...
| Mandatory | Optional |
|---|---|
| SecOps Prefix | SecOps Subcategory |
| alertPriority | alertMitreTechniques |
| alertType | alertMitreTactics |
| Entities (at least one) | Enrichments |
...
Info: For more information on each field per specific lookup, see here.
SecOps parses this data according to the kinds of values it expects and creates all the new data that makes up the application.
Let's walk through the steps we must take to start creating alerts. An alert is just a query that runs continuously, so we have to build a query that fits our search needs and put it to work.
The following picture shows the overall SecOps alert creation process.
[Figure: Alert creation]
Let's say we want to analyze the requests made to our web server.
1. Pre-filter
First, we apply filters to keep only the requests where the source IP is not null and belongs to a public range.
...
```
from web.all.access where ispublic(srcIp) where isnotnull(srcIp)
```
Aggregation
Then, we want to group by srcIp with one hour as the grouping period. In this case, we're adding a count operation that we use to filter based on the amount of data grouped.
...
| Entity | SecOps Entity |
|---|---|
| Hostname | entity_sourceHostname, entity_destinationHostname |
| Url | entity_sourceUrl, entity_destinationUrl |
| IP | entity_sourceIP, entity_destinationIP |
| MAC | entity_sourceMAC, entity_destinationMAC |
| Name | entity_sourceName, entity_destinationName |
| Location | entity_sourceLocation, entity_destinationLocation |
| Domain | entity_sourceDomain, entity_destinationDomain |
| Email | entity_sourceEmail, entity_destinationEmail |
| Account | entity_sourceAccount, entity_destinationAccount |
Assign a role to the entity
Next, we need to add the following detections using lookups:
...
SecOpsAssetRole follows the terminology used by the SecOps app to populate the Entity Graph with known definitions of class (role) and category (entity type).
The end query will look like this:
...
In our example, we are using just one entity, srcIp, so we create a new field holding the role of that entity:
```
select `lu/SecOpsAssetRole/role`(entity_sourceIP) as entity_sourceIP_AssetRole
```
Enrichment using lookups
Using Lookups after aggregation ensures that the new columns created are available in SecOps.
Info: It is necessary to activate server mode in the data search window to be able to use lookups after grouping.
For the full list of lookups for enrichment, see the article on Security Operations lookups.
In this example, we will use a lookup to get the position from Umbrella Top 1M domains:
```
select `lu/UmbrellaTop1M/position`(fqdn) as enrichStream_entity_destinationHostname_positionInUmbrellaTop1M
```
Filter
At this point, you can add all the logic you want to implement. You can filter by the new fields created in the enrichment step, filter by the statistical operations you applied after grouping, and so on.
Following the example, we can filter on the result of the enrichment lookup. For instance, we keep only the domains that are in the first one hundred positions of Umbrella Top 1M:
```
where enrichStream_entity_destinationHostname_positionInUmbrellaTop1M < 100
```
Location
SecOps performs an entity and location mapping process based on the lookup information. All you need to do is get that information from the SecOpsLocation lookup.
Following the lookup operation standards, we get all the fields from the SecOpsLocation lookup and create five new columns that contain the location information of the asset (the source IP in the example).
```
select `lu/SecOpsLocation/country`(str(entity_sourceIP)) as enrichStream_entity_sourceIP_locationCountry
select `lu/SecOpsLocation/city`(str(entity_sourceIP)) as enrichStream_entity_sourceIP_locationCity
select `lu/SecOpsLocation/state`(str(entity_sourceIP)) as enrichStream_entity_sourceIP_locationState
select `lu/SecOpsLocation/lat`(str(entity_sourceIP)) as enrichStream_entity_sourceIP_locationLat
select `lu/SecOpsLocation/lon`(str(entity_sourceIP)) as enrichStream_entity_sourceIP_locationLon
```
Categorization
The query to use must have the following fields to define the type of alert, the priority of the alert, MITRE Tactics, and MITRE Techniques.
```
select `lu/SecOpsAlertDescription/alertType`("SecOpsDenialOfService") as alertType
select `lu/SecOpsAlertDescription/alertMitreTactics`("SecOpsDenialOfService") as alertMitreTactics
select `lu/SecOpsAlertDescription/alertMitreTechniques`("SecOpsDenialOfService") as alertMitreTechniques
select `lu/SecOpsAlertDescription/alertPriority`("SecOpsDenialOfService") as alertPriority
```
...
Summary: Can include column values using $ followed by the column name.
Description: Can include column values using $ followed by the column name.
Subcategory: Must be SecOps.
Alert name: Must start with the "SecOps" prefix and be in Upper Camel Case.
...
The end query will look like this:
```
from web.all.access
where ispublic(srcIP)
where isnotnull(srcIP)
group every 30m by srcIP
every 1h select count() as count
where count > 5000
select str(srcIP) as entity_sourceIP
select `lu/SecOpsAssetRole/role`(entity_sourceIP) as entity_sourceIP_AssetRole
select `lu/SecOpsLocation/country`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCountry
select `lu/SecOpsLocation/city`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCity
select `lu/SecOpsLocation/state`(entity_sourceIP) as enrichStream_entity_sourceIP_locationState
select `lu/SecOpsLocation/lat`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLat
select `lu/SecOpsLocation/lon`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLon
select `lu/SecOpsAlertDescription/alertType`("SecOpsDenialOfService") as alertType
select `lu/SecOpsAlertDescription/alertMitreTactics`("SecOpsDenialOfService") as alertMitreTactics
select `lu/SecOpsAlertDescription/alertMitreTechniques`("SecOpsDenialOfService") as alertMitreTechniques
select `lu/SecOpsAlertDescription/alertPriority`("SecOpsDenialOfService") as alertPriority
```
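As an added pre-deployment check that is not part of the original page, the following Python script validates an alert definition against the rules described above: the mandatory and optional field table, the entity column list, and the alert name and subcategory rules. It assumes the alert name and subcategory are supplied alongside the query text; the sample query is a constructed, shortened copy of the end query.

```python
import re

# Mandatory and optional alert fields, as given in the SecOps field table.
MANDATORY_FIELDS = {"alertPriority", "alertType"}
OPTIONAL_FIELDS = {"alertMitreTactics", "alertMitreTechniques"}
# Entity columns from the entity table; at least one must be produced.
ENTITY_FIELDS = {
    f"entity_{side}{kind}"
    for side in ("source", "destination")
    for kind in ("Hostname", "Url", "IP", "MAC", "Name",
                 "Location", "Domain", "Email", "Account")
}

# Every "... as <alias>" clause names a column the query produces.
ALIAS_RE = re.compile(r"\bas\s+([A-Za-z_][A-Za-z0-9_]*)")
# "SecOps" prefix followed by Upper Camel Case words (no underscores or spaces).
NAME_RE = re.compile(r"^SecOps(?:[A-Z][a-z0-9]*)+$")

# Constructed sample: a shortened version of the end query from this page.
SAMPLE_QUERY = """from web.all.access
where ispublic(srcIP)
where isnotnull(srcIP)
group every 30m by srcIP
every 1h select count() as count
where count > 5000
select str(srcIP) as entity_sourceIP
select `lu/SecOpsAlertDescription/alertType`("SecOpsDenialOfService") as alertType
select `lu/SecOpsAlertDescription/alertPriority`("SecOpsDenialOfService") as alertPriority"""


def query_columns(query: str) -> set:
    """Return the set of column aliases the query produces."""
    return set(ALIAS_RE.findall(query))


def validate_alert(name: str, subcategory: str, query: str) -> list:
    """Return a list of problems; an empty list means the definition is SecOps-ready."""
    problems = []
    if not NAME_RE.match(name):
        problems.append(f"alert name {name!r} must start with 'SecOps' and be Upper Camel Case")
    if subcategory != "SecOps":
        problems.append(f"subcategory must be 'SecOps', got {subcategory!r}")
    cols = query_columns(query)
    for field in sorted(MANDATORY_FIELDS - cols):
        problems.append(f"query does not produce mandatory field {field}")
    if not cols & ENTITY_FIELDS:
        problems.append("query does not produce any entity column (at least one required)")
    return problems


if __name__ == "__main__":
    print(validate_alert("SecOpsDenialOfService", "SecOps", SAMPLE_QUERY))
```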