Security Analyst Diaries #2: Detect-alert-respond, context is key everywhere in security operations.

  • Enhance fidelity of alerting: Enabling analysts and detection engineers to filter out entire clusters of threats that may be expected or represent little-to-no danger to the enterprise (e.g. malware testing in a sandbox environment, vulnerabilities and anomalous activity in a development network with no sensitive data or access, and more). This reduces the need for post-detection enrichment, which can add latency and increase MTTR for a given alert.
  • Prioritize threats with risk scoring: Making relevant context available for heuristic-driven contextual risk scoring of detections at detection execution time rather than at the human triage stage.
  • Respond to alerts faster: Enabling analysts to respond to alerts faster by giving them a graphically integrated and interactive way to view context information from inside the alerts page. This includes information from IT security systems (e.g. EDR consoles, firewall/proxy logs, CMDB and IAM context, and vulnerability scan results).

Context is key

  1. Immediately see all contextual information about that entity, from a range of sources, directly in the UDM event itself
  2. Search and detect upon values in the UDM event that would not otherwise be present in the original log
metadata.event_type = "PROCESS_LAUNCH"
metadata.product_name = "ACME Unix"
metadata.product_log_id = "1"
principal.user.userid = "bob"

metadata.event_type = "EMAIL_TRANSACTION"
metadata.product_name = "ACME Email"
metadata.product_log_id = "2"
principal.user.email_addresses = "bob@acme.com"

metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.product_name = "ACME AD"
metadata.product_log_id = "3"
principal.user.windows_sid = "12345"

metadata.event_type = "USER_LOGIN"
metadata.product_name = "ACME Unix"
metadata.product_log_id = "4"
principal.user.userid = "bob"
principal.user.windows_sid = "12345"
principal.user.email_addresses = "bob@acme.com"

Say hello to Chronicle entity graph

Privileged command monitoring via Chronicle graph

rule prod_privileged_command_usage {
  meta:
    author = "ACME Detection Labs"
    description = "Detects privileged command activity on production services."
    severity = "HIGH"

  events:
    $prod.metadata.event_type = "USER_RESOURCE_ACCESS"
    $prod.metadata.vendor_name = "ACME"
    $prod.metadata.product_name = "ACME Audit Daemon"
    $prod.metadata.product_event_type = "Shell Activity"
    $prod.security_result.action = "ALLOW"
    $prod.target.process.command_line in %ACME_highly_privileged_commands
    $prod.principal.user.userid = $user

  match:
    $user over 15m

  condition:
    $prod
}
rule prod_privileged_command_usage {
  meta:
    author = "ACME Detection Labs"
    description = "Detects privileged command activity on production services."
    severity = "HIGH"

  events:
    $prod.metadata.event_type = "USER_RESOURCE_ACCESS"
    $prod.metadata.vendor_name = "ACME"
    $prod.metadata.product_name = "ACME Audit Daemon"
    $prod.metadata.product_event_type = "Shell Activity"
    $prod.security_result.action = "ALLOW"
    $prod.target.process.command_line in %ACME_highly_privileged_commands
    $prod.principal.user.userid = $user

    $context.graph.metadata.vendor_name = "ACME"
    $context.graph.metadata.product_name = "CMDB"
    $context.graph.metadata.entity_type = "USER"
    $context.graph.entity.user.userid = $user

  match:
    $user over 15m

  condition:
    $prod and $context
}

Changing the Outcome, with conditional risk scoring

rule prod_privileged_command_usage {
  meta:
    author = "ACME Detection Labs"
    description = "Detects privileged command activity on production services."
    severity = "HIGH"

  events:
    $prod.metadata.event_type = "USER_RESOURCE_ACCESS"
    $prod.metadata.vendor_name = "ACME"
    $prod.metadata.product_name = "ACME Audit Daemon"
    $prod.metadata.product_event_type = "Shell Activity"
    $prod.security_result.action = "ALLOW"
    $prod.target.process.command_line in %ACME_highly_privileged_commands
    $prod.principal.user.userid = $user

    $context.graph.metadata.vendor_name = "ACME"
    $context.graph.metadata.product_name = "CMDB"
    $context.graph.metadata.entity_type = "USER"
    $context.graph.entity.user.userid = $user

  match:
    $user over 15m

  outcome:
    $risk_score = max(
      if ( $prod.metadata.product_event_type = "Shell Activity", 50) +
      // Privileged commands we wish to monitor
      if ( $prod.target.file.full_path = "/sbin/acme_sql", 20) +
      if ( $prod.target.file.full_path = "/sbin/acme_backend", 10) +
      if ( $prod.target.file.full_path = "/sbin/acme_frontend", 5) +
      // Monitored users & groups who can have access
      if ( $context.graph.entity.user.department = "IT", 10) +
      if ( $context.graph.entity.user.department = "SRE", 5) +
      // empty values would denote ACME CMDB is not populating correctly, not expected
      if ( $context.graph.entity.user.department = "", 20) +
      // Raise Risk for Contractors - not expected behavior
      if ( $context.graph.entity.user.title = /contractor/ nocase , 20)
    )

  condition:
    $prod and $context
}
{
  "type": "RULE_DETECTION",
  "detection": [
    {
      "ruleName": "prod_privileged_command_usage",
      "urlBackToProduct": "https://cmmartin2.backstory.chronicle.security/ruleDetections?ruleId=ru_f05de1cc-6c25-44b5-9a7d-cb9169f46a67&selectedList=RuleDetectionsViewTimeline&selectedDetectionId=de_03ff5dd8-0c48-3a4b-d46a-e3339cb6a9db&selectedTimestamp=2022-01-29T22:07:30Z&versionTimestamp=2022-01-31T09:15:57.839791Z",
      "ruleId": "ru_f05de1cc-6c25-44b5-9a7d-cb9169f46a67",
      "ruleVersion": "ru_f05de1cc-6c25-44b5-9a7d-cb9169f46a67@v_1643620557_839791000",
      "alertState": "ALERTING",
      "ruleType": "MULTI_EVENT",
      "detectionFields": [{"key": "user", "value": "elsa"}],
      "ruleLabels": [
        {"key": "author", "value": "ACME Detection Labs"},
        {"key": "description", "value": "Detects privileged command activity on production services. Detections with a Risk Score of above 80 *will* raise a p1 ticket."},
        {"key": "severity", "value": "HIGH"}
      ],
      "outcomes": [{"key": "risk_score", "value": "100"}]
    }
  ],
  "createdTime": "2022-01-31T09:16:55.671501Z",
  "id": "de_03ff5dd8-0c48-3a4b-d46a-e3339cb6a9db",
  "timeWindow": {"startTime": "2022-01-29T21:52:30Z", "endTime": "2022-01-29T22:07:30Z"},
  "collectionElements": [
    {
      "references": [
        {
          "event": {
            "metadata": {
              "eventTimestamp": "2022-01-29T22:06:53.004150Z",
              "eventType": "USER_RESOURCE_ACCESS",
              "vendorName": "ACME",
              "productName": "ACME Audit Daemon",
              "productEventType": "Shell Activity",
              "ingestedTimestamp": "2022-01-29T22:06:54.011801Z"
            },
            "principal": {
              "user": {
                "userid": "elsa",
                "userDisplayName": "Elsa",
                "windowsSid": "S-1-5-21-1180699209-877415012-3182924384-6127",
                "emailAddresses": ["elsa@ext.example.com"],
                "productObjectId": "6127",
                "firstName": "elsa",
                "phoneNumbers": ["+1 415 555 6127"],
                "groupIdentifiers": ["it@acme.com"],
                "title": "IT Support [Contractor]",
                "department": ["IT"],
                "managers": [{"userDisplayName": "Jamon", "emailAddresses": ["ham@example.com"], "productObjectId": "1488"}]
              },
              "ip": ["10.10.3.16"],
              "namespace": "production"
            },
            "target": {
              "process": {"pid": "1748", "commandLine": "acme_sql \"select * from db.production\" > db.bak"},
              "ip": ["172.20.5.10"],
              "file": {"fullPath": "/sbin/acme_sql"},
              "resource": {"name": "[172.20.5.10]:/sbin/acme_sql"}
            },
            "securityResult": [{"summary": "Success", "action": ["ALLOW"]}]
          }
        }
      ],
      "label": "prod"
    },
    {
      "references": [
        {
          "entity": {
            "metadata": {
              "collectedTimestamp": "2022-01-29T18:34:47.979140Z",
              "vendorName": "ACME",
              "productName": "CMDB",
              "entityType": "USER",
              "interval": {"startTime": "2022-01-29T18:34:47.979140Z", "endTime": "2022-01-29T23:59:59Z"}
            },
            "entity": {
              "user": {
                "userid": "elsa",
                "userDisplayName": "Elsa",
                "windowsSid": "S-1-5-21-1180699209-877415012-3182924384-6127",
                "emailAddresses": ["elsa@ext.example.com"],
                "productObjectId": "6127",
                "firstName": "elsa",
                "phoneNumbers": ["+1 415 555 6127"],
                "groupIdentifiers": ["it@acme.com"],
                "title": "IT Support [Contractor]",
                "department": ["IT"],
                "managers": [{"userDisplayName": "Jamon", "emailAddresses": ["ham@example.com"], "productObjectId": "1488"}]
              },
              "location": {"city": "Brussels"}
            },
            "relations": [
              {
                "entity": {
                  "asset": {
                    "hostname": "Elsa-laptop",
                    "assetId": "Elsa-6127",
                    "ip": ["10.10.3.16"],
                    "mac": ["dd:ee:ff:33:22:11"],
                    "category": "LAPTOP",
                    "networkDomain": "ext.acme.com",
                    "deploymentStatus": "ACTIVE"
                  }
                },
                "entityType": "ASSET",
                "relationship": "OWNS"
              }
            ]
          }
        }
      ],
      "label": "context"
    }
  ],
  "detectionTime": "2022-01-29T22:07:30Z"
}
  • Monitor for highly privileged commands on production systems, leveraging CMDB data to ensure we have accurate monitoring of required assets
  • Receive fully enriched alerts including the Asset’s info from the CMDB, and no need to perform secondary or tertiary lookups
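As an added illustration (not code from the post or from Chronicle), the rule's outcome block re-implemented in plain Python so the contribution of every if(cond, n) term can be checked during triage; the event and context dicts are constructed to mirror the "elsa" detection above, and the SRE comparison case is constructed too.

```python
import re

# Constructed inputs (not data from the post): only the fields the outcome block reads,
# keyed as in the detection JSON above. Each YARA-L if(cond, n) term becomes an explicit
# n-point contribution so an analyst can see why a score is what it is.

def score_privileged_command(event: dict, context: dict) -> int:
    """Score one ($prod, $context) pair exactly as the rule's outcome block does."""
    score = 0
    # Base score for shell activity on a production service
    if event["metadata"]["productEventType"] == "Shell Activity":
        score += 50
    # Privileged commands we wish to monitor
    monitored = {"/sbin/acme_sql": 20, "/sbin/acme_backend": 10, "/sbin/acme_frontend": 5}
    score += monitored.get(event["target"]["file"]["fullPath"], 0)
    # Monitored users & groups who can have access (department is a repeated field in UDM)
    departments = context["entity"]["user"].get("department", [])
    if "IT" in departments:
        score += 10
    if "SRE" in departments:
        score += 5
    # An empty department means the CMDB feed is not populating correctly
    if not departments or "" in departments:
        score += 20
    # Contractors are not expected to run privileged commands (regex match, nocase)
    if re.search(r"contractor", context["entity"]["user"].get("title", ""), re.IGNORECASE):
        score += 20
    return score


def window_risk_score(pairs) -> int:
    """max() over every pair joined on $user inside the 15m match window."""
    return max((score_privileged_command(e, c) for e, c in pairs), default=0)


# Constructed pair mirroring the 'elsa' detection above: 50 + 20 + 10 + 20
ELSA_EVENT = {"metadata": {"productEventType": "Shell Activity"},
              "target": {"file": {"fullPath": "/sbin/acme_sql"}}}
ELSA_CONTEXT = {"entity": {"user": {"title": "IT Support [Contractor]", "department": ["IT"]}}}

# Constructed comparison: an SRE employee using the frontend tool: 50 + 5 + 5
SRE_EVENT = {"metadata": {"productEventType": "Shell Activity"},
             "target": {"file": {"fullPath": "/sbin/acme_frontend"}}}
SRE_CONTEXT = {"entity": {"user": {"title": "Site Reliability Engineer", "department": ["SRE"]}}}

if __name__ == "__main__":
    print(window_risk_score([(ELSA_EVENT, ELSA_CONTEXT)]))  # 100, above the p1 threshold of 80
    print(window_risk_score([(SRE_EVENT, SRE_CONTEXT)]))    # 60
```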

Improving the Joiners, Movers, and Leavers process with Chronicle graph

  • Hire and Termination dates
  • Time off
  • Department, Location, Employee IDs
  • Active Status
metadata.collected_timestamp = "2022-01-29T21:20:32.956874Z"
metadata.vendor_name = "ACME"
metadata.product_name = "CMDB"
metadata.entity_type = "USER"
entity.user.userid = "jamon"
entity.user.user_display_name = "Jamon"
entity.user.windows_sid = "S-1-5-21-1180699209-877415012-3182924384-1488"
entity.user.email_addresses = "jamon@acme.com"
entity.user.product_object_id = "1488"
entity.user.first_name = "jamon"
entity.user.phone_numbers = "+123 415 555 1488"
entity.user.group_identifiers = "execs@acme.com"
entity.user.title = "Chief Chaos Officer"
entity.user.department = "Chief Chaos Officer"
entity.user.managers.user_display_name = "Ping"
entity.user.managers.email_addresses = "ping@acme.com"
entity.user.managers.product_object_id = "7327"
entity.user.time_off.interval.start_time = "2022-01-24T21:20:32Z"
entity.user.time_off.interval.end_time = "2022-02-03T21:20:32Z"
entity.user.time_off.description = "Annual Leave. 10 Days."
entity.location.city = "Amsterdam"
relations.entity.asset.hostname = "Jamon-laptop"
relations.entity.asset.asset_id = "Jamon-1488"
relations.entity.asset.ip = "10.1.2.15"
relations.entity.asset.mac = "aa:bb:cc:22:22:22"
relations.entity.asset.category = "LAPTOP"
relations.entity.asset.network_domain = "acme.com"
relations.entity.asset.deployment_status = "ACTIVE"
relations.entity_type = "ASSET"
relations.relationship = "OWNS"
rule prod_auth_activity_while_on_leave {
  meta:
    author = "ACME Detection Labs"
    description = "Detects auth activity for users reported on annual leave."
    severity = "INFORMATIONAL"

  events:
    $auth.metadata.event_type = "USER_LOGIN"
    $auth.metadata.vendor_name = "ACME"
    $auth.metadata.product_name = "Acme SSO"
    $auth.security_result.action = "ALLOW"
    $auth.target.user.userid = $userid

    // login event should be after holiday start interval
    $auth.metadata.event_timestamp.seconds > $context.graph.entity.user.time_off.interval.start_time.seconds
    // and login event should be before holiday end interval
    $auth.metadata.event_timestamp.seconds < $context.graph.entity.user.time_off.interval.end_time.seconds

    $context.graph.metadata.vendor_name = "ACME"
    $context.graph.metadata.product_name = "CMDB"
    $context.graph.metadata.entity_type = "USER"
    $context.graph.entity.user.userid = $userid

  match:
    $userid over 15m

  outcome:
    $risk_score = max(
      if ( $auth.metadata.event_type = "USER_LOGIN", 10) +
      // Monitor audited and/or high risk groups
      if ( $context.graph.entity.user.department = "Chief Chaos Officer" or
           $context.graph.entity.user.department = "Office of the Chief Executive Doogler", 25)
    )

  condition:
    $auth and $context
}
metadata.collected_timestamp = "2022-01-25T20:04:26.483053Z"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Azure Active Directory"
metadata.entity_type = "USER"
entity.user.userid = "dave"
entity.user.user_display_name = "dave left"
entity.user.windows_sid = "S-1-5-21-2621619321-00000000002542681321-32132"
entity.user.email_addresses = "dave@example.com"
entity.user.product_object_id = "daveleft"
entity.user.first_name = "dave"
entity.user.last_name = "left"
entity.user.phone_numbers = "+1 222 321 321"
entity.user.title = "Remote"
entity.user.hire_date = "2020-01-01T00:00:00Z"
entity.user.termination_date = "2022-01-01T00:00:00Z"
rule entity_graph_left_user_auth {
  meta:
    author = "Chronicle Security"
    description = "Detects employees that are reported as having left the organization authenticating to a corporate resource."
    severity = "HIGH"

  events:
    $auth.metadata.event_type = "USER_LOGIN"
    $auth.metadata.vendor_name = "Acme"
    $auth.metadata.product_name = "Acme SSO"
    $auth.target.user.userid = $user
    $auth.metadata.event_timestamp.seconds > $context.graph.entity.user.termination_date.seconds

    $context.graph.metadata.vendor_name = "Microsoft"
    $context.graph.metadata.product_name = "Azure Active Directory"
    $context.graph.metadata.entity_type = "USER"
    $context.graph.entity.user.userid = $user

  match:
    $user over 15m

  outcome:
    $risk_score = max(
      if ( $auth.metadata.event_type = "USER_LOGIN", 50) +
      if ( $context.graph.entity.user.title = "Remote" nocase or
           $context.graph.entity.user.title = "Temp" nocase or
           $context.graph.entity.user.title = "Vendor" nocase, 40) +
      if ( $context.graph.entity.user.title = "Legal" nocase, 10)
    )

  condition:
    $auth and $context
}

IOC matching natively via UDM

  1. Native IOC matching for IP or Domain indicators
  2. Using Chronicle YARA-L rules with Reference Lists

  1. Using our pre-built Chronicle integrations
  2. A custom CBN parser
  3. Using the Chronicle Ingestion API
metadata.product_entity_id = "41f302b2-a5dc-411a-a339-29fe8366b46b"
metadata.collected_timestamp = "2022-02-06T22:07:36.724075Z"
metadata.vendor_name = "ACME Threat Co"
metadata.product_name = "ACME Intel"
metadata.entity_type = "IP_ADDRESS"
metadata.interval.start_time = "2022-02-06T22:07:36.724093Z"
metadata.interval.end_time = "9999-12-31T23:59:59Z"
metadata.threat.category_details = "C2"
metadata.threat.url_back_to_product = "https://tc.acme.com/db/ioc?ba949e99-06bc-411a-a76a-e6314838f074"
metadata.threat.threat_id = "ba949e99-06bc-411a-a76a-e6314838f074"
metadata.threat.threat_feed_name = "ACME-IOC-IP-C2"
entity.ip = "172.217.169.42"
rule prod_ioc_ip_from_dns_query_match {
  meta:
    author = "ACME"
    description = "Match ACME Threat Co IOCs against DNS query (IP) responses."
    severity = "MEDIUM"

  events:
    // DNS event data
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.metadata.vendor_name = "ACME"
    $dns.metadata.product_name = "DNS"
    $dns.metadata.product_event_type = "query"
    $dns.principal.ip = $asset_ip
    $dns.network.dns.answers.data = $ip

    // only match IOCs during active duration
    $dns.metadata.event_timestamp.seconds > $ioc.graph.metadata.interval.start_time.seconds
    $dns.metadata.event_timestamp.seconds < $ioc.graph.metadata.interval.end_time.seconds

    // IOC Asset Entity
    $ioc.graph.metadata.vendor_name = "ACME Threat Co"
    $ioc.graph.metadata.product_name = "ACME Intel"
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    $ioc.graph.entity.ip = $ip

    // Corp Asset Entity
    $corp_asset.graph.metadata.vendor_name = "ACME"
    $corp_asset.graph.metadata.product_name = "CMDB"
    $corp_asset.graph.metadata.entity_type = "ASSET"
    $corp_asset.graph.entity.asset.ip = $asset_ip

  match:
    $ip, $asset_ip over 15m

  condition:
    $dns and $ioc and $corp_asset
}
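The three-way join the rule above expresses (DNS answer to IOC entity, querying host to CMDB asset, event timestamp inside the IOC's validity interval), written out in Python as an added example that is not part of the post; the same interval comparison is what the on-leave and terminated-user rules earlier on the page rely on. The IOC, asset and DNS events are constructed (TEST-NET addresses, placeholder threat_id), and only the UDM fields the rule reads are modelled.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the post); dict keys follow the UDM paths in the rule.

def to_epoch(ts: str) -> int:
    """UDM timestamp -> epoch seconds, i.e. the .seconds the rule compares (fraction dropped)."""
    base = ts.rstrip("Z").split(".")[0]
    return int(datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp())

def ioc_active_at(ioc: dict, event_ts: str) -> bool:
    """The rule's two timestamp predicates: event strictly inside the IOC validity interval."""
    iv = ioc["metadata"]["interval"]
    return to_epoch(iv["start_time"]) < to_epoch(event_ts) < to_epoch(iv["end_time"])

def match_dns_iocs(dns_events, iocs, assets):
    """Join $dns answers to $ioc IPs and the querying host to a $corp_asset; the rule's
    condition needs all three. Returns one (asset_ip, ioc_ip, threat_id) tuple per hit."""
    ioc_by_ip = {i["entity"]["ip"]: i for i in iocs if i["metadata"]["entity_type"] == "IP_ADDRESS"}
    asset_ips = {a["entity"]["asset"]["ip"] for a in assets if a["metadata"]["entity_type"] == "ASSET"}
    hits = []
    for ev in dns_events:
        md = ev["metadata"]
        if md["event_type"] != "NETWORK_DNS" or md["product_event_type"] != "query":
            continue
        src = ev["principal"]["ip"]
        if src not in asset_ips:  # no CMDB entity for the querying host: no $corp_asset, no detection
            continue
        for answer in ev["network"]["dns"]["answers"]:
            ioc = ioc_by_ip.get(answer["data"])
            if ioc and ioc_active_at(ioc, md["event_timestamp"]):
                hits.append((src, answer["data"], ioc["metadata"]["threat"]["threat_id"]))
    return hits

# Constructed IOC entity (TEST-NET address, placeholder threat_id), valid for about four days
IOCS = [{"metadata": {"entity_type": "IP_ADDRESS",
                      "interval": {"start_time": "2022-02-06T22:07:36.724093Z", "end_time": "2022-02-10T00:00:00Z"},
                      "threat": {"threat_id": "PLACEHOLDER-THREAT-ID"}},
         "entity": {"ip": "203.0.113.7"}}]
ASSETS = [{"metadata": {"entity_type": "ASSET"}, "entity": {"asset": {"ip": "10.1.2.15"}}}]

def dns_event(src, answer, ts):  # helper that builds a constructed NETWORK_DNS query event
    return {"metadata": {"event_type": "NETWORK_DNS", "product_event_type": "query", "event_timestamp": ts},
            "principal": {"ip": src}, "network": {"dns": {"answers": [{"data": answer}]}}}

DNS_EVENTS = [
    dns_event("10.1.2.15", "203.0.113.7", "2022-02-07T10:00:00Z"),    # in window, known asset: hit
    dns_event("10.1.2.15", "203.0.113.7", "2022-02-11T10:00:00Z"),    # IOC expired: no hit
    dns_event("192.168.9.9", "203.0.113.7", "2022-02-07T10:00:00Z"),  # host not in CMDB: no hit
    dns_event("10.1.2.15", "198.51.100.5", "2022-02-07T10:00:00Z"),   # answer is not an IOC: no hit
]

if __name__ == "__main__":
    print(match_dns_iocs(DNS_EVENTS, IOCS, ASSETS))
```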

Merging Vulnerability context with Asset context

metadata.collected_timestamp = "2022-02-08T12:37:24.769286Z"
metadata.vendor_name = "ACME"
metadata.product_name = "CMDB"
metadata.entity_type = "ASSET"
entity.resource.attribute.labels.key = "sensitivity"
entity.resource.attribute.labels.value = "Confidential"
entity.asset.product_object_id = "prd-srv-02-7711"
entity.asset.hostname = "prd-srv-02"
entity.asset.ip = "172.21.2.5"
entity.asset.mac = "aa:bb:cc:77:11:22"
entity.asset.location.name = "ben-prd-dc-02"
entity.asset.category = "SERVER"
entity.asset.network_domain = "prod.acme.com"
entity.asset.deployment_status = "ACTIVE"
entity.asset.vulnerabilities.description = "ACME CVE-1781-1234: Backend Service Buffer Overflow"
entity.asset.vulnerabilities.last_found = "2022-02-08T12:37:24.769311Z"
entity.asset.vulnerabilities.severity = "HIGH"
entity.asset.vulnerabilities.cvss_base_score = 8
entity.asset.vulnerabilities.vendor = "ACME Vuln Scanner"
entity.asset.vulnerabilities.cve_id = "CVE-1781-1234"
entity.asset.vulnerabilities.description = "ACME CVE-1781-5678: Frontend Service Out of date library"
entity.asset.vulnerabilities.last_found = "2022-02-08T12:37:24.769316Z"
entity.asset.vulnerabilities.severity = "MEDIUM"
entity.asset.vulnerabilities.cvss_base_score = 6
entity.asset.vulnerabilities.vendor = "ACME Vuln Scanner"
entity.asset.vulnerabilities.cve_id = "CVE-1781-5678"
rule prod_alert_on_assets_with_critical_vulns_max {
  meta:
    author = "ACME Labs"
    description = "Detects alerts against assets with active vulns as reported by ACME Vuln Scanner."
    severity = "HIGH"

  events:
    $alert.metadata.event_type = "SCAN_HOST"
    $alert.metadata.vendor_name = "ACME"
    $alert.metadata.product_name = "Endpoint Protection"
    $alert.principal.ip = $ip

    $vuln.graph.metadata.vendor_name = "ACME"
    $vuln.graph.metadata.product_name = "CMDB"
    $vuln.graph.metadata.entity_type = "ASSET"
    $vuln.graph.entity.asset.deployment_status = "ACTIVE"
    $vuln.graph.entity.asset.category = "SERVER"
    $vuln.graph.entity.asset.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = max(
      // CVE Score adjustments
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 1, 10) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 2, 20) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 3, 30) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 4, 40) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 5, 50) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 6, 60) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 7, 70) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 8, 80) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 9, 90) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 10, 100)
    )

  condition:
    $alert and $vuln
}

Summary
