Security Analyst Diaries #2: Detect-alert-respond, context is key everywhere in security operations.

  • Enhance fidelity of alerting: Enabling analysts and detection engineers to filter out entire clusters of threats that may be expected or represent little-to-no danger to the enterprise (e.g. malware testing in a sandbox environment, vulnerabilities and anomalous activity in a development network with no sensitive data or access, and more). This reduces the need for post-detection enrichment which can add latency and increase MTTR for a given alert.
  • Prioritize threats with risk scoring: Making relevant context available for heuristic-driven contextual risk scoring of detections at detection execution time rather than at the human triage stage.
  • Respond to alerts faster: Gives analysts a graphically integrated, interactive way to view context from inside the alerts page, instead of pivoting to other consoles. This includes information from IT security systems (e.g. EDR consoles, firewall/proxy logs, CMDB and IAM context, and vulnerability scan results).

Context is key

Chronicle’s context enrichment consumes asset, group, or user entity data (other entity types are supported as well) from a customer’s source(s) of truth, such as Azure AD, Okta, Cloud Identity, and Workday, and automatically enriches UDM events with that data. This means that customers can:

  1. Immediately see all contextual information about that entity, from a range of sources, directly in the UDM event itself
  2. Search and detect upon values in the UDM event that would not otherwise be present in the original log
Before enrichment, three events from three products each carry a single, different identifier for the same person:

metadata.event_type = "PROCESS_LAUNCH"
metadata.product_name = "ACME Unix"
metadata.product_log_id = "1"
principal.user.userid = "bob"

metadata.event_type = "EMAIL_TRANSACTION"
metadata.product_name = "ACME Email"
metadata.product_log_id = "2"
principal.user.email_addresses = "bob@acme.com"

metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.product_name = "ACME AD"
metadata.product_log_id = "3"
principal.user.windows_sid = "12345"

After enrichment, a single login event carries all three identifiers, so it can be searched and detected upon by userid, email address or SID even though the original log contained only one of them:

metadata.event_type = "USER_LOGIN"
metadata.product_name = "ACME Unix"
metadata.product_log_id = "4"
principal.user.userid = "bob"
principal.user.windows_sid = "12345"
principal.user.email_addresses = "bob@acme.com"
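Chronicle performs this aliasing for you; the following is an added example (not Chronicle code) that models the mechanics in plain Python so the behaviour can be reasoned about: identifiers that co-occur on a source-of-truth record are merged into one profile, events carrying any one identifier get the rest filled in, and an identifier claimed by two different people is left alone rather than guessed. All entity records, events and the colliding "Legacy HR" record are constructed for the example; field names follow UDM, the join logic is ours.

```python
"""Context aliasing in miniature: fill in a user's other identifiers on events
that carry only one of them.

Added example, not Chronicle code. Entity records and events are constructed
inline in a simplified, UDM-like shape (UDM field names, our own join logic).
"""
from collections import defaultdict

# Identifier fields on which a user entity may be aliased.
ALIAS_KEYS = ("userid", "email_addresses", "windows_sid")

# Constructed entity records from two sources of truth describing the same person.
ENTITIES = [
    {"product_name": "Okta", "user": {"userid": "bob", "email_addresses": "bob@acme.com"}},
    {"product_name": "ACME AD", "user": {"userid": "bob", "windows_sid": "12345"}},
    {"product_name": "Okta", "user": {"userid": "alice", "email_addresses": "alice@acme.com"}},
]
# A constructed stale record that wrongly gives alice bob's SID (an aliasing collision).
COLLIDING_RECORD = {"product_name": "Legacy HR", "user": {"userid": "alice", "windows_sid": "12345"}}

# Constructed events; each, like the three raw events above, carries one identifier.
EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "product_name": "ACME Unix", "product_log_id": "1",
     "principal": {"user": {"userid": "bob"}}},
    {"event_type": "EMAIL_TRANSACTION", "product_name": "ACME Email", "product_log_id": "2",
     "principal": {"user": {"email_addresses": "bob@acme.com"}}},
    {"event_type": "USER_RESOURCE_ACCESS", "product_name": "ACME AD", "product_log_id": "3",
     "principal": {"user": {"windows_sid": "12345"}}},
    {"event_type": "USER_LOGIN", "product_name": "ACME VPN", "product_log_id": "5",
     "principal": {"user": {"userid": "mallory"}}},  # no source of truth knows this user
]


def build_alias_index(entities):
    """profiles: userid -> every identifier seen for that userid across sources.
    lookup: (field, value) -> set of userids that claim that identifier."""
    profiles, lookup = defaultdict(dict), defaultdict(set)
    for rec in entities:
        user = rec["user"]
        uid = user["userid"]  # source-of-truth records are keyed on userid here
        for k in ALIAS_KEYS:
            if k in user:
                profiles[uid][k] = user[k]
                lookup[(k, user[k])].add(uid)
    return profiles, lookup


def enrich(event, profiles, lookup):
    """Copy the event and add every known alias of the resolved user to principal.user.
    The 'enrichment' key records why an event was or was not enriched."""
    user = dict(event["principal"]["user"])
    candidates = set()
    for k in ALIAS_KEYS:
        if k in user:
            candidates |= lookup.get((k, user[k]), set())
    out = {**event, "principal": {**event["principal"], "user": user}}
    if not candidates:
        out["enrichment"] = "unknown"     # identifier absent from every source of truth
    elif len(candidates) > 1:
        out["enrichment"] = "ambiguous"   # one identifier, several people: never guess
    else:
        (uid,) = candidates
        for k, v in profiles[uid].items():
            user.setdefault(k, v)         # never overwrite what the log itself said
        out["enrichment"] = "enriched"
    return out


def enrich_all(events, entities):
    profiles, lookup = build_alias_index(entities)
    return [enrich(e, profiles, lookup) for e in events]


if __name__ == "__main__":
    for e in enrich_all(EVENTS, ENTITIES):
        print(e["product_log_id"], e["enrichment"], e["principal"]["user"])
    # With the colliding record present, SID 12345 can no longer be attributed safely.
    for e in enrich_all(EVENTS, ENTITIES + [COLLIDING_RECORD]):
        print(e["product_log_id"], e["enrichment"], e["principal"]["user"])
```

The "ambiguous" outcome is the case to watch in your own aliasing sources: a stale or mis-mapped record in one source of truth is enough to stop enrichment of every event that carries only the contested identifier, which is why the summary below stresses checking that aliasing sources are working as expected.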

Say hello to Chronicle entity graph

Chronicle graph is a relational entity graph: it joins UDM event data with context-enriched entity data, and it also models relationships between entities, e.g. user X owns asset Y, which has access to resource Z (a database, firewall, storage bucket, etc.).

Privileged command monitoring via Chronicle graph

Take the following YARA-L rule, which monitors privileged commands on production systems. It is a single-event rule that checks the command line against a reference list:

rule prod_privileged_command_usage {
  meta:
    author = "ACME Detection Labs"
    description = "Detects privileged command activity on production services."
    severity = "HIGH"

  events:
    $prod.metadata.event_type = "USER_RESOURCE_ACCESS"
    $prod.metadata.vendor_name = "ACME"
    $prod.metadata.product_name = "ACME Audit Daemon"
    $prod.metadata.product_event_type = "Shell Activity"
    $prod.security_result.action = "ALLOW"
    $prod.target.process.command_line in %ACME_highly_privileged_commands
    $prod.principal.user.userid = $user

  match:
    $user over 15m

  condition:
    $prod
}
The same rule, joined against the CMDB’s USER entities in Chronicle graph, becomes a multi-event rule: the detection fires only for users the CMDB knows about, and the entity’s fields are returned in the detection alongside the shell event:

rule prod_privileged_command_usage {
  meta:
    author = "ACME Detection Labs"
    description = "Detects privileged command activity on production services."
    severity = "HIGH"

  events:
    $prod.metadata.event_type = "USER_RESOURCE_ACCESS"
    $prod.metadata.vendor_name = "ACME"
    $prod.metadata.product_name = "ACME Audit Daemon"
    $prod.metadata.product_event_type = "Shell Activity"
    $prod.security_result.action = "ALLOW"
    $prod.target.process.command_line in %ACME_highly_privileged_commands
    $prod.principal.user.userid = $user

    $context.graph.metadata.vendor_name = "ACME"
    $context.graph.metadata.product_name = "CMDB"
    $context.graph.metadata.entity_type = "USER"
    $context.graph.entity.user.userid = $user

  match:
    $user over 15m

  condition:
    $prod and $context
}

Changing the Outcome, with conditional risk scoring

A new feature with this release is the ability to apply risk scoring to your threat modeling in YARA-L rules, through the outcome section. Each if() term adds its weight when its condition holds, and the resulting risk_score is returned with the detection:

rule prod_privileged_command_usage {
  meta:
    author = "ACME Detection Labs"
    description = "Detects privileged command activity on production services."
    severity = "HIGH"

  events:
    $prod.metadata.event_type = "USER_RESOURCE_ACCESS"
    $prod.metadata.vendor_name = "ACME"
    $prod.metadata.product_name = "ACME Audit Daemon"
    $prod.metadata.product_event_type = "Shell Activity"
    $prod.security_result.action = "ALLOW"
    $prod.target.process.command_line in %ACME_highly_privileged_commands
    $prod.principal.user.userid = $user

    $context.graph.metadata.vendor_name = "ACME"
    $context.graph.metadata.product_name = "CMDB"
    $context.graph.metadata.entity_type = "USER"
    $context.graph.entity.user.userid = $user

  match:
    $user over 15m

  outcome:
    $risk_score = max(
      if ( $prod.metadata.product_event_type = "Shell Activity", 50) +
      // Privileged commands we wish to monitor
      if ( $prod.target.file.full_path = "/sbin/acme_sql", 20) +
      if ( $prod.target.file.full_path = "/sbin/acme_backend", 10) +
      if ( $prod.target.file.full_path = "/sbin/acme_frontend", 5) +
      // Monitored users & groups who can have access
      if ( $context.graph.entity.user.department = "IT", 10) +
      if ( $context.graph.entity.user.department = "SRE", 5) +
      // empty values would denote ACME CMDB is not populating correctly, not expected
      if ( $context.graph.entity.user.department = "", 20) +
      // Raise Risk for Contractors: not expected behavior
      if ( $context.graph.entity.user.title = /contractor/ nocase , 20))

  condition:
    $prod and $context
}
The resulting detection carries the shell event, the joined CMDB USER entity (including the asset it owns) and the computed risk_score of 100:

{
  "type": "RULE_DETECTION",
  "detection": [
    {
      "ruleName": "prod_privileged_command_usage",
      "urlBackToProduct": "https://cmmartin2.backstory.chronicle.security/ruleDetections?ruleId=ru_f05de1cc-6c25-44b5-9a7d-cb9169f46a67&selectedList=RuleDetectionsViewTimeline&selectedDetectionId=de_03ff5dd8-0c48-3a4b-d46a-e3339cb6a9db&selectedTimestamp=2022-01-29T22:07:30Z&versionTimestamp=2022-01-31T09:15:57.839791Z",
      "ruleId": "ru_f05de1cc-6c25-44b5-9a7d-cb9169f46a67",
      "ruleVersion": "ru_f05de1cc-6c25-44b5-9a7d-cb9169f46a67@v_1643620557_839791000",
      "alertState": "ALERTING",
      "ruleType": "MULTI_EVENT",
      "detectionFields": [
        {"key": "user", "value": "elsa"}
      ],
      "ruleLabels": [
        {"key": "author", "value": "ACME Detection Labs"},
        {"key": "description", "value": "Detects privileged command activity on production services. Detections with a Risk Score of above 80 *will* raise a p1 ticket."},
        {"key": "severity", "value": "HIGH"}
      ],
      "outcomes": [
        {"key": "risk_score", "value": "100"}
      ]
    }
  ],
  "createdTime": "2022-01-31T09:16:55.671501Z",
  "id": "de_03ff5dd8-0c48-3a4b-d46a-e3339cb6a9db",
  "timeWindow": {
    "startTime": "2022-01-29T21:52:30Z",
    "endTime": "2022-01-29T22:07:30Z"
  },
  "collectionElements": [
    {
      "references": [
        {
          "event": {
            "metadata": {
              "eventTimestamp": "2022-01-29T22:06:53.004150Z",
              "eventType": "USER_RESOURCE_ACCESS",
              "vendorName": "ACME",
              "productName": "ACME Audit Daemon",
              "productEventType": "Shell Activity",
              "ingestedTimestamp": "2022-01-29T22:06:54.011801Z"
            },
            "principal": {
              "user": {
                "userid": "elsa",
                "userDisplayName": "Elsa",
                "windowsSid": "S-1-5-21-1180699209-877415012-3182924384-6127",
                "emailAddresses": ["elsa@ext.example.com"],
                "productObjectId": "6127",
                "firstName": "elsa",
                "phoneNumbers": ["+1 415 555 6127"],
                "groupIdentifiers": ["it@acme.com"],
                "title": "IT Support [Contractor]",
                "department": ["IT"],
                "managers": [
                  {
                    "userDisplayName": "Jamon",
                    "emailAddresses": ["ham@example.com"],
                    "productObjectId": "1488"
                  }
                ]
              },
              "ip": ["10.10.3.16"],
              "namespace": "production"
            },
            "target": {
              "process": {
                "pid": "1748",
                "commandLine": "acme_sql \"select * from db.production\" > db.bak"
              },
              "ip": ["172.20.5.10"],
              "file": {"fullPath": "/sbin/acme_sql"},
              "resource": {"name": "[172.20.5.10]:/sbin/acme_sql"}
            },
            "securityResult": [
              {"summary": "Success", "action": ["ALLOW"]}
            ]
          }
        }
      ],
      "label": "prod"
    },
    {
      "references": [
        {
          "entity": {
            "metadata": {
              "collectedTimestamp": "2022-01-29T18:34:47.979140Z",
              "vendorName": "ACME",
              "productName": "CMDB",
              "entityType": "USER",
              "interval": {
                "startTime": "2022-01-29T18:34:47.979140Z",
                "endTime": "2022-01-29T23:59:59Z"
              }
            },
            "entity": {
              "user": {
                "userid": "elsa",
                "userDisplayName": "Elsa",
                "windowsSid": "S-1-5-21-1180699209-877415012-3182924384-6127",
                "emailAddresses": ["elsa@ext.example.com"],
                "productObjectId": "6127",
                "firstName": "elsa",
                "phoneNumbers": ["+1 415 555 6127"],
                "groupIdentifiers": ["it@acme.com"],
                "title": "IT Support [Contractor]",
                "department": ["IT"],
                "managers": [
                  {
                    "userDisplayName": "Jamon",
                    "emailAddresses": ["ham@example.com"],
                    "productObjectId": "1488"
                  }
                ]
              },
              "location": {"city": "Brussels"}
            },
            "relations": [
              {
                "entity": {
                  "asset": {
                    "hostname": "Elsa-laptop",
                    "assetId": "Elsa-6127",
                    "ip": ["10.10.3.16"],
                    "mac": ["dd:ee:ff:33:22:11"],
                    "category": "LAPTOP",
                    "networkDomain": "ext.acme.com",
                    "deploymentStatus": "ACTIVE"
                  }
                },
                "entityType": "ASSET",
                "relationship": "OWNS"
              }
            ]
          }
        }
      ],
      "label": "context"
    }
  ],
  "detectionTime": "2022-01-29T22:07:30Z"
}
With this one rule we can:

  • Monitor for highly privileged commands on production systems, using CMDB data to make sure the required users and assets are covered
  • Receive fully enriched alerts that already include the user’s and asset’s CMDB information, with no secondary or tertiary lookups
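To make the join and the scoring traceable by hand, here is an added example (not Chronicle code, and not the page author’s) that re-runs the rule above in Python over constructed sample data. Elsa’s event mirrors the detection shown; ping, nodept and ghost are invented to exercise the SRE branch, the empty-department branch and a user missing from the CMDB. It assumes the reference list holds binary paths matched on target.file.full_path (the rule matches command_line), and uses a tumbling 15-minute window as a stand-in for the match window.

```python
"""prod_privileged_command_usage re-run over sample data, so the join and the
risk score can be traced by hand.

Added example, not Chronicle code: a small Python model of the YARA-L rule
above. Events and CMDB entities are constructed (elsa mirrors the page's
detection; ping, nodept and ghost are added). UDM field names are kept; the
evaluation logic and the tumbling 15-minute window are ours. The reference
list is modelled as a set of binary paths matched on target.file.full_path.
"""
import re
from datetime import datetime, timedelta

# Stand-in for the %ACME_highly_privileged_commands reference list (assumption: paths).
PRIVILEGED_COMMANDS = {"/sbin/acme_sql", "/sbin/acme_backend", "/sbin/acme_frontend"}
MATCH_WINDOW = timedelta(minutes=15)
P1_THRESHOLD = 80  # "Risk Score of above 80 *will* raise a p1 ticket" (detection label above)

# Constructed ACME Audit Daemon events, reduced to the fields the rule reads.
EVENTS = [
    {"ts": "2022-01-29T22:06:53Z", "product_event_type": "Shell Activity", "action": "ALLOW",
     "userid": "elsa", "full_path": "/sbin/acme_sql"},
    {"ts": "2022-01-29T22:07:10Z", "product_event_type": "Shell Activity", "action": "ALLOW",
     "userid": "ping", "full_path": "/sbin/acme_frontend"},
    {"ts": "2022-01-29T22:08:00Z", "product_event_type": "Shell Activity", "action": "ALLOW",
     "userid": "nodept", "full_path": "/sbin/acme_backend"},
    {"ts": "2022-01-29T22:08:30Z", "product_event_type": "Shell Activity", "action": "ALLOW",
     "userid": "ghost", "full_path": "/sbin/acme_backend"},   # not in the CMDB
    {"ts": "2022-01-29T22:09:00Z", "product_event_type": "Shell Activity", "action": "ALLOW",
     "userid": "elsa", "full_path": "/bin/ls"},               # not a privileged command
    {"ts": "2022-01-29T22:09:30Z", "product_event_type": "Shell Activity", "action": "BLOCK",
     "userid": "elsa", "full_path": "/sbin/acme_sql"},        # denied, not ALLOW
]

# Constructed CMDB USER entities, keyed by userid. "ghost" is deliberately missing.
CMDB_USERS = {
    "elsa": {"department": "IT", "title": "IT Support [Contractor]"},
    "ping": {"department": "SRE", "title": "Site Reliability Engineer"},
    "nodept": {"department": "", "title": "Analyst"},   # CMDB not populating department
}


def events_section(ev, cmdb):
    """The rule's events section: filter predicates plus the join on userid.
    Returns the joined CMDB entity, or None when a predicate fails. Because the
    condition is '$prod and $context', a user missing from the CMDB (ghost) yields
    no detection at all: an inner join, and a coverage gap to be aware of."""
    if ev["product_event_type"] != "Shell Activity" or ev["action"] != "ALLOW":
        return None
    if ev["full_path"] not in PRIVILEGED_COMMANDS:
        return None
    return cmdb.get(ev["userid"])


def risk_score(ev, ctx):
    """The outcome section: each if() term adds its weight when its condition holds."""
    score = 50 if ev["product_event_type"] == "Shell Activity" else 0
    score += {"/sbin/acme_sql": 20, "/sbin/acme_backend": 10, "/sbin/acme_frontend": 5}.get(ev["full_path"], 0)
    score += {"IT": 10, "SRE": 5}.get(ctx["department"], 0)
    score += 20 if ctx["department"] == "" else 0  # empty value: CMDB not populating correctly
    score += 20 if re.search(r"contractor", ctx["title"], re.IGNORECASE) else 0  # /contractor/ nocase
    return score


def run_rule(events, cmdb, window=MATCH_WINDOW):
    """match: $user over 15m; outcome: max(...). One detection per (user, window)."""
    buckets = {}
    for ev in events:
        ctx = events_section(ev, cmdb)
        if ctx is None:
            continue
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        key = (ev["userid"], int(ts.timestamp() // window.total_seconds()))
        det = buckets.setdefault(key, {"userid": ev["userid"], "risk_score": 0, "events": 0})
        det["risk_score"] = max(det["risk_score"], risk_score(ev, ctx))
        det["events"] += 1
    for det in buckets.values():
        det["p1"] = det["risk_score"] > P1_THRESHOLD
    return list(buckets.values())


if __name__ == "__main__":
    for det in run_rule(EVENTS, CMDB_USERS):
        print(det)
```

Two things worth noticing when you run it: the empty-department user lands exactly on 80 and so does not cross the "above 80" P1 threshold, and ghost never appears because the join is inner. If unmanaged or unmapped users are a risk you care about, you need a second rule without the context join, or a check that the CMDB covers every account that can reach production.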

Improving the Joiners, Movers, and Leavers process with Chronicle graph

Chronicle’s UDM supports a wide range of context fields, several of which map directly onto the common joiners, movers and leavers activities within a company, such as:

  • Hire and Termination dates
  • Time off
  • Department, Location, Employee IDs
  • Active Status
Take the following CMDB USER entity for Jamon, which carries a time_off interval for annual leave alongside the usual identity fields and the asset he owns:

metadata.collected_timestamp = "2022-01-29T21:20:32.956874Z"
metadata.vendor_name = "ACME"
metadata.product_name = "CMDB"
metadata.entity_type = "USER"
entity.user.userid = "jamon"
entity.user.user_display_name = "Jamon"
entity.user.windows_sid = "S-1-5-21-1180699209-877415012-3182924384-1488"
entity.user.email_addresses = "jamon@acme.com"
entity.user.product_object_id = "1488"
entity.user.first_name = "jamon"
entity.user.phone_numbers = "+123 415 555 1488"
entity.user.group_identifiers = "execs@acme.com"
entity.user.title = "Chief Chaos Officer"
entity.user.department = "Chief Chaos Officer"
entity.user.managers.user_display_name = "Ping"
entity.user.managers.email_addresses = "ping@acme.com"
entity.user.managers.product_object_id = "7327"
entity.user.time_off.interval.start_time = "2022-01-24T21:20:32Z"
entity.user.time_off.interval.end_time = "2022-02-03T21:20:32Z"
entity.user.time_off.description = "Annual Leave. 10 Days."
entity.location.city = "Amsterdam"
relations.entity.asset.hostname = "Jamon-laptop"
relations.entity.asset.asset_id = "Jamon-1488"
relations.entity.asset.ip = "10.1.2.15"
relations.entity.asset.mac = "aa:bb:cc:22:22:22"
relations.entity.asset.category = "LAPTOP"
relations.entity.asset.network_domain = "acme.com"
relations.entity.asset.deployment_status = "ACTIVE"
relations.entity_type = "ASSET"
relations.relationship = "OWNS"
rule prod_auth_activity_while_on_leave {
  meta:
    author = "ACME Detection Labs"
    description = "Detects auth activity for users reported on annual leave."
    severity = "INFORMATIONAL"

  events:
    $auth.metadata.event_type = "USER_LOGIN"
    $auth.metadata.vendor_name = "ACME"
    $auth.metadata.product_name = "Acme SSO"
    $auth.security_result.action = "ALLOW"
    $auth.target.user.userid = $userid

    // login event should be after holiday start interval
    $auth.metadata.event_timestamp.seconds > $context.graph.entity.user.time_off.interval.start_time.seconds
    // and login event should be before holiday end interval
    $auth.metadata.event_timestamp.seconds < $context.graph.entity.user.time_off.interval.end_time.seconds

    $context.graph.metadata.vendor_name = "ACME"
    $context.graph.metadata.product_name = "CMDB"
    $context.graph.metadata.entity_type = "USER"
    $context.graph.entity.user.userid = $userid

  match:
    $userid over 15m

  outcome:
    $risk_score = max(
      if ( $auth.metadata.event_type = "USER_LOGIN", 10) +
      // Monitor audited and/or high risk groups
      if ( $context.graph.entity.user.department = "Chief Chaos Officer" or
           $context.graph.entity.user.department = "Office of the Chief Executive Doogler", 25))

  condition:
    $auth and $context
}
For leavers, an Azure Active Directory USER entity carries hire and termination dates; here is one for a user whose termination_date has already passed:

metadata.collected_timestamp = "2022-01-25T20:04:26.483053Z"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Azure Active Directory"
metadata.entity_type = "USER"
entity.user.userid = "dave"
entity.user.user_display_name = "dave left"
entity.user.windows_sid = "S-1-5-21-2621619321-00000000002542681321-32132"
entity.user.email_addresses = "dave@example.com"
entity.user.product_object_id = "daveleft"
entity.user.first_name = "dave"
entity.user.last_name = "left"
entity.user.phone_numbers = "+1 222 321 321"
entity.user.title = "Remote"
entity.user.hire_date = "2020-01-01T00:00:00Z"
entity.user.termination_date = "2022-01-01T00:00:00Z"
rule entity_graph_left_user_auth {
  meta:
    author = "Chronicle Security"
    description = "Detects employees that are reported as having left the organization authenticating to a corporate resource."
    severity = "HIGH"

  events:
    $auth.metadata.event_type = "USER_LOGIN"
    $auth.metadata.vendor_name = "Acme"
    $auth.metadata.product_name = "Acme SSO"
    $auth.target.user.userid = $user
    $auth.metadata.event_timestamp.seconds > $context.graph.entity.user.termination_date.seconds

    $context.graph.metadata.vendor_name = "Microsoft"
    $context.graph.metadata.product_name = "Azure Active Directory"
    $context.graph.metadata.entity_type = "USER"
    $context.graph.entity.user.userid = $user

  match:
    $user over 15m

  outcome:
    $risk_score = max(
      if ( $auth.metadata.event_type = "USER_LOGIN", 50) +
      if ( $context.graph.entity.user.title = "Remote" nocase or
           $context.graph.entity.user.title = "Temp" nocase or
           $context.graph.entity.user.title = "Vendor" nocase, 40) +
      if ( $context.graph.entity.user.title = "Legal" nocase, 10))

  condition:
    $auth and $context
}
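The two rules above compare an event timestamp against dates carried on the entity. The following added example (not Chronicle code) models both checks in Python over constructed logins: jamon and dave mirror the entities shown, carol is invented as a control with neither a time_off interval nor a termination_date. One caveat is made explicit in the code: in protobuf-shaped data an unset timestamp reads as epoch 0, so a left-user check must treat a missing termination_date as "still employed" rather than compare against it. Note too that entity_graph_left_user_auth, as written, has no security_result.action filter, so a denied login after termination is scored as well.

```python
"""Joiners/movers/leavers checks: authentication during reported leave, and
authentication after a termination date.

Added example, not Chronicle code: a Python model of the two YARA-L rules
above. Entities and login events are constructed (jamon and dave mirror the
page's samples; carol is added as a control); UDM field names kept, logic ours.
"""
from datetime import datetime


def ts(s):
    """Parse an RFC 3339 timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed context entities, one map per source of truth, keyed by userid.
CMDB_USERS = {
    "jamon": {"department": "Chief Chaos Officer",
              "time_off": {"start_time": "2022-01-24T21:20:32Z", "end_time": "2022-02-03T21:20:32Z"}},
    "carol": {"department": "Finance", "time_off": None},
}
AAD_USERS = {
    "dave":  {"title": "Remote", "termination_date": "2022-01-01T00:00:00Z"},
    "carol": {"title": "Legal", "termination_date": None},   # still employed: field unset
    "jamon": {"title": "Chief Chaos Officer", "termination_date": None},
}

# Constructed Acme SSO USER_LOGIN events.
LOGINS = [
    {"ts": "2022-01-28T09:00:00Z", "userid": "jamon", "action": "ALLOW"},  # on annual leave
    {"ts": "2022-02-05T09:00:00Z", "userid": "jamon", "action": "ALLOW"},  # back at work
    {"ts": "2022-01-25T20:30:00Z", "userid": "dave",  "action": "ALLOW"},  # left on 2022-01-01
    {"ts": "2022-01-25T20:31:00Z", "userid": "carol", "action": "ALLOW"},  # normal
    {"ts": "2022-01-29T20:31:00Z", "userid": "dave",  "action": "BLOCK"},  # denied, still scored
]


def auth_while_on_leave(login, cmdb):
    """prod_auth_activity_while_on_leave: an ALLOWed login strictly inside time_off."""
    ctx = cmdb.get(login["userid"])
    if ctx is None or login["action"] != "ALLOW" or not ctx["time_off"]:
        return None
    t = ts(login["ts"])
    if not (ts(ctx["time_off"]["start_time"]) < t < ts(ctx["time_off"]["end_time"])):
        return None
    score = 10
    if ctx["department"] in ("Chief Chaos Officer", "Office of the Chief Executive Doogler"):
        score += 25
    return {"rule": "prod_auth_activity_while_on_leave", "userid": login["userid"], "risk_score": score}


def left_user_auth(login, aad):
    """entity_graph_left_user_auth: any login after termination_date (no action filter,
    as in the rule). A missing termination_date is skipped explicitly: an unset
    protobuf timestamp is epoch 0, and 'login > 0' would be true for every active user."""
    ctx = aad.get(login["userid"])
    if ctx is None or not ctx["termination_date"]:
        return None
    if ts(login["ts"]) <= ts(ctx["termination_date"]):
        return None
    score = 50
    title = ctx["title"].lower()           # the rule's 'nocase' comparisons
    if title in ("remote", "temp", "vendor"):
        score += 40
    if title == "legal":
        score += 10
    return {"rule": "entity_graph_left_user_auth", "userid": login["userid"], "risk_score": score}


def run_rules(logins, cmdb=CMDB_USERS, aad=AAD_USERS):
    """Evaluate both rules over every login and return the detections in order."""
    out = []
    for login in logins:
        for det in (auth_while_on_leave(login, cmdb), left_user_auth(login, aad)):
            if det:
                out.append({**det, "ts": login["ts"]})
    return out


if __name__ == "__main__":
    for det in run_rules(LOGINS):
        print(det)
```

If the HR system exports leave and termination data as a daily snapshot, also confirm that the entity’s validity interval (metadata.interval in the detection output earlier) covers the login time; otherwise a stale or not-yet-collected entity will make the comparison fail silently.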

IOC matching natively via UDM

Previously, IOC matching in Chronicle took place either via:

  1. Native IOC matching for IP or domain indicators
  2. YARA-L rules with Reference Lists

With this release, IOCs can also be ingested as entities in Chronicle graph and matched natively against UDM events. IOC entities can be brought in through:

  1. Our pre-built Chronicle integrations
  2. A custom CBN parser
  3. The Chronicle Ingestion API
An IOC ingested as an IP_ADDRESS entity, with a validity interval and threat metadata from the feed:

metadata.product_entity_id = "41f302b2-a5dc-411a-a339-29fe8366b46b"
metadata.collected_timestamp = "2022-02-06T22:07:36.724075Z"
metadata.vendor_name = "ACME Threat Co"
metadata.product_name = "ACME Intel"
metadata.entity_type = "IP_ADDRESS"
metadata.interval.start_time = "2022-02-06T22:07:36.724093Z"
metadata.interval.end_time = "9999-12-31T23:59:59Z"
metadata.threat.category_details = "C2"
metadata.threat.url_back_to_product = "https://tc.acme.com/db/ioc?ba949e99-06bc-411a-a76a-e6314838f074"
metadata.threat.threat_id = "ba949e99-06bc-411a-a76a-e6314838f074"
metadata.threat.threat_feed_name = "ACME-IOC-IP-C2"
entity.ip = "172.217.169.42"
rule prod_ioc_ip_from_dns_query_match {
  meta:
    author = "ACME"
    description = "Match ACME Threat Co IOCs against DNS query (IP) responses."
    severity = "MEDIUM"

  events:
    // DNS event data
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.metadata.vendor_name = "ACME"
    $dns.metadata.product_name = "DNS"
    $dns.metadata.product_event_type = "query"
    $dns.principal.ip = $asset_ip
    $dns.network.dns.answers.data = $ip

    // only match IOCs during active duration
    $dns.metadata.event_timestamp.seconds > $ioc.graph.metadata.interval.start_time.seconds
    $dns.metadata.event_timestamp.seconds < $ioc.graph.metadata.interval.end_time.seconds

    // IOC Asset Entity
    $ioc.graph.metadata.vendor_name = "ACME Threat Co"
    $ioc.graph.metadata.product_name = "ACME Intel"
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    $ioc.graph.entity.ip = $ip

    // Corp Asset Entity
    $corp_asset.graph.metadata.vendor_name = "ACME"
    $corp_asset.graph.metadata.product_name = "CMDB"
    $corp_asset.graph.metadata.entity_type = "ASSET"
    $corp_asset.graph.entity.asset.ip = $asset_ip

  match:
    $ip, $asset_ip over 15m

  condition:
    $dns and $ioc and $corp_asset
}
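The interval check is what keeps an expired indicator from matching forever, and the asset join is what turns an IP into a named host. This added example (not Chronicle code) models prod_ioc_ip_from_dns_query_match over constructed data: the C2 indicator 172.217.169.42 and the Elsa-laptop asset mirror the page’s samples; the expired scanner indicator 198.51.100.7, the unmanaged host 10.99.0.5 and the DNS events are invented. Field names follow UDM, the logic is ours.

```python
"""IOC matching over DNS answers with indicator validity intervals, joined
to the CMDB asset that issued the query.

Added example, not Chronicle code: a Python model of
prod_ioc_ip_from_dns_query_match. IOC entities, DNS events and assets are
constructed (the C2 indicator 172.217.169.42 and Elsa-laptop mirror the
page's samples); field names follow UDM, the logic is ours.
"""
from datetime import datetime


def ts(s):
    """Parse an RFC 3339 timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed IP_ADDRESS IOC entities with their metadata.interval validity.
IOCS = [
    {"entity_ip": "172.217.169.42", "threat_id": "ba949e99-06bc-411a-a76a-e6314838f074",
     "category": "C2", "feed": "ACME-IOC-IP-C2",
     "start_time": "2022-02-06T22:07:36Z", "end_time": "9999-12-31T23:59:59Z"},
    {"entity_ip": "198.51.100.7", "threat_id": "constructed-expired-0001",
     "category": "Scanner", "feed": "ACME-IOC-IP-SCANNERS",
     "start_time": "2021-01-01T00:00:00Z", "end_time": "2021-12-31T23:59:59Z"},   # expired
]

# Constructed CMDB ASSET entities keyed by IP. 10.99.0.5 is deliberately absent.
ASSETS = {"10.10.3.16": {"hostname": "Elsa-laptop", "asset_id": "Elsa-6127"}}

# Constructed NETWORK_DNS query events with their answer records.
DNS_EVENTS = [
    {"ts": "2022-02-07T08:00:00Z", "principal_ip": "10.10.3.16", "query": "cdn.example.net",
     "answers": ["172.217.169.42", "172.217.169.43"]},   # active C2 IOC, managed host
    {"ts": "2022-02-07T08:01:00Z", "principal_ip": "10.10.3.16", "query": "scan.example.net",
     "answers": ["198.51.100.7"]},                        # expired IOC: no match
    {"ts": "2022-02-07T08:02:00Z", "principal_ip": "10.99.0.5", "query": "cdn.example.net",
     "answers": ["172.217.169.42"]},                      # active IOC, unmanaged host
    {"ts": "2022-02-06T12:00:00Z", "principal_ip": "10.10.3.16", "query": "cdn.example.net",
     "answers": ["172.217.169.42"]},                      # before the IOC was published
]


def match_iocs(dns_events, iocs, assets, require_asset=True):
    """Join each DNS answer to IOC entities whose interval covers the event time,
    then to the CMDB asset that made the query. With require_asset=True the join
    is inner, as in the rule's condition ($dns and $ioc and $corp_asset): a hit
    from a host missing in the CMDB is dropped, which is the blind spot to watch."""
    iocs_by_ip = {}
    for ioc in iocs:
        iocs_by_ip.setdefault(ioc["entity_ip"], []).append(ioc)   # several feeds may share an IP
    hits = []
    for ev in dns_events:
        t = ts(ev["ts"])
        for answer in ev["answers"]:
            for ioc in iocs_by_ip.get(answer, []):
                # only match IOCs during their active duration
                if not (ts(ioc["start_time"]) < t < ts(ioc["end_time"])):
                    continue
                asset = assets.get(ev["principal_ip"])
                if asset is None and require_asset:
                    continue
                hits.append({"ts": ev["ts"], "asset_ip": ev["principal_ip"],
                             "hostname": asset["hostname"] if asset else None,
                             "query": ev["query"], "ioc_ip": answer,
                             "threat_id": ioc["threat_id"], "feed": ioc["feed"]})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(DNS_EVENTS, IOCS, ASSETS):
        print(hit)
    print("without the asset join:", len(match_iocs(DNS_EVENTS, IOCS, ASSETS, require_asset=False)))
```

Running it with require_asset=False shows the second hit from the unmanaged host that the rule, as written, never reports. A common pattern is to keep the joined rule for enriched, high-fidelity alerts and run a lower-severity variant without the CMDB join to catch hosts the CMDB does not know about.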

Merging Vulnerability context with Asset context

The last of our use cases for this release shows how vulnerability scanner findings attached to your CMDB asset entities can be combined with alert events in detection rules.

Take the following ASSET entity from the CMDB for a production server, carrying two findings reported by the vulnerability scanner under the repeated vulnerabilities field:

metadata.collected_timestamp = "2022-02-08T12:37:24.769286Z"
metadata.vendor_name = "ACME"
metadata.product_name = "CMDB"
metadata.entity_type = "ASSET"
entity.resource.attribute.labels.key = "sensitivity"
entity.resource.attribute.labels.value = "Confidential"
entity.asset.product_object_id = "prd-srv-02-7711"
entity.asset.hostname = "prd-srv-02"
entity.asset.ip = "172.21.2.5"
entity.asset.mac = "aa:bb:cc:77:11:22"
entity.asset.location.name = "ben-prd-dc-02"
entity.asset.category = "SERVER"
entity.asset.network_domain = "prod.acme.com"
entity.asset.deployment_status = "ACTIVE"

entity.asset.vulnerabilities.description = "ACME CVE-1781-1234: Backend Service Buffer Overflow"
entity.asset.vulnerabilities.last_found = "2022-02-08T12:37:24.769311Z"
entity.asset.vulnerabilities.severity = "HIGH"
entity.asset.vulnerabilities.cvss_base_score = 8
entity.asset.vulnerabilities.vendor = "ACME Vuln Scanner"
entity.asset.vulnerabilities.cve_id = "CVE-1781-1234"

entity.asset.vulnerabilities.description = "ACME CVE-1781-5678: Frontend Service Out of date library"
entity.asset.vulnerabilities.last_found = "2022-02-08T12:37:24.769316Z"
entity.asset.vulnerabilities.severity = "MEDIUM"
entity.asset.vulnerabilities.cvss_base_score = 6
entity.asset.vulnerabilities.vendor = "ACME Vuln Scanner"
entity.asset.vulnerabilities.cve_id = "CVE-1781-5678"
rule prod_alert_on_assets_with_critical_vulns_max {
  meta:
    author = "ACME Labs"
    description = "Detects alerts against assets with active vulns as reported by ACME Vuln Scanner."
    severity = "HIGH"

  events:
    $alert.metadata.event_type = "SCAN_HOST"
    $alert.metadata.vendor_name = "ACME"
    $alert.metadata.product_name = "Endpoint Protection"
    $alert.principal.ip = $ip

    $vuln.graph.metadata.vendor_name = "ACME"
    $vuln.graph.metadata.product_name = "CMDB"
    $vuln.graph.metadata.entity_type = "ASSET"
    $vuln.graph.entity.asset.deployment_status = "ACTIVE"
    $vuln.graph.entity.asset.category = "SERVER"
    $vuln.graph.entity.asset.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = max(
      // CVE Score adjustments
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 1, 10) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 2, 20) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 3, 30) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 4, 40) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 5, 50) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 6, 60) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 7, 70) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 8, 80) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 9, 90) +
      if ( $vuln.graph.entity.asset.vulnerabilities.cvss_base_score = 10, 100))

  condition:
    $alert and $vuln
}
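The outcome above scores the asset by its worst finding, since max() runs over the repeated vulnerabilities field. This added example (not Chronicle code) models the rule in Python over constructed data to show that, and to surface one edge case of the ten equality branches: CVSS base scores are decimals, so a finding scored 7.5 matches none of the branches and contributes 0. prd-srv-02 mirrors the page’s entity; prd-srv-03 (with a 7.5 finding), the decommissioned old-srv-01 and the alerts are invented. A range-based scorer is included alongside the literal one for comparison.

```python
"""Joining endpoint alerts to CMDB asset entities that carry scanner findings.

Added example, not Chronicle code: a Python model of
prod_alert_on_assets_with_critical_vulns_max. Assets and alerts are constructed
(prd-srv-02 mirrors the page's entity; prd-srv-03 and old-srv-01 are added);
field names follow UDM, the logic is ours.
"""

# Constructed CMDB ASSET entities with their repeated vulnerabilities field.
ASSETS = [
    {"hostname": "prd-srv-02", "ip": "172.21.2.5", "category": "SERVER", "deployment_status": "ACTIVE",
     "vulnerabilities": [
         {"cve_id": "CVE-1781-1234", "severity": "HIGH", "cvss_base_score": 8.0},
         {"cve_id": "CVE-1781-5678", "severity": "MEDIUM", "cvss_base_score": 6.0},
     ]},
    {"hostname": "prd-srv-03", "ip": "172.21.2.6", "category": "SERVER", "deployment_status": "ACTIVE",
     "vulnerabilities": [
         {"cve_id": "CVE-1781-9999", "severity": "HIGH", "cvss_base_score": 7.5},   # non-integer score
     ]},
    {"hostname": "old-srv-01", "ip": "172.21.2.7", "category": "SERVER", "deployment_status": "DECOMMISSIONED",
     "vulnerabilities": [
         {"cve_id": "CVE-1781-0001", "severity": "CRITICAL", "cvss_base_score": 10.0},
     ]},
]

# Constructed SCAN_HOST alerts from the endpoint product, keyed to assets by principal.ip.
ALERTS = [
    {"event_type": "SCAN_HOST", "vendor_name": "ACME", "product_name": "Endpoint Protection", "principal_ip": "172.21.2.5"},
    {"event_type": "SCAN_HOST", "vendor_name": "ACME", "product_name": "Endpoint Protection", "principal_ip": "172.21.2.6"},
    {"event_type": "SCAN_HOST", "vendor_name": "ACME", "product_name": "Endpoint Protection", "principal_ip": "172.21.2.7"},
    {"event_type": "SCAN_HOST", "vendor_name": "ACME", "product_name": "Endpoint Protection", "principal_ip": "10.0.0.9"},
]


def ladder_score(cvss):
    """The rule's outcome, literally: ten equality branches, one per integer score.
    Only one branch can hold, so the sum is that branch's weight, or 0 for 7.5."""
    return sum(n * 10 for n in range(1, 11) if cvss == n)


def range_score(cvss):
    """A range-based alternative that also covers non-integer CVSS base scores."""
    return int(min(max(cvss, 0.0), 10.0) * 10)


def run_rule(alerts, assets, scorer=ladder_score):
    """events: filter the alert and join it to an ACTIVE SERVER asset on IP.
    outcome: max() across the asset's repeated vulnerabilities field."""
    by_ip = {a["ip"]: a for a in assets}
    detections = []
    for alert in alerts:
        if alert["event_type"] != "SCAN_HOST" or alert["product_name"] != "Endpoint Protection":
            continue
        asset = by_ip.get(alert["principal_ip"])
        if asset is None or asset["deployment_status"] != "ACTIVE" or asset["category"] != "SERVER":
            continue   # inner join: alerts for unknown or inactive assets produce nothing
        score = max((scorer(v["cvss_base_score"]) for v in asset["vulnerabilities"]), default=0)
        detections.append({"hostname": asset["hostname"], "ip": asset["ip"], "risk_score": score})
    return detections


if __name__ == "__main__":
    print("literal ladder:", run_rule(ALERTS, ASSETS))
    print("range-based:  ", run_rule(ALERTS, ASSETS, scorer=range_score))
```

Check how your scanner exports base scores before adopting the equality ladder as-is; if it emits decimals, a range comparison (or rounding at ingestion) keeps a 7.5 from scoring lower than a 1.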

Summary

We covered a lot in this diary entry around our context-aware detections, enabling enrichment, alert prioritization, risk scoring and the entity graph — what it is, and the challenges it’s solving for analysts today. One of the precursors for effective use of Chronicle graph is context aliasing. Make sure your context aliasing sources are all in scope — and working as expected — and focus on threat modeling your business workflows with Chronicle.
