Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Current »

Overview

We will explain in the following sections how new alerts can be added aside from existing standard Security Operations alerts.

The first thing to do is to apply all the filtering you can before you start to define your logic. We’re looking to reduce the amount of data to process.

Filter as soon as you can and every time you are able. Just try to avoid “null” data and remove all “noisy” data during the query creation. That makes your query more efficient and decreases false positives. 

Query creation

Each alert is based on a query that is run continuously over the data stream. When an alert is triggered, it generates a record in the Devo table.

This table is a read-only table. Devo SecOps then enriches the alerts, adding information based on the ‘ExtraData’ field at the end of the alert record.

There are some requirements that we have to follow to create compatible alerts. There are two types of requirements: Mandatory and optional.

Mandatory

Optional

SecOps Prefix

SecOps Subcategory

alertPriority

alertMitreTechniques

alertType

alertMitreTactics

Entities (at least one)

Enrichments

For more information on each field per specific lookup, see here.

SecOps will parse this data, based on the kinds of information values SecOps expects, and create all the new data which makes up the application.

Let's walk through the steps we must take to start creating alerts. An alert is just a query active forever, so we have to compound the query that fits with our search needs and put it to work.

The following picture shows the overall SecOps alert creation process. 

Alert creation

Let's say we want to analyze the requests made to our web server.

Pre-filter

Firstly, we apply filters to obtain the requests where the source IP is not a null value and also that the IP belongs to a public range.

from web.all.access 
where ispublic(srcIp) 
where isnotnull(srcIp)

Aggregation

Then, we want to group by srcIp with one hour as the grouping period. In this case, we're adding a count operation that we use to filter based on the amount of data grouped. 

group every 30m by srcIp 
every 1h 
select count() as count 
where count > 5000

Entity creation

In this step, we will start to deal with SecOps requirements. SecOps needs to fit with a pre-defined nomenclature to detect and process the entities. Here we create the entities and optionally we can apply the whitelisting procedure. Click here to learn more about entities.

In our example, we’re using just one entity, srcIp., so we create a new field following the nomenclature. 

select str(srcIp) as entity_sourceIP

SecOps uses a Common Information Model for entity naming. It’s needed to track entities over the SecOps app. If you want to include more entities please contact Devo Support.

Entity

SecOps Entity

Hostname

entity_sourceHostname

entity_destinationHostname

Url

entity_sourceUrl

entity_destinationUrl

IP

entity_sourceIP

entity_destinationIP

MAC

entity_sourceMAC

entity_destinationMAC

Name

entity_sourceName

entity_destinationName

Location

entity_sourceLocation

entity_destinationLocation

Domain

entity_sourceDomain

entity_destinationDomain

Email

entity_sourceEmail

entity_destinationEmail

Account

entity_sourceAccount

entity_destinationAccount

Assign a role to the entity

Next, we need to add following detections using lookups:

To learn more about lookups, go to SecOps Lookups.

Using Lookups after aggregation ensures that the new fields created are available in SecOps. 

It is necessary to activate the server mode in the Data Search area to be able to use Lookups after grouping.

The following example shows how to add to an IP a DNS role with a category server and type system:

asset,class,category,type
8.8.8.8,DNS,server,system

SecOpsAssetRole follows the terminology used by the SecOps app to populate the Entity Graph with known definitions of class (role) and category (entity type).

In our example, we are using just one entity, srcIp, so we create a new field with the entity

select `lu/SecOpsAssetRole/role`(entity_sourceIP) as entity_sourceIP_AssetRole

Whitelisting

In order to avoid some events from some assets, customers can add whitelisting checks on alerts just adding an extra check based on data from a Lookup.

Here we will use the global whitelist lookup SecOpsGWL.

Example:

AssetHyphenRole,reason,description
8.8.8.8-GoogleDNS,Mainstream DNS, Avoid alerts from public services
9.9.9.9,Company DNS,Avoid

The way we can use these two lookups is just getting the role from an asset and then compounding a string to know if the asset + role is the GWL lookup.

Here is an example query that contains three cases. 

  • First, we have an IP that it’s on SecOpsGWL lookup and has a role associated with SecOpsAssetRole.

from web.all.access
where requestLength = 1200
select "8.8.8.8" as testIP // create a fake asset
select `lu/SecOpsRole/role`(testIP) as AssetRole // Get asset role from SecOpsRole Lookup
select ifthenelse(isnull(AssetRole),testIP,testIP+"-"+AssetRole) as AssetToCheck
select `lu/SecOpsGWL`(AssetToCheck) as GWL // Check Asset+Role in SecOpsGWL Lookup
  • Second, we have an IP that it’s on SecOpsGWL lookup, but has not a role associated with SecOpsAssetRole.

select "9.9.9.9" as testIPAnother // create another fake asset
select `lu/SecOpsRole/role`(testIPAnother) as AssetRoleAnother // Get asset role from SecOpsRole Lookup
select ifthenelse(isnull(AssetRoleAnother),testIPAnother,testIPAnother+"-"+AssetRoleAnother) as AssetToCheckAnother
select `lu/SecOpsGWL`(AssetToCheckAnother) as GWLAnother // Check Asset+Role in SecOpsGWL Lookup
  • Third and last, we have an IP that is not on SecOpsGWL and has not a role associated with SecOpsAssetRole.

select "4.4.4.4" as testIPNone // create another fake asset
select `lu/SecOpsRole/role`(testIPNone) as AssetRoleNone // Get asset role from SecOpsRole Lookup
select ifthenelse(isnull(AssetRoleNone),testIPNone,testIPNone+"-"+AssetRoleNone) as AssetToCheckNone
select `lu/SecOpsGWL`(AssetToCheckNone) as GWLNone // Check Asset+Role in SecOpsGWL Lookup
group every 1h by GWLNone, GWL, GWLAnother
every 1h

Using these two lookups allows customers to associate a role or not to an asset.  They can use SecOpsGWL as a simple whitelist or combine it with SecOpsAssetRole to give more context.

Enrichment using lookups

Using Lookups after aggregation ensures that the new columns created are available in SecOps. 

It is necessary to activate server mode in the data search window to be able to use Lookups after grouping.

For the full list of lookups for enrichment, see the article on Security Operations lookups.

In this example, we will use a lookup to get the position from Umbrella Top 1M domains:

select `lu/UmbrellaTop1M/position`(fqdn) as enrichStream_entity_destinationHostname_positionInUmbrellaTop1M

Filter

At this point, you can add all the logic you want to implement. You can filter by the new field creating from the enrichment part, filter by statistical operations you made after the grouping, etc.

Following the example, in the enrichment step we can filter based on the lookup result. For example, we want to filter and get only the domains that are in the first one hundred positions in Umbrella Top 1M.

where enrichStream_entity_destinationHostname_positionInUmbrellaTop1M < 100

Location

SecOps performs an entity and location mapping process based on the lookup information. All you need is get that info from SecOpsLocation lookup.

Following the lookup operation standards, we get all the fields from SecOpsLocation lookups and create new five columns that contain location info from the asset (the source IP in the example).

select `lu/SecOpsLocation/country` (str(entity_sourceIP)) as enrichStream_entity_sourceIP_locationCountry
select `lu/SecOpsLocation/city` (str(entity_sourceIP) as enrichStream_entity_sourceIP_locationCity`
select `lu/SecOpsLocation/state` (str(entity_sourceIP)) as enrichStream_entity_sourceIP_locationState
select `lu/SecOpsLocation/lat` (str(entity_sourceIP)) as enrichStream_ entity_sourceIP_locationLat
select `lu/SecOpsLocation/lon` (str(entity_sourceIP)) as enrichStream_entity_sourceIP_locationLon

Categorization

The query to use must have the following fields to define the type of alert, the priority of the alert, MITRE Tactics, and MITRE Techniques.

select `lu/SecOpsAlertDescription/alertType`("SecOpsDenialOfService") as alertType  
select `lu/SecOpsAlertDescription/alertMitreTactics`("SecOpsDenialOfService") as alertMitreTactics  
select `lu/SecOpsAlertDescription/alertMitreTechniques`("SecOpsDenialOfService") as alertMitreTechniques  
select `lu/SecOpsAlertDescription/alertPriority`("SecOpsDenialOfService") as alertPriority

Naming

Finally, as an alert creator, have to fill the last four fields answering the who, the what, the when, the where, and how much. Be as descriptive in the description and message as possible to provide the analyst with the most information in SecOps alert data.

  • Summary: Could include column values using $ + column name.

  • Description: Could include column values using $ + column name.

  • Subcategory: Have to be SecOps

  • Alert name: Have to start with “SecOps” prefix and be Upper Camel Case

The end query will look like this:

from web.all.access 
where ispublic(srcIP) 
where isnotnull(srcIP) 
group every 30m by srcIP 
every 1h select count() as count 
where count > 5000 
select str(srcIP) as entity_sourceIP 
select `lu/SecOpsAssetRole/role`(entity_sourceIP) as entity_sourceIP_AssetRole
select `lu/SecOpsLocation/country`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCountry 
select `lu/SecOpsLocation/city`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCity 
select `lu/SecOpsLocation/state`(entity_sourceIP) as enrichStream_entity_sourceIP_locationState 
select `lu/SecOpsLocation/lat`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLat 
select `lu/SecOpsLocation/lon`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLon 
select `lu/SecOpsAlertDescription/alertType`("SecOpsDenialOfService") as alertType   select `lu/SecOpsAlertDescription/alertMitreTactics`("SecOpsDenialOfService") as alertMitreTactics   
select `lu/SecOpsAlertDescription/alertMitreTechniques`("SecOpsDenialOfService") as alertMitreTechniques   
select `lu/SecOpsAlertDescription/alertPriority`("SecOpsDenialOfService") as alertPriority
  • No labels