How to create correlation rule for threat detection in RuSIEM
Case study: detecting ransomware
• Consider a real threat as an example:
• When creating a correlation rule, do not rely on patches that cover the
vulnerability.
• At any moment a host without the patch may appear, and you will not
learn about it at the most
WHAT DO YOU NEED?
• Discovery, even if there is no threat at the moment
• Automatic detection
• Real-time detection
• Notifications (email / incident in the workflow)
WHAT YOU NEED TO UNDERSTAND FIRST
• Attack vectors (vulnerability, local/network, exploited software
• Distribution method (email / attachments / network / banners / sites)
• Follow the news for the threat definition / signature
How to detect:
• Event logs / cyber security systems (IDS/DPI/Network
Scenario #1
1. You have an information security tool that detects the threat.
2. SIEM receives a ready-made detection event from it.
3. SIEM prioritizes the threat with a correlation rule, reduces the
number of false positives and records the incident. A notification is
sent to you (or the remediation group) by email.
Scenario #2
1. You have a number of different software or hardware tools that
provide information about processes, email, network connections,
2. These can be: Windows event logs, firewalls, syslog, IDS, flow data,
network analyzers and others.
3. SIEM receives simple events from these sources, checks them for
correlations and detects incidents.
4. SIEM prioritizes the threat with a correlation rule, reduces the
number of false positives and records the incident. A notification is
sent to you (or the remediation group) by email.
DIFFERENCES BETWEEN THE SCENARIOS
1. In fact, you are faster than the IDS / AV vendors can create a signature.
2. The difference between scenarios #1 and #2 is that with correlation
rules in SIEM you get a more manageable, centralized
3. There is no need to write rules for many different systems and
monitor their deployment.
4. In practice, SIEM receives much more information for guaranteed
5. In SIEM correlation rules it is possible to reduce the number of false
positives.
6. In any case, incident management and real-time response processes
are needed. This does not have a classic protection
LOOK UP THE THREAT ON GOOGLE
Remote WMI, “process call create
• In this case we detect Win32/Diskcoder.Petya by dst.ip (C&C) and by
sha1/sha256 hashes
• Put the arrays of values into lists so that values can be changed and
added quickly
• When the IDSs are updated, we will record incidents and by their
• If you have enabled auditing on file servers, we can also create a
generic rule. Example: “changes 100 or more files in 60
• Be sure to test the created rule in a real infrastructure!
• You can always create or emulate the connection, the test process, or
another symptom of the threat for verification
• If you wait for an incident to happen, it will be too late.
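The two rule types described above (indicator lists for dst.ip and file hashes, and a generic threshold rule on file-server audit events) as an added example in plain Python; this is not RuSIEM rule syntax and not the deck's own code. The C&C addresses, hashes, hostnames, paths and event field names are constructed placeholders, not real Petya indicators, and the "in 60" of the file-change rule is assumed to mean 60 seconds.

```python
"""Correlation logic for the ransomware case, written as plain Python.

Added example, not RuSIEM rule syntax and not the deck's own code. It
shows the two rule types the deck describes:
  * indicator lists: dst.ip against a C&C list, process hashes against
    a sha1/sha256 list;
  * a threshold rule on file-server audit events: 100 or more distinct
    files changed on one host within a 60-second sliding window.
All addresses, hashes, hosts, paths and field names are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Indicator lists are kept apart from the rule logic so values can be
# changed or added without editing the rule. CONSTRUCTED placeholders:
# 192.0.2.0/24 is TEST-NET-1, the hashes are dummy hex strings.
CNC_IPS = {"192.0.2.10", "192.0.2.11"}
MALICIOUS_HASHES = {
    "a" * 64,  # stands in for a sha256 of the dropper
    "b" * 40,  # stands in for a sha1 of the dropper
}

FILE_CHANGE_THRESHOLD = 100  # "changes 100 or more files ..."
WINDOW_SECONDS = 60          # "... in 60" (assumed: seconds)


@dataclass
class Incident:
    rule: str
    host: str
    detail: str


@dataclass
class Correlator:
    # per host: (timestamp, path) of file modifications still inside the window
    recent: Dict[str, Deque[Tuple[float, str]]] = field(
        default_factory=lambda: defaultdict(deque))

    def process(self, ev: dict) -> Optional[Incident]:
        """Apply the rule matching the event type; return an Incident or None."""
        if ev["type"] == "netflow" and ev["dst_ip"] in CNC_IPS:
            return Incident("ransomware_cnc_connection", ev["host"],
                            f"dst.ip {ev['dst_ip']} is in the C&C list")
        if ev["type"] == "process_start":
            # hashes from the source may be upper-case; normalise before lookup
            for h in (ev.get("sha256"), ev.get("sha1")):
                if h and h.lower() in MALICIOUS_HASHES:
                    return Incident("ransomware_known_hash", ev["host"],
                                    f"{ev['image']} matches the hash list")
        if ev["type"] == "file_modified":
            return self._file_threshold(ev)
        return None

    def _file_threshold(self, ev: dict) -> Optional[Incident]:
        q = self.recent[ev["host"]]
        now = ev["ts"]
        while q and now - q[0][0] > WINDOW_SECONDS:  # slide the window
            q.popleft()
        before = len({p for _, p in q})
        q.append((now, ev["path"]))
        after = len({p for _, p in q})
        # fire once, when the distinct-file count crosses the threshold
        if before < FILE_CHANGE_THRESHOLD <= after:
            return Incident("ransomware_mass_file_change", ev["host"],
                            f"{after} distinct files modified within {WINDOW_SECONDS}s")
        return None


def run(events: List[dict]) -> List[Incident]:
    """Feed events through one correlator in order; return the incidents raised."""
    corr = Correlator()
    return [inc for inc in map(corr.process, events) if inc is not None]


def sample_events() -> List[dict]:
    """Constructed events standing in for flow, process-creation and file-audit logs."""
    evs = [
        {"type": "netflow", "ts": 0, "host": "WS01", "dst_ip": "198.51.100.5"},  # benign
        {"type": "netflow", "ts": 1, "host": "WS01", "dst_ip": "192.0.2.10"},    # C&C hit
        {"type": "process_start", "ts": 2, "host": "WS01",
         "image": r"C:\Users\Public\dropper.exe", "sha256": "A" * 64},           # hash hit
    ]
    # FS01: 120 distinct files in 24 s -> crosses the threshold at the 100th file
    evs += [{"type": "file_modified", "ts": 10 + 0.2 * i, "host": "FS01",
             "path": f"\\\\FS01\\share\\doc{i}.docx"} for i in range(120)]
    # FS02: 50 files in 5 s -> stays below the threshold
    evs += [{"type": "file_modified", "ts": 40 + 0.1 * i, "host": "FS02",
             "path": f"\\\\FS02\\share\\doc{i}.docx"} for i in range(50)]
    return evs


if __name__ == "__main__":
    for inc in run(sample_events()):
        print(f"[{inc.rule}] {inc.host}: {inc.detail}")
```

Feeding constructed events through run() is the kind of emulated symptom the deck recommends for verifying a rule before an incident forces the issue; in a real deployment CNC_IPS and MALICIOUS_HASHES would be loaded from the SIEM's lists rather than hard-coded, and the threshold rule fires only once per crossing so a single encryption run does not produce hundreds of duplicate incidents.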