User Authentication Samples
1. Repeat Attack-Login Source
• Goal: Early warning for brute force attacks, password guessing, and misconfigured applications.
• Trigger: Alert on 3 or more failed logins in 1 minute from a single host.
• Event Sources: Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS, TACACS, Monitored Applications

2. Repeat Attack-Login Target
• Goal: Early warning for brute force attacks, password guessing, and misconfigured applications.
• Trigger: Alert on 3 or more failed logins in 1 minute on a single user ID
• Event Sources: Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS, TACACS, Monitored Applications
o Note: The actual number of events required to trigger a correlation should be easily tunable.
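Added example (not code from the original note): a sliding-window correlation in Python that implements rules 1 and 2 over constructed failed-login events, keying once by source host and once by user ID, with the threshold and window exposed as parameters so the rule is tunable as the note above asks. The event tuples, addresses and user names are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample failed-login events (not real logs): (timestamp, source host, user id).
FAILED_LOGINS = [
    ("2024-05-01 10:00:01", "10.0.0.5", "alice"),
    ("2024-05-01 10:00:10", "10.0.0.5", "bob"),
    ("2024-05-01 10:00:20", "10.0.0.5", "carol"),   # 3rd failure from 10.0.0.5 in 1 min -> rule 1
    ("2024-05-01 10:02:00", "10.0.0.7", "dave"),
    ("2024-05-01 10:02:20", "10.0.0.8", "dave"),
    ("2024-05-01 10:02:40", "10.0.0.9", "dave"),    # 3rd failure against dave in 1 min -> rule 2
    ("2024-05-01 10:05:00", "10.0.0.5", "alice"),   # earlier 10.0.0.5 burst has aged out
]

def repeat_attack(events, key_index, threshold=3, window=timedelta(minutes=1)):
    """Sliding-window correlation: alert when `threshold` or more events share the same
    key (source host for rule 1, user id for rule 2) within `window`.
    `threshold` and `window` are parameters so the rule stays easy to tune."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerts = []
    for ts_text, src, user in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        key = (src, user)[key_index]
        q = recent[key]
        q.append(ts)
        # Drop timestamps older than the window, measured from the newest event.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((key, ts_text, len(q)))
            q.clear()   # one alert per burst, not one per additional failure
    return alerts

def rule1_login_source(events, threshold=3):
    return repeat_attack(events, key_index=0, threshold=threshold)

def rule2_login_target(events, threshold=3):
    return repeat_attack(events, key_index=1, threshold=threshold)

if __name__ == "__main__":
    print(rule1_login_source(FAILED_LOGINS))   # [('10.0.0.5', '2024-05-01 10:00:20', 3)]
    print(rule2_login_target(FAILED_LOGINS))   # [('dave', '2024-05-01 10:02:40', 3)]
```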

Attacks Detected on the Network
3. Repeat Attack-FW
• Goal: Early warning for scans, worm propagation, etc…
• Trigger: Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute.
• Event Sources: Firewalls, Routers and Switches

4. Repeat Attack-NIPS
• Goal: Early warning for scans, worm propagation, etc…
• Trigger: Alert on 7 or more IDS Alerts from a single IP Address in one minute.
• Event Sources: Network Intrusion Detection and Prevention Devices

Attacks and Infections Detected at the Host Level
5. Virus or Spyware Detected / Virus or Spyware Removed
• Goal: Find viruses the client Anti-Virus could detect, but not clean.
• Trigger: Alert on any event from a single IP Address where the anti-virus failed to clean or quarantine the malware. If a “clean/quarantine” event is later seen remove the host from the watch/infected list.
• Event Sources: Anti-Virus

6. Repeat Attack-HIPS
• Goal: Find hosts that may be infected or compromised (exhibiting infection behaviors).
• Trigger: Alert on 3 or more events from a single IP Address.
• Event Sources: Host Intrusion Prevention System Alerts

Attacks from Unknown/Untrusted Sources
7. Repeat Attack-Foreign
• Goal: Identify remote attackers before they make it into the network. Identify “back scatter” pointing to attacks that may have not been detected by other sources.
• Secondary Goal: This rule also identifies new networks with active hosts that have been added to the internal network, but not reported or configured within security tools.
• Trigger: Alert on 10 or more failed events from a single IP Address that is not part of the known internal network.
• Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events

8. Known Attacker Allowed in Network
• Goal: Identify allowed traffic from known “black listed” sources. If the source is known to be a source of malware or an attack, identify and alert if that source is ever allowed into the network, while conversely filtering out/ignoring “drop/reject/deny” events from these sources when our defenses properly block the traffic.
• Trigger: Alert on ANY Allowed event (e.g. Firewall Accept, Allowed Login) from an IP Address that is not part of the known network and is known to have/use malware.
• Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events

9. Traffic Allowed to Known Attacker
• Goal: Identify allowed traffic to known “black listed” destinations. If the destination is known to be a source of malware or an attack, identify and alert if traffic is ever allowed to that destination. This may indicate an infected host trying to call home.
• Trigger: Alert on ANY Allowed event (e.g. Firewall Accept, Allowed Login) to an IP Address that is not part of the known network and is known to have/use malware.
• Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events

High Risk Threats
10. High Threat Targeting Vulnerable Asset
• Goal: Identify threats in real time that are likely to compromise a host. Vulnerability data has shown the host to be vulnerable to the inbound attack being detected by NIPS.
• Trigger: Any event from a single IP Address targeting a host known to be vulnerable to the attack that’s inbound.
• Event Sources: NIPS events, Vulnerability Assessment data

11. Repeat Attack-Multiple Detection Sources
• Goal: Find hosts that may be infected or compromised detected by multiple sources (high probability of true threat).
• Trigger: Alert on ANY second threat detected from a single IP Address by a second source after seeing a repeat attack.
• Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events

12. Possible Outbreak – Excessive Connections
• Goal: Find hosts that may be infected or compromised by watching for a host to connect to a large number of destinations.
• Trigger: Alert when a single host connects to 25 or more unique targets on the same port in 1 minute (must apply white lists to servers to avoid false positives).
• Event Sources: Firewall, NIPS, Flow Data, and Web Content Filters

Virus Detection/Removal
13. Virus or Spyware Detected
• Goal: Alert when a virus, spyware or other malware is detected on a host.
• Trigger: Alert when a single host sees an identifiable piece of malware
• Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors

14. Virus or Spyware Removed
• Goal: Reduce alerts and warnings, if after detection, anti-virus tools are able to remove a known piece of malware.
• Trigger: Alert when a single host successfully removes a piece of malware
• Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors

15. Possible Outbreak – Multiple Infected Hosts Detected on the Same Subnet
• Goal: Alert on the detection of malware before it spreads beyond a limited number of hosts.
• Trigger: Alert when 5 or more hosts on the same subnet trigger the same Malware Signature (AV or IDS) within a 1 hour interval.
• Event Sources: Anti-Virus, HIPS, NIPS
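Added example (not code from the original note) covering rules 12 and 15 together: both are a count of distinct values inside a time window, grouped by a key (source host and port for rule 12, subnet and signature for rule 15), so one Python function serves both. The flow records, AV hits, the /24 subnet grouping and the server white list are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def distinct_in_window(events, group_key, member, threshold, window, skip=lambda e: False):
    """Alert when the events sharing group_key(e) within `window` carry at least
    `threshold` distinct member(e) values. skip(e) drops events the rule white-lists.
    Every event is a tuple whose first field is a 'YYYY-mm-dd HH:MM:SS' timestamp."""
    seen = defaultdict(list)   # group -> [(ts, member)] still inside the window
    alerts = []
    for e in events:
        if skip(e):
            continue
        ts = datetime.strptime(e[0], "%Y-%m-%d %H:%M:%S")
        g = group_key(e)
        seen[g] = [(t, m) for t, m in seen[g] if ts - t <= window] + [(ts, member(e))]
        distinct = {m for _, m in seen[g]}
        if len(distinct) >= threshold:
            alerts.append((g, e[0], len(distinct)))
            seen[g] = []       # one alert per burst, not one per extra event
    return alerts

# Rule 12: flow records (ts, src, dst, dport); 25+ distinct dst on one port within 1 minute,
# with known servers white-listed so busy legitimate hosts do not fire the rule.
def rule12_excessive_connections(flows, server_whitelist=frozenset(), threshold=25):
    return distinct_in_window(flows, group_key=lambda f: (f[1], f[3]), member=lambda f: f[2],
                              threshold=threshold, window=timedelta(minutes=1),
                              skip=lambda f: f[1] in server_whitelist)

# Rule 15: AV/IDS hits (ts, host, signature); 5+ distinct hosts in the same /24 hitting the
# same signature within 1 hour (the /24 grouping is an assumption; adjust to your subnets).
def rule15_subnet_outbreak(hits, threshold=5, prefix=24):
    subnet = lambda h: str(ipaddress.ip_network(f"{h[1]}/{prefix}", strict=False))
    return distinct_in_window(hits, group_key=lambda h: (subnet(h), h[2]), member=lambda h: h[1],
                              threshold=threshold, window=timedelta(hours=1))

# Constructed sample data (not real logs): 10.0.0.5 and the white-listed server 10.0.0.2
# each reach 25 hosts on port 445 within 25 seconds; five hosts in 10.0.2.0/24 hit one signature.
FLOWS = sorted((f"2024-05-01 10:00:{i:02d}", src, f"10.0.1.{i}", 445)
               for i in range(1, 26) for src in ("10.0.0.5", "10.0.0.2"))
AV_HITS = [
    ("2024-05-01 11:00:00", "10.0.2.10", "Worm.Constructed"),
    ("2024-05-01 11:10:00", "10.0.2.11", "Worm.Constructed"),
    ("2024-05-01 11:20:00", "10.0.2.12", "Worm.Constructed"),
    ("2024-05-01 11:25:00", "10.0.3.20", "Worm.Constructed"),  # other subnet, not counted
    ("2024-05-01 11:30:00", "10.0.2.13", "Worm.Constructed"),
    ("2024-05-01 11:35:00", "10.0.2.13", "Worm.Constructed"),  # repeat host, not a new one
    ("2024-05-01 11:50:00", "10.0.2.14", "Worm.Constructed"),  # 5th host in 10.0.2.0/24
]
```

Calling `rule12_excessive_connections(FLOWS, server_whitelist={"10.0.0.2"})` fires only for 10.0.0.5; without the white list the server would also fire, which is the false positive the trigger text warns about.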

Web Servers (IIS, Apache)
16. Suspicious Post from Untrusted Source
• Goal: Alert when dangerous content (executable code) is posted to a web server.
• Trigger: Files with executable extensions (cgi, asp, aspx, jar, php, exe, com, cmd, sh, bat) are posted to a web server (internal/DMZ address) from an external source
• Event Sources: Internet Information Server and Apache Logs
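Added example (not code from the original note): a Python checker for rule 16 over constructed Apache-style combined access log lines. It assumes the RFC 1918 ranges are the internal network and that a post of executable content shows up as a POST whose request path ends in one of the listed extensions; the log lines and addresses are constructed.

```python
import ipaddress
import re

# Combined access log line; the request field looks like "METHOD /path HTTP/x".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

EXECUTABLE_EXT = {"cgi", "asp", "aspx", "jar", "php", "exe", "com", "cmd", "sh", "bat"}
# Assumed internal ranges; replace with the organisation's real address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True            # unparsable source: treat as untrusted rather than silently drop
    return not any(ip in net for net in INTERNAL)

def suspicious_posts(lines):
    """Rule 16: POST requests from an external source whose target has an executable extension."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]         # drop the query string before checking
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXT and is_external(m["src"]):
            alerts.append((m["src"], path, m["status"]))
    return alerts

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2024:10:00:01 +0000] "POST /uploads/image.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2024:10:00:02 +0000] "GET /uploads/image.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2024:10:00:03 +0000] "POST /admin/deploy.jar HTTP/1.1" 201 0',
    '198.51.100.9 - - [01/May/2024:10:00:04 +0000] "POST /api/login HTTP/1.1" 401 0',
    '198.51.100.9 - - [01/May/2024:10:00:05 +0000] "POST /cgi-bin/test.cgi?x=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for alert in suspicious_posts(SAMPLE_LOG):
        print(alert)   # the external .php and .cgi POSTs; the GET and the internal POST are skipped
```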

Monitored Log Sources
17. Monitored Log Source Stopped Sending Events
• Goal: Alert when a monitored log source has not sent an event in 1 Hour (variable time based on the device)
• Trigger: Log collection device must create an event if a log source stops sending logs for some period of time
• Event Sources: Any log source and log collection device

API / Advanced Search
18. Upload Excel spreadsheet containing “Whitelist” of accounts or IP Addresses
• Goal: Demonstrate the ability to easily post reference data to the SIEM solution
• Trigger: Import data from reference form on-demand
• Event Sources: Spreadsheet containing some reference data

19. Create report showing usernames associated with IP addresses
• Goal: Reduce the time necessary to understand what users are associated with IP addresses in the environment
• Trigger: Run search/report on-demand
• Event Sources: Authentication records (i.e. VPN, AD, etc.)