Creating Correlation custom rules with the Correlation Rule Builder
EventLog Analyzer comes equipped with a custom correlation rule builder, which allows you to form custom rules easily by combining various network actions, and specifying the threshold limits and filter criteria as per expected attack patterns in your organization. This enables you to create a highly flexible and powerful rule set that suits your specific organizational environment.
To open the correlation rule builder, click on the Correlation tab of the product. Click on Manage Rules on the top right of the tab and select +Create Correlation Rule on the top right. Creating a custom rule involves the steps described below.
To know more about what correlation is, how correlation rules are structured, and more, see Understanding correlation.
To create correlation rules, select one or more actions from the following groups:
- General Events
- MITRE ATT&CK TTP(S)
- Custom Actions
Building a new rule
To build a new rule, follow the below steps:
- Select the individual actions that make up the rule, from the categorized list of actions on the left of the screen.
- You can also search for actions using the search bar on top of the list.
- You can drag and drop the actions to rearrange their order, or delete an action by clicking on the delete icon on its right.
- To detect repetition of the same action within a particular time interval, tick the Threshold limit check box and enter the number of occurrences and time interval.
- For each action, specify the time interval within which it is to be followed by the next action, under the 'Followed by within' label. You can specify the time interval in seconds or minutes by using the provided dropdown.
- To configure advanced options for any of the selected actions, click Filters on the top right corner of the action.
Each action in a correlation rule corresponds to a log. Logs contain various fields, and each field has a specific value. With advanced options (found under Filters on the right of the action), you can provide filter criteria for each field of the log/action, specify a threshold limit on the minimum number of repetitions of the action, and also bunch the filter criteria into groups, which can be used to create rules for complex scenarios.
- You can select a filter field from the dropdown list provided. It is to be noted that the filters provided in the dropdown may vary based on the action selected.
- From the dropdown list provided, you can select the comparison type as one among the following: equals, contains, starts with, ends with, less than, greater than, between, is malicious, not equals, not contains, not starts with, not ends with, not between, link to, is constant, or is variable.
Note: When you provide more than one value for an equals comparison, the set of values provided are treated as a list of possible values and the action is accepted if any one value from the list is true. The same holds true for the contains, starts with, ends with, less than, greater than, and between comparisons.
When you provide more than one value for a not equals comparison, all of the values provided must hold true for the action to be accepted. The same holds true for the not contains, not starts with, not ends with, and not between comparisons.
Less than, greater than, between, and not between conditions are applicable only for IP, port number, and privilege fields.
Port range is between 0 and 65535.
Privilege range is between 1 and 15.
The link to comparison type is used to check the value of the selected field against the value of a field in another action (belonging to the same rule). For instance, if the field Device type of Action 1 is linked to Action 2's Device type value, then Action 1 would get triggered only if the value of both the linked fields are the same.
When you choose link to, an icon appears at the end of the filter. Clicking on the icon opens a new tab.
Click the check box corresponding to the field of the second action against which you want to compare the value of the previous action. Click OK to complete linking the two actions.
Note: Using the link to condition, you cannot link a field to another one having the is variable condition.
The 'is constant' condition is used to treat a field as constant. When you select this condition, the action will get triggered only when the field's value remains the same in all iterations. For instance, if the is constant condition is applied for the 'Target User' field in an action, the action would get triggered when the value of this field is the same in all iterations. The action doesn't get triggered if events are generated with different values for that field.
The 'is variable' condition is used to treat a field as a variable. When you select this condition, this action will get triggered when the field's value keeps changing each time it is checked. For instance, if the is variable condition is applied for the 'Target User' field in an action, the action would get triggered when the value of the field is different in each iteration.
Note: A field having the is variable condition cannot be linked to another one using the link to condition.
The 'is malicious' condition is available only for IP address fields. It can be used to check if the detected IP address is present in the predefined list of malicious IP addresses that the product has stored in the internal database.
- Specify the value to be compared against the selected field directly in the corresponding textbox.
- To add another filter to the same log/action, click the icon on the right side of the value textbox. The new filter gets added on the next line.
- You can choose whether a filter is logically ANDed or ORed with the previous one by selecting AND or OR from the dropdown list on the left side of the second filter.
- You can delete a filter by clicking on the icon on its right.
- Filters can be collected together by creating groups. This would help to create correlation rules for complex scenarios. To create a new group, click +Add group on the bottom right corner of a log/action.
- Select the criteria for the filter in the new group. You can also add more filters to the new group.
- You can delete a group by clicking the Remove group icon on the top right of the group.
- You can choose if two groups are to be logically ANDed or ORed, by selecting AND or OR from the dropdown list present between the two groups.
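As an added illustration (not EventLog Analyzer's own code), the following models the filter semantics described above: positive comparisons given several values match if any value holds, negated comparisons only if all of them hold, filters and groups combine with AND/OR, and 'is constant'/'is variable' are checked across iterations. It assumes left-to-right evaluation of AND/OR (the page states no precedence) and uses constructed sample events.

```python
# Added example (not EventLog Analyzer code) of the filter semantics above:
# a positive comparison with several values matches if ANY value holds, a
# negated one only if ALL of its values hold. Filters in a group and groups
# in an action combine with AND/OR left to right (assumed; no precedence given).
BASE_OPS = {
    "equals": lambda a, v: a == v,
    "contains": lambda a, v: str(v) in str(a),
    "starts with": lambda a, v: str(a).startswith(str(v)),
    "ends with": lambda a, v: str(a).endswith(str(v)),
    "less than": lambda a, v: a < v,
    "greater than": lambda a, v: a > v,
    "between": lambda a, v: v[0] <= a <= v[1],  # v is an inclusive (low, high) pair
}

def compare(op, actual, value):
    """One comparison; 'not ...' forms invert the base comparison."""
    hit = BASE_OPS[op.replace("not ", "", 1)](actual, value)
    return hit if op in BASE_OPS else not hit

def match_filter(event, field, op, values):
    """Multi-value rule: any() for positive comparisons, all() for negated ones."""
    results = [compare(op, event.get(field, ""), v) for v in values]
    return any(results) if op in BASE_OPS else all(results)

def combine(parts):
    """parts: [(connector, bool), ...]; the first connector is ignored."""
    result = parts[0][1]
    for connector, value in parts[1:]:
        result = (result and value) if connector == "AND" else (result or value)
    return result

def match_action(event, groups):
    """groups: [(connector, [(connector, field, op, values), ...]), ...]"""
    return combine([(gc, combine([(fc, match_filter(event, f, op, vals))
                                  for fc, f, op, vals in filters]))
                    for gc, filters in groups])

def check_iterations(events, field, op):
    """'is constant': one value across all iterations; 'is variable': a new value each time."""
    seen = [e.get(field) for e in events]
    return len(set(seen)) == (1 if op == "is constant" else len(seen))

# Constructed sample events (not real logs): two failed logons, then an admin logon.
EVENTS = [{"event_id": 4625, "user": "svc_backup", "port": 3389},
          {"event_id": 4625, "user": "svc_backup", "port": 3389},
          {"event_id": 4624, "user": "admin", "port": 445}]
# Action filter: (failed logon AND port above 1023) OR user not starting with admin/guest
FAILED_LOGON = [("AND", [("AND", "event_id", "equals", [4625, 4771]),
                         ("AND", "port", "between", [(1024, 65535)])]),
                ("OR", [("AND", "user", "not starts with", ["admin", "guest"])])]
```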
Threshold limit filter
A threshold limit filter for an action allows you to specify the minimum number of times the action has to occur (within the time window specified for the action to follow from the previous action), for the rule to be triggered. To set a threshold limit, click on the Filters link on the right of the action, and select the Threshold Limit checkbox. In the text box provided, specify the minimum number of occurrences.
Note: If the action is the first action in the rule, then you should also provide a time window within which the repetitions have to be observed (as it is the first action and there is no preceding action or time window).
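As an added example (not EventLog Analyzer code), this sketches how a threshold on a first action plus a 'Followed by within' window could be evaluated over a timeline of events: the first action needs its own time window, as noted above, and the second action must follow within the configured interval. The timeline is constructed, and the assumption that the follow-up window starts at the occurrence that met the threshold is mine.

```python
# Added example (not EventLog Analyzer code) of threshold + 'Followed by within'
# evaluation. Action 1 must repeat at least `threshold` times inside `window`
# seconds (it is the first action, so it carries its own window); action 2 must
# then occur within `follow_within` seconds. Assumption: the follow-up window is
# measured from the occurrence of action 1 that last satisfied the threshold.
from collections import deque

def find_matches(events, first, threshold, window, second, follow_within):
    """events: sorted (timestamp_seconds, action_name) tuples.
    Returns a list of (time threshold was met, time of second action) hits."""
    hits = []
    recent = deque()        # timestamps of `first` inside the sliding window
    armed_at = None         # when the threshold was met, awaiting `second`
    for ts, action in events:
        if action == first:
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop expired repeats
                recent.popleft()
            if len(recent) >= threshold:
                armed_at = ts
        elif action == second and armed_at is not None:
            if ts - armed_at <= follow_within:
                hits.append((armed_at, ts))
            armed_at, recent = None, deque()            # one hit per burst
    return hits

# Constructed sample timeline (seconds, action): a burst of failed logons
# followed by a success, then an isolated failure/success pair much later.
TIMELINE = [(0, "Logon failure"), (10, "Logon failure"), (20, "Logon failure"),
            (25, "Logon failure"), (40, "Logon failure"), (55, "Logon success"),
            (500, "Logon failure"), (505, "Logon success")]

if __name__ == "__main__":
    # Rule: 5 failures within 60 s, followed by a success within 30 s
    print(find_matches(TIMELINE, "Logon failure", 5, 60, "Logon success", 30))
```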
Specifying rule configurations
Along with the rule definition, you can also provide some descriptive information to finish configuring the rule:
- Rule name: A unique name for the rule.
- Rule description: A short explanation describing the attack pattern that the rule checks for.
Click Save to save these rule configurations.
Once you have built the rule pattern and specified the configurations, click Create so that the rule gets saved and EventLog Analyzer can start correlating logs to check for this rule pattern.
You can choose whether a rule's report is displayed by clicking on its check box. The selected report is then shown on, or hidden from, the Correlation Custom Rules screen.
Create Custom Action
- To create a Custom Action, click on Manage Custom Actions.
- The Manage Custom Actions popup will open. In the top right corner, click on the "create new action" button.
- The Create Custom Action popup will open.
- Enter a name for the action and, if required, a description.
- Use the dropdowns provided to set the criteria for the action.
- Click on Create.
MITRE Correlation Actions
You can now create correlation rules utilizing the available correlation actions for MITRE ATT&CK TTP(s).
See the MITRE ATT&CK TTP(s) documentation to know more.