00:00 - 00:35

Hello ladies and gentlemen, and welcome to our ninth entry into the series on Kaspersky Unified Monitoring and Analysis Platform. In this particular entry we are going to talk to you about how to create new correlation rules, and we will use a scenario of creating rules for brute forcing. So the first thing, to make a correlation rule, is we need to go to Resources and then Correlation rules, and we're going to click on the Add button to open the window where we can create a new correlation rule.

00:37 - 01:35

In this window we'll enter the name of the rule, for example, and we'll select its particular type. So here you can see standard, simple, operational, etc. So just to give you a brief explanation: operational is going to be the need to fill active sheets and have one selector. Simple is going to be rules that are based and triggered every time a new event is discovered that satisfies the conditions of a selector. So please just remember that it has inherited fields, that have events that transfer from the source to the actual correlation, and the trigger frequency limits the number of times a rule is triggered per second. All right.

01:32 - 02:54

So then we also have the standard option. This type of rule is triggered when the threshold value is reached for a group of events that satisfies the conditions of the selector, the event grouping fields and container lifetime for the actual group. So as you can see, based off of all of the different kinds of options, operational, simple and standard, we have quite a wide array of different options that's available. We can perform different actions using different selectors, we can enrich, we can categorize, and so on and so forth. But if we can quickly zoom in a little bit more on the standard rule: the standard rule gives us grouping fields, unique fields, trigger frequency, container lifespans, basic events storage policies, for example first, last and all. Now for each and every one of these: first is focusing on the first basic event, last is focusing on the last basic event, and all saves all basic events in the correlation event. Then you have importance level and sorting.

02:49 - 04:09

Now when we then have a look at the Selectors tab, we can create a selector by specifying a name. We select the trigger threshold, meaning the number of events that need to be received to trigger this particular selector. Now we move on to the writing of the actual selectors. So by clicking Add condition an empty condition will be added. You can cut it down to if or if not, or in the process of writing rules you can use event fields or active sheets or contextual charts or dictionaries or charts or filters and even threat intelligence streams. You can also use different operators, and there's quite a few different ones that's available, and if needed ignore the register and check the type, so you can just basically select the check marks. Right, you can also go ahead and you can add groups of events and move conditions around as needed. You can even make a small structure if you wanted to. So don't forget that you can write rules as code, your full own code.

04:03 - 04:42

Now in the Actions tab, as part of the standard correlation rule, you can perform any actions on the first trigger, the subsequent trigger, each trigger and after the container's lifespan has expired. The following actions are available: send for further processing, send to the correlator, option to not create an alert, add different enrichment, change the asset category, and also update active sheets or context tables.

04:36 - 05:38

Now let's look at writing correlation rules. For example, let's write them to detect brute force on the SSH service. We'll consider the brute force successful if after 20 unsuccessful login attempts there is in fact a successful login attempt. First we'll specify the name, so in this case Successful Brute Force as the name. We specify the tenant, we select the type as standard, then we're going to go ahead and we're going to send destination host name and destination address to the grouping fields. All right, now additionally we want this container lifespan time to be 60 seconds, and we're going to have a critical level of importance. We're going to sort this based on the timestamp.

05:30 - 07:00

Now we are going to need to add some selectors to this as well. So as you can see we are adding our identical fields and these kinds of pre-selectors, if you will. So after we have completed this, we've specified our severity level and all other details that I just mentioned, we are going to add two more selectors. All right, now these selectors: the first one is for failed password, so this is an unsuccessful login attempt basically, and in this instance when we create this selector we're going to specify it as 20, and then we're going to add the conditions. So once we've specified our threshold, we've added our alias or name, we're going to add these conditions, and what we're going to do with that is failed password, which is one of the pre-selectors that we can select, and then the second one is device process name for sshd. Right now sshd is going to basically specify to SSH. Then we're going to add for accept password, and the number of triggers is going to be equal to one. So the message will now be basically accept password equals.

06:54 - 07:52

So once we have these details, then we can go over to the action stage: what do we want to do after something like this has taken place, and once we have seen this as part of our alerts or events or whatever the case is. All right, now once we have finished with creating the final part of our selectors, we will just go ahead and go to the action stage, and on the action stage we are going to then fill in the compromised hosts active sheet that we are using for comparison basically. Right, so IP and destination address, host name and destination host name, user and destination username, and reason we will say brute forced.

07:55 - 08:29

Okay, so that ladies and gentlemen is basically how you can go ahead and create a few different correlation rules, create your own rules such as this scenario, such as this example. And as always we are now at the conclusion of the ninth entry into our series on KUMA. Hopefully this session has been enlightening and you learned a thing or two from us today. We hope to see you in the next video as well, and as always thank you so much and goodbye.

Creating New Correlation Rules in Kaspersky Unified Monitoring Platform

In this article, we delve into the process of creating new correlation rules in the Kaspersky Unified Monitoring and Analysis platform. By focusing on the scenario of brute forcing, we explore the steps involved in setting up rules to detect such activities and take appropriate actions to mitigate risks.

Understanding Correlation Rules

  1. Types of Rules:

    • Operational: used to fill active sheets; has a single selector.
    • Simple: Triggered when a new event satisfies conditions.
    • Standard: Triggered when a threshold value is reached for a group of events.
  2. Components of Standard Rule:

    • Grouping Fields
    • Unique Fields
    • Trigger Frequency
    • Container Lifespan
    • Basic Events Storage Policies

Writing Correlation Rules

  1. Selectors Creation:

    • Specify a name and a trigger threshold (the number of matching events needed to trigger the selector).
    • Build conditions from event fields, active sheets, context tables, dictionaries, charts, filters, threat intelligence streams, and the available operators.
    • Customize conditions, group events, and move conditions around as needed; rules can also be written as code.
  2. Actions Tab:

    • Perform actions on the first trigger, subsequent triggers, each trigger, and after the container lifespan expires.
    • Available actions include sending for further processing, sending to the correlator, not creating an alert, adding enrichment, changing the asset category, and updating active sheets or context tables.

Example: Brute Force Detection on SSH Service

  1. Rule Setup:

    • Name: Successful Brute Force
    • Type: Standard
    • Grouping Fields: Destination host name and destination address
    • Container lifespan: 60 seconds
    • Importance: Critical
    • Sort by: Timestamp
  2. Selectors:

    • Failed Password selector: threshold of 20 unsuccessful attempts; conditions are the failed password pre-selector and device process name equal to sshd.
    • Accept Password selector: threshold of 1, i.e. a single successful login following the failures.
    • Conditions: each selector carries its own conditions, so the grouped events are matched per selector.
  3. Action Stage:

    • Write the compromised host to the compromised hosts active sheet used for comparison.
    • Include details like IP (destination address), host name (destination host name), user (destination username), and reason (e.g., brute forced).
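To make the standard-rule semantics above concrete (grouping by destination host, a 60 second container, 20 failed-password events plus 1 accepted-password event), here is an added Python simulation of the rule's logic. It is not KUMA code or the video's own configuration; the sshd log lines, host names and field names are constructed for the example, and KUMA itself builds the rule in its UI rather than in Python.

```python
import re

# Constructed sshd messages (not real data); the destination host is supplied
# separately, as a collector would fill the device host name from the log source.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+)")

CONTAINER_LIFESPAN = 60   # seconds, the container lifespan chosen in the rule
FAIL_THRESHOLD = 20       # "Failed password" selector threshold
ACCEPT_THRESHOLD = 1      # "Accepted password" selector threshold

def parse_event(ts, dst_host, message):
    """Normalize one sshd line into an event dict, or None if it is not a login result."""
    for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        m = rx.search(message)
        if m:
            return {"ts": ts, "dst_host": dst_host, "user": m.group(1),
                    "src_ip": m.group(2), "kind": kind}
    return None

def correlate(events):
    """Standard-rule simulation: one container per grouping field (destination host),
    a container expires CONTAINER_LIFESPAN seconds after its first event, and the rule
    fires when both selector thresholds are met inside a single container."""
    containers = {}   # dst_host -> {"start": ts, "failed": n, "accepted": n}
    active_list = []  # rows destined for the "compromised hosts" active sheet
    for ev in sorted(events, key=lambda e: e["ts"]):  # sort by timestamp, as the rule does
        c = containers.get(ev["dst_host"])
        if c is None or ev["ts"] - c["start"] > CONTAINER_LIFESPAN:
            c = containers[ev["dst_host"]] = {"start": ev["ts"], "failed": 0, "accepted": 0}
        c[ev["kind"]] += 1
        if c["failed"] >= FAIL_THRESHOLD and c["accepted"] >= ACCEPT_THRESHOLD:
            active_list.append({"IP": ev["src_ip"], "hostname": ev["dst_host"],
                                "user": ev["user"], "reason": "brute forced"})
            del containers[ev["dst_host"]]  # container is consumed once it fires
    return active_list

def build_sample():
    """Constructed sample: srv-a gets 20 failures then a success within 60 s (fires);
    srv-b gets 5 failures and a success 100 s later, outside the container (no fire)."""
    lines = [(t, "srv-a", "Failed password for root from 203.0.113.7 port 5000 ssh2") for t in range(20)]
    lines.append((25, "srv-a", "Accepted password for root from 203.0.113.7 port 5001 ssh2"))
    lines += [(t, "srv-b", "Failed password for admin from 198.51.100.9 port 6000 ssh2") for t in range(5)]
    lines.append((100, "srv-b", "Accepted password for admin from 198.51.100.9 port 6001 ssh2"))
    return [e for e in (parse_event(*line) for line in lines) if e]
```

Running `correlate(build_sample())` yields one active-sheet row for srv-a and none for srv-b, which shows why the container lifespan matters as much as the thresholds: failures that fall outside the 60 second window never accumulate toward the 20.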

By following these steps, you can effectively create correlation rules to detect and respond to security incidents like brute forcing. As you customize rules based on unique scenarios, you enhance the monitoring capabilities of your system and strengthen your overall cybersecurity posture.

In conclusion, mastering the art of creating correlation rules empowers you to proactively identify and address potential threats within your network. Stay vigilant, stay informed, and stay ahead of cyber adversaries. Best of luck in your journey towards fortified cybersecurity defenses!