Agenda
• A review of the built-in correlation directives from AlienVault Labs
• How to write your own correlation directives based on events from one or more sources
• How to turn correlation information into actionable alarms
• How to use correlations to enforce your security policies
Logical Correlation
• New events are generated using the information provided by detectors and monitors.
• Logical correlation is configured using correlation directives.
• New events have new priority and reliability values.
• Directives are defined through logical trees, in which the horizontal axis defines an OR operation and the vertical one defines an AND operation.
[Figure: a directive tree with rule 1 at correlation level 1, rules 2a and 2b at correlation level 2, and rules 3a, 3b, 3c and 3d at correlation level 3.]
Logical Correlation: Directives Examples
Configuration > Threat Intelligence > Directives
Alarms
• Alarms are special events that may depend on other events.
• Alarms require investigation and remediation.
Analysis > Alarms
• An overview of alarms per type, frequency, and time.
• A list of alarms.
• Toggle search.
• Specify the search filter.
• Alarm intent.
• Time window.
• Select the time window and intent.
Search and Filter
• Use search if you are interested in specific alarms.
• Alternatively, click a blue circle to see the alarms with a specific intent and within a specific time window.
• Sort alarms.
• Alarm with OTX feed.
• Click an alarm to see more information.
• Alarm is still being correlated.
• Close or delete the alarm if it is a false positive.
Alarms List
• Pay attention to alarms with OTX data.
• Sort alarms by risk and examine the high-risk alarms first.
• Alarms that are still being correlated cannot be edited.
• Examine the source(s) and destination(s).
• Directive event.
• Individual event that triggered the directive event.
• Click an event to see details.
• Read the knowledge base.
• Correlation level.
Examine Alarm Details
• Examine details about the alarm.
• Normalized event information.
• SIEM information.
• Read the knowledge base.
• Examine the offending packet.
Examine Event Details
Customizing correlation directives
• Clone directive.
• Delete directive.
• Edit directive.
• Disable directive.
Logical Correlation
• Logical correlation uses correlation directives to detect attacks.
• By default, AlienVault USM includes more than 2,100 built-in directives.
• Users can customize existing directives or create custom ones.
• Directives can be edited or created in the graphical editor or by editing XML files.
Global Properties
Correlation Directives
<directive id="28012" name="AV Network attack, too many dropped inbound packets from DST_IP" priority="2">
Name of the directive, which becomes the name of the generated event/alert.
ID of the directive:
• All correlation events have 1505 as plugin ID
• The event type ID is the ID of the directive
• Reserved range for user-defined directives: 500,000-1,000,000
Priority of the directive (impact of this attack in your network):
• All events generated within this directive will have their priority set to the global priority value of the correlation directive
Correlation Rules
Correlation Directives (Cont.)
• Correlation directives are composed of multiple rules.
• Rules define conditions to match incoming events.
• When a condition is met:
  • If this is the last level of the directive, then create a new event.
  • If there are further levels, wait for more incoming events.
• Add rule.
• Clone rule.
• Delete rule.
• Change the level of a rule.
Correlation Process
• Incoming events are matched by started directives first.
• If the events do not match started directives, they are matched against all other directives.
• Events can be correlated by several directives.
• Attributes in a rule can be sticky or sticky different.
[Figure: a server connecting to six servers. With DST_PORT STICKY, six connections all to port 80 produce a single directive event; with DST_PORT STICKY DIFFERENT, six connections to ports 22, 23, 25, 53, 80 and 443 produce a single directive event.]
Example: Denial of Service Attack
Create Custom Correlation Directive
• Many connections from a single host (with a bad reputation) may indicate a DoS attack attempt.
• Firewall events (detector data source) can be checked for connections.
• A monitor data source can be used to verify whether the service is still up after a suspected attack.
[Figure: the four correlation levels of the directive. Correlation level 1: 1 ACCEPT event from the firewall, port 139, source A. Correlation level 2: 100 ACCEPT events from the firewall, port 139, source A. Correlation level 3: 1000 ACCEPT events from the firewall, port 139, source A. Correlation level 4: is the service still up?]
Configuration Tasks
Create Custom Correlation Directive (Cont.)
1. Create a new directive.
2. Create a correlation level 1 rule.
3. Create a subsequent correlation rule.
4. Repeat task 3 until you have configured all correlation rules.
5. Restart the server.
• Specify directive properties.
• Create new directive.
Task 1: Create New Directive
Create Custom Correlation Directive (Cont.)
Configuration > Threat Intelligence > Directives
Task 2: Create Correlation Level 1 Rule
Create Custom Correlation Directive (Cont.)
• Specify the rule name and the data source plugin and event type ID(s).
• Only detector data sources can be used in the first correlation level.
Task 2: Create Correlation Level 1 Rule (Cont.)
Create Custom Correlation Directive (Cont.)
• Specify source and destination IP address(es).
• Specify source and destination ports.
• Optionally include OTX data.
• Select rule reliability.
• Set reliability as an absolute or relative value.
• Inherit settings from the parent rule.
• Add child rule.
Task 3: Create Correlation Level 2 Rule
Create Custom Correlation Directive (Cont.)
• The process of adding the second rule is similar to adding the first one.
• There is an option to inherit source and destination IP addresses and ports from a parent rule.
Task 3: Create Correlation Level 2 Rule (Cont.)
Create Custom Correlation Directive (Cont.)
• Timeout and occurrence values have to be edited after adding the rule.
• Click the value to edit it.
Task 4: Create Correlation Level 3 Rule
Create Custom Correlation Directive (Cont.)
• The process of adding a level 3 rule is the same as adding a level 2 rule.
• Increase the reliability of the event when more occurrences are detected.
Task 5: Create Correlation Level 4 Rule
Create Custom Correlation Directive (Cont.)
• Add a monitor data source plugin to verify whether the service is still up.
• The other steps are the same as in the previous tasks.
• Add child rule.
• Inherit settings from the parent rule.
Task 5: Create Correlation Level 4 Rule (Cont.)
Create Custom Correlation Directive (Cont.)
• Timeout and occurrence values have different meanings in monitor rules.
• Click the value to edit it.
Task 6: Restart Server
Create Custom Correlation Directive (Cont.)
• Changes are applied by restarting the server.
• Restarting the server stops the correlation process.
• Restart server.
Resulting XML File
Create Custom Correlation Directive (Cont.)
```xml
<directive id="500003" name="DoS attack to NetBIOS" priority="2">
  <rule type="detector" name="Established connections" from="ANY" to="10.177.76.249" port_from="ANY"
        port_to="139" from_rep="true" from_rep_min_pri="3" from_rep_min_rel="3" reliability="0" occurrence="1"
        plugin_id="1636" plugin_sid="106102">
    <rules>
      <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_from="ANY"
            port_to="1:DST_PORT" reliability="+2" occurrence="100" time_out="30" plugin_id="1636"
            plugin_sid="1:PLUGIN_SID">
        <rules>
          <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP"
                port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="1000" time_out="30" plugin_id="1636"
                plugin_sid="1:PLUGIN_SID">
            <rules>
              <rule type="monitor" name="Service up" from="1:SRC_IP" to="1:DST_IP" port_from="ANY"
                    port_to="1:DST_PORT" reliability="+6" occurrence="1" time_out="1" plugin_id="2008" plugin_sid="2"/>
            </rules>
          </rule>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>
```
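An added worked example (not AlienVault or OSSIM code) of the correlation process described above: it parses this directive XML and walks constructed firewall ACCEPT events through the four levels, showing how the "1:SRC_IP"-style references pin the later levels to the level-1 match, how the "+2"/"+6" relative reliability accumulates, what the from_rep reputation gate does, and what happens when the 30-second time_out expires before 100 occurrences arrive. The event field names, the SRC_REP tuple, the monitor_query callback, the one-instance-per-directive simplification, sample_accepts and the 198.51.100.7 sample source are assumptions of the example.

```python
"""Toy walk of the page's logical-correlation process over the DoS-to-NetBIOS directive.
Added example, not AlienVault/OSSIM code. Event field names, the single-instance
simplification and the monitor_query callback are assumptions of this example."""
import xml.etree.ElementTree as ET

DIRECTIVE_XML = """\
<directive id="500003" name="DoS attack to NetBIOS" priority="2">
<rule type="detector" name="Established connections" from="ANY" to="10.177.76.249" port_from="ANY" port_to="139"
 from_rep="true" from_rep_min_pri="3" from_rep_min_rel="3" reliability="0" occurrence="1" plugin_id="1636" plugin_sid="106102">
<rules>
<rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT"
 reliability="+2" occurrence="100" time_out="30" plugin_id="1636" plugin_sid="1:PLUGIN_SID">
<rules>
<rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT"
 reliability="+2" occurrence="1000" time_out="30" plugin_id="1636" plugin_sid="1:PLUGIN_SID">
<rules>
<rule type="monitor" name="Service up" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT"
 reliability="+6" occurrence="1" time_out="1" plugin_id="2008" plugin_sid="2"/>
</rules></rule></rules></rule></rules></rule></directive>
"""

CORRELATION_PLUGIN_ID = 1505                    # every correlation event carries this plugin id (page)
USER_DIRECTIVE_IDS = range(500_000, 1_000_001)  # reserved id range for user-defined directives (page)
FIELD_FOR_ATTR = {"from": "SRC_IP", "to": "DST_IP", "port_from": "SRC_PORT",  # rule attribute ->
                  "port_to": "DST_PORT", "plugin_id": "PLUGIN_ID", "plugin_sid": "PLUGIN_SID"}  # event field

def parse_directive(xml_text):
    """Return (directive attributes, rule dicts ordered by level) for a single AND chain."""
    root = ET.fromstring(xml_text)
    if int(root.attrib["id"]) not in USER_DIRECTIVE_IDS:
        raise ValueError("user-defined directives must use ids 500,000-1,000,000")
    levels, node = [], root.find("rule")
    while node is not None:
        levels.append(dict(node.attrib))
        node = node.find("rules/rule")      # first child only: the page's example tree is vertical
    return dict(root.attrib), levels

def resolve(value, matched):
    """Expand 'N:FIELD' to that field of the event that completed level N (1-based)."""
    if ":" in value:
        lvl, field = value.split(":", 1)
        return str(matched[int(lvl) - 1][field])
    return value

def rule_matches(rule, event, matched):
    if rule.get("from_rep") == "true":      # OTX reputation gate on the source address
        rep = event.get("SRC_REP")          # assumed (priority, reliability) tuple, or None
        if rep is None or rep[0] < int(rule["from_rep_min_pri"]) or rep[1] < int(rule["from_rep_min_rel"]):
            return False
    for attr, field in FIELD_FOR_ATTR.items():
        want = rule.get(attr, "ANY")
        if want != "ANY" and resolve(want, matched) != str(event[field]):
            return False
    return True

def apply_reliability(current, spec):
    """'+2' is relative to the running value, '5' is absolute (the page's two options)."""
    return current + int(spec) if spec.startswith("+") else int(spec)

def correlate(xml_text, events, monitor_query):
    """Walk events (dicts with a TS timestamp) through the levels; return directive events.
    A level completes when its occurrence count is reached within time_out seconds of the
    previous level; expiry drops the instance. Monitor levels call monitor_query(rule, matched)."""
    info, levels = parse_directive(xml_text)
    emit = lambda lvl, rel: {"PLUGIN_ID": CORRELATION_PLUGIN_ID, "PLUGIN_SID": int(info["id"]),
                             "level": lvl, "priority": int(info["priority"]), "reliability": rel}
    out, matched, level, count, rel, started = [], [], 0, 0, 0, None
    for ev in sorted(events, key=lambda e: e["TS"]):
        if started is not None and ev["TS"] - started > int(levels[level]["time_out"]):
            matched, level, count, started = [], 0, 0, None     # window expired: start over
        if not rule_matches(levels[level], ev, matched):
            continue
        count += 1
        if count < int(levels[level]["occurrence"]):
            continue
        matched.append(ev)                                      # this event completes the level
        rel = apply_reliability(rel, levels[level]["reliability"])
        out.append(emit(level + 1, rel))
        level, count, started = level + 1, 0, ev["TS"]
        while level < len(levels) and levels[level]["type"] == "monitor":
            if not monitor_query(levels[level], matched):
                break
            rel = apply_reliability(rel, levels[level]["reliability"])
            out.append(emit(level + 1, rel))
            level += 1
        if level == len(levels):
            return out                                          # last level reached
    return out

def sample_accepts(n, gap):
    """Constructed firewall ACCEPT events: one OTX-flagged source hitting 10.177.76.249:139."""
    return [{"TS": i * gap, "SRC_IP": "198.51.100.7", "DST_IP": "10.177.76.249", "SRC_PORT": 40000 + i,
             "DST_PORT": 139, "PLUGIN_ID": 1636, "PLUGIN_SID": 106102, "SRC_REP": (4, 5)}
            for i in range(n)]

if __name__ == "__main__":
    for e in correlate(DIRECTIVE_XML, sample_accepts(1101, 0.01), lambda rule, matched: True):
        print(f"level {e['level']}: plugin {e['PLUGIN_ID']} sid {e['PLUGIN_SID']} reliability {e['reliability']}")
```

With 1101 accepts inside the window the walk emits one directive event per level with reliability 0, 2, 4 and 10; spread one second apart, the level-2 window expires after 30 events and the instance restarts at level 1 each time.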
Best Practices
Create Custom Correlation Directive (Cont.)
Directives should not always generate alarms:
• Use reasonable priority and reliability values to ease incident management
Use the existing directives to:
• Learn how directives are configured
• Adapt them to your environment and needs
Look for multiple types of events:
• Bad authentication types
• Discarded packets due to different violations
USM Sizing Examples
• Single location with less than 1000 EPS
• Multiple locations with less than 2500 EPS
• Enterprise deployment: many locations, with a Logger
Contact us: 888.613.6023, ALIENVAULT.COM, HELLO@ALIENVAULT.COM
• Weekly Threat Intelligence update summaries are posted in the AlienVault forum
• Hands-on 5-day training classes delivered in person or "live on-line": email training@alienvault.com for more info
• Subscribe to the AlienVault blogs for more info on emerging threats and security best practices
AlienVault
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligence
AlienVault
 
Security by Collaboration: Rethinking Red Teams versus Blue Teams
Security by Collaboration: Rethinking Red Teams versus Blue TeamsSecurity by Collaboration: Rethinking Red Teams versus Blue Teams
Security by Collaboration: Rethinking Red Teams versus Blue Teams
AlienVault
 
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
AlienVault
 
Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown
AlienVault
 
Planning your 2015 Threat Detection Strategy with a Broken Crystal Ball
Planning your 2015 Threat Detection Strategy with a Broken Crystal BallPlanning your 2015 Threat Detection Strategy with a Broken Crystal Ball
Planning your 2015 Threat Detection Strategy with a Broken Crystal Ball
AlienVault
 

More from AlienVault (17)

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMInsider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligence
 
Security by Collaboration: Rethinking Red Teams versus Blue Teams
Security by Collaboration: Rethinking Red Teams versus Blue TeamsSecurity by Collaboration: Rethinking Red Teams versus Blue Teams
Security by Collaboration: Rethinking Red Teams versus Blue Teams
 
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
 
Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown
 
Planning your 2015 Threat Detection Strategy with a Broken Crystal Ball
Planning your 2015 Threat Detection Strategy with a Broken Crystal BallPlanning your 2015 Threat Detection Strategy with a Broken Crystal Ball
Planning your 2015 Threat Detection Strategy with a Broken Crystal Ball
 

Improve Security Visibility with AlienVault USM Correlation Directives

  • 1. Improve Security Visibility with AlienVault USM Correlation Directives (title slide).
  • 2. Agenda: a review of the built-in correlation directives from AlienVault Labs; how to write your own correlation directives based on events from one or more sources; how to turn correlation information into actionable alarms; how to use correlations to enforce your security policies.
  • 3. Logical Correlation: New events are generated using the information provided by detectors and monitors. Correlation is configured using correlation directives. New events will have new priority and reliability values. Directives are defined through logical trees, in which the horizontal axis defines an OR operation and the vertical one defines an AND operation. (Figure: a tree with node 1 at correlation level 1, nodes 2a and 2b at correlation level 2, and nodes 3a, 3b, 3c and 3d at correlation level 3.)
  • 5. Directives Examples (Configuration > Threat Intelligence > Directives).
  • 6. Alarms: Alarms are special events that may depend on other events. Alarms require investigation and remediation. The Analysis > Alarms page shows an overview of alarms per type, frequency, and time, followed by a list of alarms.
  • 7. Search and Filter: Utilize search if interested in specific alarms. Alternatively, click a blue circle to see alarms with a specific intent and within a specific time window. (Screenshot callouts: toggle search; specify search filter; alarm intent; time window; select time window and intent.)
  • 8. Alarms List: Pay attention to alarms with OTX data. Sort alarms by risk and examine the high-risk alarms first. Alarms that are still being correlated cannot be edited. (Screenshot callouts: sort alarms; alarm with OTX feed; click alarm to see more information; alarm is still being correlated; close or delete alarm if false positive.)
  • 9. Examine Alarm Details: Examine details about the alarm. (Screenshot callouts: examine source(s) and destination(s); directive event; individual event that triggered the directive event; click an event to see details; read the knowledge base; correlation level.)
  • 10. Examine Event Details. (Screenshot callouts: normalized event information; SIEM information; read the knowledge base; examine the offending packet.)
  • 12. Logical Correlation: Logical correlation uses correlation directives to detect attacks. By default, AlienVault USM includes more than 2,100 built-in directives. Users can customize existing directives or create custom ones. Directives can be edited or created in the graphical editor or by editing XML files. (Screenshot callouts: clone directive; delete directive; edit directive; disable directive.)
  • 13. Correlation Directives, Global Properties: <directive id="28012" name="AV Network attack, too many dropped inbound packets from DST_IP" priority="2">. The name of the directive becomes the name of the generated event/alert. The ID of the directive: all correlation events have 1505 as plugin ID; the event type ID is the ID of the directive; the range 500,000-1,000,000 is reserved for user-defined directives. The priority of the directive (the impact of this attack in your network): all events generated within this directive will have their priority set to the global priority value of the correlation directive.
  • 14. Correlation Directives (Cont.), Correlation Rules: Correlation directives are composed of multiple rules. Rules define conditions to match incoming events. When a condition is met: if this is the last level of the directive, a new event is created; if there are further levels, the directive waits for more incoming events. (Screenshot callouts: add rule; clone rule; delete rule; change level of a rule.)
  • 15. Correlation Process: Incoming events are matched by started directives first. If the events do not match started directives, they are matched against all other directives. Events can be correlated by several directives. Attributes in a rule can be sticky or sticky different. (Figure: with DST_PORT STICKY, six connections from Server to Servers, all on port 80, produce a single directive event; with DST_PORT STICKY DIFFERENT, six connections on ports 22, 23, 25, 53, 80 and 443 produce a single directive event.)
  • 16. Create Custom Correlation Directive, Example: Denial of Service Attack: Many connections from a single host (with a bad reputation) may indicate a DoS attack attempt. Firewall events (detector data source) can be checked for connections. A monitor data source can be used to verify whether the service is still up after a suspected attack. (Figure: correlation level 1, 1 ACCEPT event from the firewall, port 139, source A; correlation level 2, 100 ACCEPT events from the firewall, port 139, source A; correlation level 3, 1000 ACCEPT events from the firewall, port 139, source A; correlation level 4, is the service still up?)
  • 17. Create Custom Correlation Directive (Cont.), Configuration Tasks: 1. Create a new directive. 2. Create a correlation level 1 rule. 3. Create a subsequent correlation rule. 4. Repeat task 3 until you have configured all correlation rules. 5. Restart the server.
  • 18. Task 1: Create New Directive (Configuration > Threat Intelligence > Directives): create the new directive and specify the directive properties.
  • 19. Task 2: Create Correlation Level 1 Rule: Specify the rule name, the data source plugin and the event type ID(s). Only detector data sources can be used in the first correlation level.
  • 20. Task 2: Create Correlation Level 1 Rule (Cont.): Specify source and destination IP address(es). Specify source and destination ports. Optionally include OTX data. Select the rule reliability.
  • 21. Task 3: Create Correlation Level 2 Rule: The process of adding the second rule is similar to adding the first one. There is an option to inherit source and destination IP addresses and ports from a parent rule. (Screenshot callouts: set reliability as an absolute or relative value; inherit settings from parent rule; add child rule.)
  • 22. Task 3: Create Correlation Level 2 Rule (Cont.): Timeout and occurrence values have to be edited after adding the rule. Click the value to edit it.
  • 23. Task 4: Create Correlation Level 3 Rule: The process of adding the level 3 rule is the same as adding the level 2 rule. Increase the reliability of an event when more occurrences are detected.
  • 24. Task 5: Create Correlation Level 4 Rule: Add a monitor data source plugin to verify whether the service is still up. The other steps are the same as in the previous tasks. (Screenshot callouts: add child rule; inherit settings from parent rule.)
  • 25. Task 5: Create Correlation Level 4 Rule (Cont.): Timeout and occurrence values have different meanings in monitor rules. Click the value to edit it.
  • 26. Task 6: Restart Server: Changes are applied by restarting the server. Restarting the server stops the correlation process.
  • 27. Create Custom Correlation Directive (Cont.), Resulting XML File:
    <directive id="500003" name="DoS attack to NetBIOS" priority="2">
      <rule type="detector" name="Established connections" from="ANY" to="10.177.76.249" port_from="ANY" port_to="139" from_rep="true" from_rep_min_pri="3" from_rep_min_rel="3" reliability="0" occurrence="1" plugin_id="1636" plugin_sid="106102">
        <rules>
          <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="100" time_out="30" plugin_id="1636" plugin_sid="1:PLUGIN_SID">
            <rules>
              <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="1000" time_out="30" plugin_id="1636" plugin_sid="1:PLUGIN_SID">
                <rules>
                  <rule type="monitor" name="Service up" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT" reliability="+6" occurrence="1" time_out="1" plugin_id="2008" plugin_sid="2"/>
                </rules>
              </rule>
            </rules>
          </rule>
        </rules>
      </rule>
    </directive>
  • 28. Create Custom Correlation Directive (Cont.), Best Practices: Directives should not always generate alarms; use reasonable priority and reliability values to ease incident management. Use the existing directives to learn how directives are configured and to adapt them to your environment and needs. Look for multiple types of events: bad authentication types; discarded packets due to different violations.
  • 29. USM Sizing Examples: a single location with less than 1000 EPS; multiple locations with less than 2500 EPS; an enterprise deployment with many locations and a Logger.
  • 30. Customer Sizing Examples: a single location with less than 1000 EPS; multiple locations with less than 2500 EPS; an enterprise deployment with many locations and a Logger.
  • 31. Contact: 888.613.6023, ALIENVAULT.COM, HELLO@ALIENVAULT.COM. Weekly Threat Intelligence update summaries are posted in the AlienVault forum. Hands-on 5-day training classes are delivered in-person or "live on-line" (email training@alienvault.com for more info). Subscribe to the AlienVault blogs for more info on emerging threats and security best practices.
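Slide 15 explains sticky and sticky different attributes with a figure. The following Python snippet is an added example, not code from the slides or from AlienVault USM: it counts how many events a single rule would accept for one attribute under each matching mode, using constructed connection events shaped like the figure's two cases (six connections to port 80, and six connections to ports 22, 23, 25, 53, 80 and 443). The "flood" and "sweep" labels in `classify` are mine, not USM terminology.

```python
# Constructed connection events modelled on the slide 15 figure (not data from the page).
FLOOD = [{"src_ip": "10.0.0.5", "dst_port": 80} for _ in range(6)]
SWEEP = [{"src_ip": "10.0.0.5", "dst_port": p} for p in (22, 23, 25, 53, 80, 443)]
MIXED = [{"src_ip": "10.0.0.5", "dst_port": p} for p in (80, 80, 22, 80, 443)]


def count_matches(events, attr, mode="plain"):
    """Count the events one rule accepts for attribute `attr`.

    plain:            the attribute is unconstrained, every event is accepted;
    sticky:           the value is fixed by the first accepted event (DST_PORT STICKY);
    sticky_different: each accepted event must bring a value not accepted before
                      (DST_PORT STICKY DIFFERENT).
    """
    seen, matched = [], 0
    for ev in events:
        value = ev[attr]
        if mode == "sticky" and seen and value != seen[0]:
            continue  # different value than the one the rule locked onto
        if mode == "sticky_different" and value in seen:
            continue  # repeated value does not count toward the occurrence
        seen.append(value)
        matched += 1
    return matched


def rule_fires(events, attr, mode, occurrence):
    """A rule with occurrence=N completes once N events have been accepted."""
    return count_matches(events, attr, mode) >= occurrence


def classify(events):
    """Which of the figure's two patterns a batch of six events forms (labels are mine)."""
    if rule_fires(events, "dst_port", "sticky", 6):
        return "flood"      # six connections to the same port
    if rule_fires(events, "dst_port", "sticky_different", 6):
        return "sweep"      # six connections to six distinct ports
    return "neither"


if __name__ == "__main__":
    for name, batch in (("FLOOD", FLOOD), ("SWEEP", SWEEP), ("MIXED", MIXED)):
        print(name, classify(batch), count_matches(batch, "dst_port", "sticky"),
              count_matches(batch, "dst_port", "sticky_different"))
```

The same six events therefore satisfy an occurrence="6" rule under exactly one of the two modes, which is why the figure shows a single directive event in each case; the MIXED batch shows that with sticky only the events matching the first port count, while with sticky different only the first event of each port counts.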
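Slides 16 through 27 build the DoS directive step by step and end with its XML. The following Python script is an added example, not code from the slides or from AlienVault USM: it parses that XML (with the stray typographic quote in the first rule's `to` attribute corrected so it is well-formed), walks the rule tree, and evaluates the directive against a constructed stream of firewall ACCEPT events, reporting the deepest correlation level completed and the accumulated reliability. It makes these simplifying assumptions: the `LEVEL:FIELD` references resolve against the first event matched at that level; a level's `time_out` window starts at the event that completed the previous level; a monitor rule is answered by a callback (`service_up` below) and its own `occurrence` and `time_out` are ignored; and `from_rep` thresholds are checked against constructed `rep_pri`/`rep_rel` fields standing in for OTX reputation. The plugin IDs, SIDs, addresses and ports come from the slide's XML; the event stream, the source address and the reputation values are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Directive from slide 27 (typographic quote in the first to="..." attribute corrected so it parses).
DIRECTIVE_XML = """<directive id="500003" name="DoS attack to NetBIOS" priority="2">
 <rule type="detector" name="Established connections" from="ANY" to="10.177.76.249" port_from="ANY" port_to="139"
       from_rep="true" from_rep_min_pri="3" from_rep_min_rel="3" reliability="0" occurrence="1" plugin_id="1636" plugin_sid="106102">
  <rules><rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT"
               reliability="+2" occurrence="100" time_out="30" plugin_id="1636" plugin_sid="1:PLUGIN_SID">
   <rules><rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT"
                reliability="+2" occurrence="1000" time_out="30" plugin_id="1636" plugin_sid="1:PLUGIN_SID">
    <rules><rule type="monitor" name="Service up" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT"
                 reliability="+6" occurrence="1" time_out="1" plugin_id="2008" plugin_sid="2"/></rules>
   </rule></rules>
  </rule></rules>
 </rule>
</directive>"""


@dataclass
class Event:
    """One normalized event; rep_pri/rep_rel are constructed stand-ins for OTX source reputation."""
    ts: float
    plugin_id: int
    plugin_sid: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    rep_pri: int = 0
    rep_rel: int = 0


FIELDS = {"SRC_IP": "src_ip", "DST_IP": "dst_ip", "SRC_PORT": "src_port",
          "DST_PORT": "dst_port", "PLUGIN_SID": "plugin_sid"}
ATTRS = {"plugin_id": "plugin_id", "plugin_sid": "plugin_sid", "from": "src_ip",
         "to": "dst_ip", "port_from": "src_port", "port_to": "dst_port"}


def resolve(value, ctx):
    """ANY -> no constraint; LEVEL:FIELD -> value of the event that opened that level; else a literal."""
    if value == "ANY":
        return None
    if ":" in value:  # back-reference (IPv6 literals are not handled in this demo)
        lvl, field = value.split(":", 1)
        return getattr(ctx[int(lvl)], FIELDS[field])
    return value


def matches(rule, ev, ctx):
    """Apply every attribute constraint of one rule to one event."""
    for attr, field in ATTRS.items():
        want = resolve(rule.get(attr, "ANY"), ctx)
        if want is not None and str(want) != str(getattr(ev, field)):
            return False
    if rule.get("from_rep") == "true":  # source must carry reputation at or above both thresholds
        return (ev.rep_pri >= int(rule.get("from_rep_min_pri", "0"))
                and ev.rep_rel >= int(rule.get("from_rep_min_rel", "0")))
    return True


def apply_reliability(current, spec):
    """'+2' is relative to the previous level, '5' is an absolute value (slide 21)."""
    return current + int(spec) if spec.startswith("+") else int(spec)


def correlate(rule, events, idx, ctx, level, reliability, window_start, monitor):
    """Depth-first walk of one rule and its children.
    Returns (deepest level completed, reliability) or None if this rule never completes."""
    if rule.get("type") == "monitor":  # monitor rules query a plugin instead of waiting for events
        ok = monitor(int(rule.get("plugin_id")), int(rule.get("plugin_sid")), ctx)
        return (level, apply_reliability(reliability, rule.get("reliability", "0"))) if ok else None
    need, seen = int(rule.get("occurrence", "1")), 0
    timeout = float(rule.get("time_out", "inf"))  # level 1 has no time_out and waits indefinitely
    for i in range(idx, len(events)):
        ev = events[i]
        if ev.ts - window_start > timeout:
            return None  # time_out elapsed before `occurrence` matching events arrived
        if not matches(rule, ev, ctx):
            continue
        seen += 1
        if seen == 1:
            ctx[level] = ev  # first match at this level anchors LEVEL:FIELD back-references
        if seen == need:
            reliability = apply_reliability(reliability, rule.get("reliability", "0"))
            best = (level, reliability)
            for child in rule.findall("rules/rule"):  # sibling rules are OR branches (horizontal axis)
                res = correlate(child, events, i + 1, dict(ctx), level + 1, reliability, ev.ts, monitor)
                if res and res[0] > best[0]:
                    best = res
            return best
    return None


def run_directive(xml_text, events, monitor):
    """Evaluate one directive against an ordered event list and describe the resulting directive event."""
    root = ET.fromstring(xml_text)
    best = (0, 0)
    for rule in root.findall("rule"):
        res = correlate(rule, events, 0, {}, 1, 0, events[0].ts if events else 0.0, monitor)
        if res and res[0] > best[0]:
            best = res
    return {"name": root.get("name"), "priority": int(root.get("priority")),
            "level": best[0], "reliability": best[1]}


def make_flood(n, step=0.01, src="198.51.100.7", rep=(4, 5)):
    """Constructed firewall ACCEPT events (plugin 1636 / sid 106102 as in the XML) to 10.177.76.249:139."""
    return [Event(i * step, 1636, 106102, src, "10.177.76.249", 40000 + i, 139, *rep) for i in range(n)]


def service_up(plugin_id, plugin_sid, ctx):
    return True  # constructed monitor answer: the NetBIOS service still responds


if __name__ == "__main__":
    print(run_directive(DIRECTIVE_XML, make_flood(1101), service_up))
```

With 1,101 fast events from a source that carries reputation, all four levels complete and the reliability climbs 0, +2, +2, +6 to 10 at the directive's global priority of 2. Stretch the same events over one per second and level 2 never sees its 100 occurrences inside the 30-second window, so the directive stalls at level 1 with reliability 0; answer the monitor with "service down" and it stops at level 3 with reliability 4; remove the reputation and the first rule never matches at all. This is the behaviour slide 28 relies on when it says directives should not always generate alarms: the reliability, and therefore the alarm, only rises as each level's evidence actually arrives.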

Editor's Notes

  1. Welcome, thanks for joining – My name is Garrett Gross, Sr Tech PMM @ AlienVault. We wanted to take some time to talk about the recent bash shell exploit (known as “shellshock”). Understandably, there is a lot of confusion surrounding the shellshock vulnerability, how attackers are exploiting this vulnerability, and how to protect yourself against it. But first – I’d like to tell you a bit about AlienVault.