Where can I see examples of correlation rules (use cases) for SIEM?
Are there any forums or platforms where correlation rules/ideas for SIEM correlation rules are posted?
They need not be the correlation rules themselves; for example, their verbal form would do. Obviously the implementation of a rule depends on the context, but the essence stays the same.
To start:
Events of Interest
User Authentication Rules and Alerts
1. Repeat Attack-Login Source
Goal: Early warning for brute force attacks, password guessing, and misconfigured applications.
Trigger: Alert on 3 or more failed logins in 1 minute from a single host.
Event Sources: Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS, TACACS, Monitored Applications
2. Repeat Attack-Login Target
Goal: Early warning for brute force attacks, password guessing, and misconfigured applications.
Trigger: Alert on 3 or more failed logins in 1 minute on a single user ID.
Event Sources: Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS, TACACS, Monitored Applications.
Attacks Detected on the Network
3. Repeat Attack-Firewall
Goal: Early warning for scans, worm propagation, etc.
Trigger: Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute.
Event Sources: Firewalls, Routers and Switches
4. Repeat Attack-Network Intrusion Prevention System
Goal: Early warning for scans, worm propagation, etc.
Trigger: Alert on 7 or more IDS Alerts from a single IP Address in one minute.
Event Sources: Network Intrusion Detection and Prevention Devices
Attacks and Infections Detected at the Host Level
5. Repeat Attack-Host Intrusion Prevention System
Goal: Find hosts that may be infected or compromised (exhibiting infection behaviors).
Trigger: Alert on 3 or more events from a single IP Address in 10 minutes.
Event Sources: Host Intrusion Prevention System Alerts
Virus Detection/Removal
6. Virus or Spyware Detected
Goal: Alert when a virus, spyware or other malware is detected on a host.
Trigger: Alert when a single host sees an identifiable piece of malware.
Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors
7. Virus or Spyware Removed
Goal: Reduce alerts and warnings, if after detection, anti-virus tools are able to remove a known piece of malware.
Trigger: Alert when a single host successfully removes a piece of malware.
Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors
8. Virus or Spyware Detected but Failed to Clean
Goal: Alert when more than 1 hour has passed since malware was detected on a source with no corresponding successful removal.
Trigger: Alert when a single host fails to auto-clean malware within 1 hour of detection.
Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors
Attacks from Unknown/Untrusted Sources
The use of periodic automatically updated lists of known attackers and malware sources applied to these correlations is highly preferred.
9. Repeat Attack-Foreign
Goal: Identify remote attackers before they make it into the network. Identify "back scatter" pointing to attacks that may have not been detected by other sources.
Secondary Goal: This rule also identifies new networks with active hosts that have been added to the internal network, but not reported or configured within the SIEM and/or other security tools.
Trigger: Alert on 10 or more failed events from a single IP Address that is not part of the known internal network.
Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events
10. Known Attacker Allowed in Network
Goal: Identify allowed traffic from known "black listed" sources. If the source is known to be a source of malware or an attack, identify and alert if that source is ever allowed into the network, while conversely filtering out/ignoring "drop/reject/deny" events from these sources when our defenses properly block the traffic.
Trigger: Alert on ANY Allowed event (i.e. Firewall Accept, Allowed Login) from an IP Address that is not part of the known network and is known to have/use malware.
Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events
11. Traffic to Known Attacker
Goal: Identify traffic from an internal address to a known "black listed" destination. If the destination is known to be a source of malware or an attack, identify and alert if traffic is ever allowed to that destination, or if repeat attempts (>5) are detected even when the traffic is blocked. This may indicate an infected host trying to call home.
Trigger: Alert on ANY Allowed event (i.e. Firewall Accept, Allowed Login) to an IP Address that is not part of the known network and is known to have/use malware.
Alternate Trigger: Alert on 5 or more drops from an internal source to any known attacker, or 1 Accept/Allow.
Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events.
High Threat
12. High Threat Targeting Vulnerable Asset
Goal: Identify threats in real time that are likely to compromise a host. Vulnerability data has shown the host to be vulnerable to the inbound attack being detected by NIPS.
Trigger: Any event from a single IP Address targeting a host known to be vulnerable to the attack that's inbound.
Event Sources: NIPS events, Vulnerability Assessment data
13. Repeat Attack-Multiple Detection Sources
Goal: Find hosts that may be infected or compromised detected by multiple sources (high probability of true threat).
Trigger: Alert on ANY second threat type detected from a single IP Address by a second source after seeing a repeat attack. (i.e. Repeat Firewall Drop, followed by Virus Detected)
Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events.
14. Possible Outbreak - Excessive Connections
Goal: Find hosts that may be infected or compromised by watching for a host to connect to a large number of destinations.
Trigger: Alert when a single host connects to 100 or more unique targets in 1 minute (must apply white lists for known servers to avoid false positives, and destination port !=80).
Event Sources: Firewall, NIPS, Flow Data, and Web Content Filters.
15. Possible Outbreak - Multiple Infected Hosts Detected on the Same Subnet
Goal: Alert on the detection of malware before it spreads beyond a limited number of hosts.
Trigger: Alert when 5 or more hosts on the same subnet trigger the same Malware Signature (AV or IDS) within a 1 hour interval.
Event Sources: Anti-Virus, HIPS, NIPS.
Web Servers (IIS, Apache)
16. Suspicious Post from Untrusted Source
Goal: Alert when dangerous content (executable code) is posted to a web server.
Trigger: Files with executable extensions (cgi, asp, aspx, jar, php, exe, com, cmd, sh, bat) are posted to a web server (internal/dmz address) from an external source.
Event Sources: Internet Information Server and Apache Logs
Monitored Log Sources
17. Monitored Log Source Stopped Sending Events
Goal: Alert when a monitored log source has not sent an event in 1 Hour (variable time based on the device).
Trigger: Log collection device must create an event periodically to show how many events have been received, and that this number is >0.
Event Sources: Log collection device.
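As an added example (not part of the answer above, and not any vendor's rule language), here are the first three threshold rules from that list (Repeat Attack-Login Source, Repeat Attack-Login Target, Repeat Attack-Firewall) expressed as a small sliding-window correlator in Python and run over a constructed log. The line format, the field names (`src`, `user`) and the normalized action names `login_fail` / `fw_drop` are assumptions for illustration; a real SIEM normalizes events into its own schema, but the "N events sharing a key inside a window" logic is the same.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str          # reporting device class (assumed normalized upstream)
    action: str          # normalized action, e.g. "login_fail" or "fw_drop"
    src_ip: str = ""
    user: str = ""


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # which normalized action the rule counts
    key: str             # Event field to aggregate on: "src_ip" or "user"
    threshold: int       # fire when this many events ...
    window: timedelta    # ... fall inside this sliding window


# Thresholds follow the answer above (3 failed logins in 1 min, 15 drops in 1 min).
RULES = [
    Rule("Repeat Attack-Login Source", "login_fail", "src_ip", 3, timedelta(minutes=1)),
    Rule("Repeat Attack-Login Target", "login_fail", "user", 3, timedelta(minutes=1)),
    Rule("Repeat Attack-Firewall", "fw_drop", "src_ip", 15, timedelta(minutes=1)),
]


def parse_line(line):
    """Parse one line of the constructed 'ts source action k=v ...' format (an assumption)."""
    ts, source, action, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(datetime.fromisoformat(ts), source, action,
                 src_ip=fields.get("src", ""), user=fields.get("user", ""))


class Correlator:
    """Sliding-window threshold correlator: one deque of timestamps per (rule, key)."""

    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)
        self.alerts = []   # (rule name, key value, time of the triggering event)

    def feed(self, ev):
        for rule in self.rules:
            if ev.action != rule.action:
                continue
            key = getattr(ev, rule.key)
            if not key:        # e.g. firewall drops carry no user field
                continue
            q = self.windows[(rule.name, key)]
            q.append(ev.ts)
            while q and ev.ts - q[0] > rule.window:   # expire timestamps outside the window
                q.popleft()
            if len(q) >= rule.threshold:
                self.alerts.append((rule.name, key, ev.ts))
                q.clear()      # one alert per burst, not one per extra event


# Constructed sample log: one host spraying three accounts, three hosts guessing
# one account (spread so the first failure falls outside the window), and an
# external address hitting the firewall 15 times.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ad login_fail src=10.0.0.5 user=alice
2024-05-01T10:00:20 ad login_fail src=10.0.0.5 user=bob
2024-05-01T10:00:40 ad login_fail src=10.0.0.5 user=carol
2024-05-01T10:02:00 vpn login_fail src=10.0.0.7 user=alice
2024-05-01T10:02:10 vpn login_fail src=10.0.0.8 user=alice
2024-05-01T10:02:30 vpn login_fail src=10.0.0.9 user=alice
""" + "".join(f"2024-05-01T10:05:{i:02d} firewall fw_drop src=203.0.113.9\n"
              for i in range(15))


def run(log_text, rules=RULES):
    """Correlate a whole log. Events are sorted first because the window
    logic assumes they arrive in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    c = Correlator(rules)
    for ev in events:
        c.feed(ev)
    return [(name, key, ts.isoformat()) for name, key, ts in c.alerts]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(*alert)
```

Running it yields three alerts: the login-source rule on 10.0.0.5 at the third failure, the login-target rule on `alice` at 10:02:30 (the 10:00:01 failure has aged out of the one-minute window, so only the three VPN attempts count), and the firewall rule on 203.0.113.9 at the fifteenth drop. Clearing the window after an alert is the simple way to get one alert per burst; real deployments usually add a suppression period and a whitelist for the noisy keys (scanners, service accounts) the answer mentions.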