create Correlation Level 4 Rule

Create Custom Correlation Directive (Cont.)

Add a monitor data source plugin to verify if the service is still up. Other steps are the same as in the previous tasks.

Add child rule.

Inherit settings from parent rule.

Page 25: Improve Security Visibility with AlienVault USM Correlation Directives

Task 5: Create Correlation Level 4 Rule (Cont.)

Create Custom Correlation Directive (Cont.)

Timeout and occurrence values have different meanings in monitor rules.

Click the value to edit it.

Page 26: Improve Security Visibility with AlienVault USM Correlation Directives

Task 6: Restart Server

Create Custom Correlation Directive (Cont.)

Changes are applied by restarting the server. Restarting the server stops the correlation process.

Restart server.

Page 27: Improve Security Visibility with AlienVault USM Correlation Directives

Resulting XML File

Create Custom Correlation Directive (Cont.)

<directive id="500003" name="DoS attack to NetBIOS" priority="2">
  <rule type="detector" name="Established connections" from="ANY" to="10.177.76.249"
        port_from="ANY" port_to="139" from_rep="true" from_rep_min_pri="3" from_rep_min_rel="3"
        reliability="0" occurrence="1" plugin_id="1636" plugin_sid="106102">
    <rules>
      <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP"
            port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="100" time_out="30"
            plugin_id="1636" plugin_sid="1:PLUGIN_SID">
        <rules>
          <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP"
                port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="1000" time_out="30"
                plugin_id="1636" plugin_sid="1:PLUGIN_SID">
            <rules>
              <rule type="monitor" name="Service up" from="1:SRC_IP" to="1:DST_IP"
                    port_from="ANY" port_to="1:DST_PORT" reliability="+6" occurrence="1" time_out="1"
                    plugin_id="2008" plugin_sid="2"/>
            </rules>
          </rule>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>
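As an added example that is not part of the slides or of AlienVault's own code, the Python below models how a directive like the one above walks its levels: the "1:SRC_IP" style references bind later rules to the level-1 event (the sticky behaviour from the Correlation Process slide), occurrence counts gate each level, relative "+2" reliability values add up, and time_out ends correlation. It assumes a detector-only copy of the directive with lower occurrence values (3 and 5 instead of 100 and 1000) and constructed events that carry a TS timestamp field.

```python
"""Model of how a USM correlation directive walks its rule tree. Added example, not
AlienVault code: detector rules only (the page's monitor level is omitted); events
carry a TS field (seconds) used to apply time_out."""
import xml.etree.ElementTree as ET

# Constructed directive trimmed from the page's "DoS attack to NetBIOS" example;
# occurrences lowered from 100/1000 to 3/5. "1:SRC_IP" refers to the level-1 match.
DIRECTIVE_XML = """<directive id="500003" name="DoS attack to NetBIOS" priority="2">
 <rule type="detector" name="Established connections" from="ANY" to="10.177.76.249" port_to="139"
  reliability="0" occurrence="1" plugin_id="1636" plugin_sid="106102"><rules>
  <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_to="1:DST_PORT"
   reliability="+2" occurrence="3" time_out="30" plugin_id="1636" plugin_sid="1:PLUGIN_SID"><rules>
   <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_to="1:DST_PORT"
    reliability="+2" occurrence="5" time_out="30" plugin_id="1636" plugin_sid="1:PLUGIN_SID"/>
  </rules></rule></rules></rule></directive>"""

FIELDS = {"from": "SRC_IP", "to": "DST_IP", "port_to": "DST_PORT",   # rule attribute -> event field
          "plugin_id": "PLUGIN_ID", "plugin_sid": "PLUGIN_SID"}

def _wanted(value, level1):
    """'ANY' matches anything; '1:FIELD' is the level-1 event's value (sticky)."""
    return None if value == "ANY" else str(level1[value[2:]]) if value.startswith("1:") else value

def _matches(rule, event, level1):
    return all(_wanted(rule.get(a, "ANY"), level1) in (None, str(event[f])) for a, f in FIELDS.items())

def correlate(xml_text, events):
    """Feed events through the directive; report level reached, reliability and outcome."""
    rule = ET.fromstring(xml_text).find("rule")
    level, reliability, level1, hits, entered = 1, 0, None, 0, None
    for ev in events:
        if entered is not None and ev["TS"] - entered > int(rule.get("time_out", 0)):
            return {"level": level, "reliability": reliability, "outcome": "timed out"}
        if not _matches(rule, ev, level1 or ev):
            continue                       # other sources never count (sticky SRC_IP)
        level1, hits = level1 or ev, hits + 1
        if hits < int(rule.get("occurrence")):
            continue
        rel = rule.get("reliability")      # "+2" is relative; a bare number is absolute
        reliability = reliability + int(rel) if rel.startswith("+") else int(rel)
        child = rule.find("rules/rule")
        if child is None:                  # last level reached: the directive event is created
            return {"level": level, "reliability": reliability, "outcome": "directive event"}
        rule, level, hits, entered = child, level + 1, 0, ev["TS"]
    return {"level": level, "reliability": reliability, "outcome": "still correlating"}

def demo_events(gap=1):
    """Constructed firewall ACCEPT events: nine from one host plus one from an unrelated host."""
    evs = [{"SRC_IP": "10.0.0.5", "DST_IP": "10.177.76.249", "DST_PORT": 139, "PLUGIN_ID": "1636",
            "PLUGIN_SID": "106102", "TS": i * gap} for i in range(9)]
    evs.insert(4, {**evs[0], "SRC_IP": "10.0.0.99", "TS": 4 * gap})
    return evs
```

With one-second gaps the nine matching events reach level 3 with reliability 4 and produce the directive event; with ten-second gaps the level-3 time_out of 30 seconds expires first and correlation stops at reliability 2.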

Page 28: Improve Security Visibility with AlienVault USM Correlation Directives

Best Practices

Create Custom Correlation Directive (Cont.)

• Directives should not always generate alarms
• Use reasonable priority and reliability values to ease incident management
• Use the existing directives to:
  • Learn how directives are configured
  • Adapt them to your environment and needs
• Look for multiple types of events:
  • Bad authentication types
  • Discarded packets due to different violations

Page 29: Improve Security Visibility with AlienVault USM Correlation Directives

USM Sizing Examples

Diagram: Single location with less than 1000 EPS. Multiple locations with less than 2500 EPS. Enterprise deployment: many locations, with a Logger.


Page 31: Improve Security Visibility with AlienVault USM Correlation Directives


Weekly Threat Intelligence update summaries are posted in the AlienVault forum here

Hands-on 5-day training classes delivered in-person or “live on-line”

• Email [email protected] for more info

Subscribe to the AlienVault blogs for more info on emerging threats and security best practices