SIEM Use Case: Situational Awareness

Version 2

    1. Table of Contents

    2. Introduction

    In many environments, it is useful to have a single view that gives a high-level summary of suspicious activity occurring within a network. Putting this information in a single view gives information security staff and analysts the following benefits:

    • Important actionable intelligence at a glance
    • A logical workflow for reviewing suspicious activities
    • Rapid insight into any suspicious communications involving a company's Trusted and Critical systems

     

    In this example use case, we will go through the exercise of building out a basic set of customized content to accomplish these goals in the McAfee SIEM. By seeing the different processes involved in implementing a use case like this, you will gain a better understanding of how you can customize your own SIEM environment to meet your own needs.

    12SitAwarePopView.png

    Example Situational Awareness Dashboard

     

    When complete, we will have a single view that provides detailed summary data around suspicious communications within our enterprise network, as well as specific actionable details related to our most critical hosts.

     

    3. Prerequisites

    In order to complete the Situational Awareness use case, the following items are required.

     

    3.1 Data Sources

    The concept of Situational Awareness can mean many things. In our example use case, we will focus on a few common, important data sources of various types, including:

      • IPS/IDS
      • Firewalls and other devices that can provide perimeter and scan detection functionality
      • McAfee Global Threat Intelligence
      • 3rd party threat intelligence feeds, if desired

     

    4. Configuration and Build-out

    With the prerequisites out of the way, we can start building the use case within the McAfee ESM.

    4.1 Watchlists

    The first step we’ll take is to build a series of watchlists, which will serve as the foundation for our views, reports and correlation rules. Each of these lists will have a unique name, but will otherwise have identical properties.

     

    Watchlist 1: Restricted IPs

    This watchlist will contain any IPs that you will define as malicious or suspicious, based on your local experience. We’ll use this to augment threat intelligence feeds such as McAfee Global Threat Intelligence and 3rd party threat feeds. It will be used as a local blacklist.

      • Watchlist Type: Static
      • Data Type: IP Address

     

    Watchlist 2: Trusted Systems

    This watchlist will contain the IPs of hosts that you consider "trusted" to perform actions that your IPS/IDS might otherwise flag as suspicious and that would normally generate false positives. Examples are vulnerability scanners, backup servers, etc. It will be used as a local whitelist.

      • Watchlist Type: Static
      • Data Type: IP Address

     

    Watchlist 3: Critical Systems

    This watchlist will contain the IPs of hosts that are considered critical to your business's operations. Hosts on this list will receive extra inspection on our Situational Awareness dashboards.

      • Watchlist Type: Static
      • Data Type: IP Address

     

    Other Watchlists

    In the remainder of this document we'll use the above watchlists, combined with McAfee GTI watchlists to highlight noteworthy behaviors. You may consider incorporating other watchlists such as threat intelligence from 3rd parties.  See SIEM Foundations: Threat Feeds for a discussion on incorporating 3rd party threat feeds into your McAfee SIEM.

     

    Once your watchlists are defined, populate them with appropriate values.

     

    4.2 Correlation Rule(s)

    Next we will go through the exercise of creating a simple custom correlation rule. This rule will track all suspicious activity relating to systems on the Critical Systems watchlist and correlate it into a single event category for easy tracking.

     

    To create our custom correlation rule:

      1. To begin, click the "Correlation" icon CorrelationIcon.png on the top right of the screen to open the Correlation Policy Editor, and select "New > Correlation Rule".
        2CorrelationRule.png
      2. In the Name field enter Suspicious Activity with Critical Systems.
      3. Set the Severity field to 75.
      4. Click the 3NormalizationIcon.png  icon next to the Normalization ID field, select Suspicious Activity from the category list and click OK.
      5. Click the 4GroupByIcon.png  icon to the right of the Group By field.  When the Group By window opens, click on the Destination IP contained in the list to the left then click the right arrow 5rightarrowicon.png  icon to add it to the field on the right.
      6. From the field on the left, locate and find the Source IP criteria then click the right arrow 5rightarrowicon.png  icon again to add it to the field on the right.
      7. Click OK to close.
      8. Once you have the basic parameters for the rule configured as described above, set the rule logic as shown below.  This rule will trigger when we see interactions between systems on your "Critical Systems" watchlist and known suspicious hosts.

        The definition of "known suspicious hosts" in the example below is defined by the following watchlists:
        • GTI Malicious IPs (standard McAfee watchlist)
        • GTI Suspicious IPs (standard McAfee watchlist)
        • Restricted IPs (custom watchlist, defined above)

    You might choose to add or remove additional watchlists to this rule, depending on what you have available in your environment.

    6CorrelationRuleScreen.png

    When you save this rule, note the signature ID the ESM assigns to it (of the form 47-6000xxx). We will use it elsewhere in this use case.
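    To make the rule logic concrete, the following is an added Python model of the rule (example code written for this page, not McAfee ESM code and not an ESM API) run over a constructed set of events. The watchlist contents, event fields and IP addresses are assumptions for illustration; in the ESM the rule is built in the Correlation Policy Editor as described above.

```python
"""Added example: a Python model of the Section 4.2 correlation rule.

Illustration code for this page, not McAfee ESM code.  Watchlist contents,
event fields and IP addresses are invented (documentation ranges).
"""
from __future__ import annotations

from collections import defaultdict
from ipaddress import ip_address

# Section 4.1 watchlists plus the two standard GTI watchlists the rule uses
# (contents are assumptions; populate from your own environment).
GTI_MALICIOUS_IPS = {"198.51.100.7"}
GTI_SUSPICIOUS_IPS = {"203.0.113.45"}
RESTRICTED_IPS = {"192.0.2.99"}                  # local blacklist
TRUSTED_SYSTEMS = {"10.0.0.5"}                   # local whitelist, e.g. a vulnerability scanner
CRITICAL_SYSTEMS = {"10.0.1.10", "10.0.1.11"}

# "Known suspicious hosts" as the rule defines them: the union of the three lists.
SUSPICIOUS_IPS = GTI_MALICIOUS_IPS | GTI_SUSPICIOUS_IPS | RESTRICTED_IPS

# Rule parameters from steps 2-4.
RULE_NAME = "Suspicious Activity with Critical Systems"
RULE_SEVERITY = 75
RULE_NORMALIZATION = "Suspicious Activity"


def canon(ip: str) -> str:
    """Canonical text form, so e.g. '2001:DB8::1' and '2001:db8::1' hit the same entry."""
    return str(ip_address(ip))


def matches_rule(event: dict) -> bool:
    """Rule logic: one side on Critical Systems and the other on a suspicious
    watchlist, in either direction.  Trusted Systems is not consulted, exactly
    as the rule on the page is built."""
    src, dst = canon(event["src_ip"]), canon(event["dst_ip"])
    return (src in CRITICAL_SYSTEMS and dst in SUSPICIOUS_IPS) or (
        dst in CRITICAL_SYSTEMS and src in SUSPICIOUS_IPS
    )


def correlate(events: list[dict]) -> list[dict]:
    """Group matching base events by (Destination IP, Source IP), as the rule's
    Group By does, and emit one correlated event per group carrying the rule's
    severity and normalization."""
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            groups[(canon(ev["dst_ip"]), canon(ev["src_ip"]))].append(ev)
    return [
        {
            "rule": RULE_NAME,
            "severity": RULE_SEVERITY,
            "normalization": RULE_NORMALIZATION,
            "dst_ip": dst,
            "src_ip": src,
            "base_event_count": len(evs),
            "base_signature_ids": sorted({e["sig_id"] for e in evs}),
        }
        for (dst, src), evs in groups.items()
    ]


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"sig_id": "fw-allow", "src_ip": "10.0.1.10", "dst_ip": "198.51.100.7"},  # critical -> GTI malicious
    {"sig_id": "fw-allow", "src_ip": "10.0.1.10", "dst_ip": "198.51.100.7"},  # same pair again
    {"sig_id": "ids-scan", "src_ip": "192.0.2.99", "dst_ip": "10.0.1.11"},    # restricted -> critical
    {"sig_id": "ids-scan", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.11"},      # trusted scanner -> critical: no match
    {"sig_id": "fw-allow", "src_ip": "10.0.2.50", "dst_ip": "203.0.113.45"},  # workstation -> suspicious: no match
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

    Two points worth checking against your own build: the two firewall events for the same (destination, source) pair collapse into one correlated event because of the Group By, and the scan from the trusted host does not fire because the rule as described consults only the suspicious watchlists and Critical Systems, never Trusted Systems.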

     

    4.3 View(s)

    Now that we have created our watchlists and our correlation rule, it's time to put them to work. We are going to create a new view, which we'll monitor to gain awareness of what's going on in our environment. The view is made up of 13 individual queries. The screenshot below shows the general layout of the Situational Awareness view.

    12SitAwarePopView.png

    To begin, create a new blank view. From the main ESM GUI click the "Create New View" 8CreateNewViewIcon.png  icon located in the top left of the middle display. A new blank view will appear with a "View Editing Toolbar" at the top.
    9ViewEditingToolbar.png

    We can now start populating our blank view with workflow sections.  For each section, you'll follow a similar process:

    • Drag in a "Title Component" 10TileIcon.png  icon onto the blank work area, and size/configure it to match the view shown above.
    • Drag in series of "Bar Chart" 11BarChartIcon.png  queries onto the work area, and configure as described below.

     

    Section 1: Outbound Communications To Known Threat Hosts

    This set of queries highlights internal systems that are communicating outbound with suspicious external systems. The first two queries show the individual event categories and the internal IPs associated with these events. The last query filters to show only communications from systems that we have identified as critical (via the Critical Systems watchlist).


    Panel 1: All Connections To known bad hosts
      Query: Average Event Severity
      Filter: Dest IP: on any of our suspicious watchlists

    Panel 2: Internal Source IPs
      Query: Source IPs
      Filter: Signature ID: "Bind to All Connections To known bad hosts"

    Panel 3: From Critical Systems
      Query: Source IPs
      Filter: Signature ID: "Bind to All Connections To known bad hosts"
      Filter: Source IP: on Critical Systems watchlist


    Section 2: Inbound Communications from Known Threat Hosts

    This set of queries highlights suspicious external systems that are initiating inbound communications with our enterprise systems. The first two queries show the individual event categories and the internal IPs targeted by these events. The last query filters to show only communications to systems that we have identified as critical (via the Critical Systems watchlist).


    Panel 1: All Connections from known bad hosts
      Query: Average Event Severity
      Filter: Source IP: on any of our suspicious watchlists

    Panel 2: Targeted internal IPs
      Query: Destination IPs
      Filter: Signature ID: "Bind to All Connections from known bad hosts"

    Panel 3: Targeted Critical Systems
      Query: Destination IPs
      Filter: Signature ID: "Bind to All Connections from known bad hosts"
      Filter: Destination IP: on Critical Systems watchlist

     

    Section 3: IPS/IDS Activity + Threat Intelligence

    This section summarizes events that have come from any IDS/IPS devices in your environment.  The first query simply summarizes all the IDS/IPS events.  The second applies a filter to show only events associated with suspicious external entities.  The final one applies an additional filter to show critical internal systems that have been targeted, if any.


    Panel 1: All Correlated IDS/IPS Summary
      Query: Average Event Severity
      Filter: Device Type ID: Class IDS-IPS

    Panel 2: Correlated IDS/IPS with Threat Intelligence
      Query: Average Event Severity
      Filter: Signature ID: "Bind to All Correlated IDS/IPS Summary"
      Filter: Source IP: on any of our suspicious watchlists

    Panel 3: Targeted Critical Systems
      Query: Destination IPs
      Filter: Signature ID: "Bind to Correlated IDS/IPS with Threat Intelligence"
      Filter: Destination IP: on Critical Systems watchlist

     

    Section 4: Trusted Systems Activity

    We will use this section to keep an eye on systems that we have identified as "trusted". The first query summarizes IDS/IPS activity whose source is a trusted system. The second query shows the trusted IP addresses involved. The final query shows any targeted IPs that are on the Critical Systems watchlist. If "Trusted Systems" are seen by the IDS/IPS to be attacking business-critical systems, that is certainly something you need to understand!


    Panel 1: Activity from Trusted Systems
      Query: Summary
      Filter: Device Type ID: Class IDS-IPS
      Filter: Source IP: on Trusted Systems watchlist

    Panel 2: Trusted Systems IPs
      Query: Source IPs
      Filter: Signature ID: "Bind to Activity from Trusted Systems"

    Panel 3: Targeted Critical Systems
      Query: Destination IPs
      Filter: Signature ID: "Bind to Activity from Trusted Systems"
      Filter: Dest IP: on Critical Systems watchlist

     

    Section 5: Critical Systems Activity (small section on right)

    Finally, we will include a view element that highlights hits on the correlation rule we created earlier.


    Panel: Critical Systems Activity
      Query: Average Event Severity
      Filter: Signature ID: "47-6000xxx" (match the signature ID of the correlation rule you created)

     

    4.4 Report(s)

    In addition to our view, it is handy to create a report that may be used to provide data outside of the ESM. This can be useful for providing regular summary data to interested parties.  This section covers how to build a report that captures the information contained within the view we created earlier but over 7 days instead of the default 24 hours.

     

    To begin, open "System Properties/Reports" and click Add to define a new report.  In the "Add Report" window we want to add the following information:

      1. Enter a name and description for this report.
        Report Name = "Situational Awareness – 7 Days"
      2. When do you want this report to run?
        Condition = "Manual" (Feel free to schedule this to your liking)
      3. (Optional) What time zone do you want to use to run the queries for this report?
        Leave these as the defaults unless you have a need to change them.
      4. How would you like this report delivered?
        Format = "Report PDF"
        Email sent to users or group = Checked
        Send To = Click "Add Recipient" to add your desired email address.
      5. Filters: Time Range = Click the 13TimeRangeIcon.png  icon to the left of the "Time Range" field. On the "Custom Time" pop-up, select "Select a custom time frame." Set it to "[Last]  [7]  [Days]" and click OK.

     

    We will now start populating our blank report template. Click Add to create a new report layout. We'll create 5 sections. For each section, you'll follow a similar process:

        • Drag in a "Title Component" 10TileIcon.png  icon onto the blank work area, and size/configure it to match the report template shown below.
        • Drag in a series of "Bar Chart" 11BarChartIcon.png  queries onto the work area, and configure as described below. (Note that section 5 will include a single table, not a bar chart.)


    14ReportTemplate.png

    Section 1: Outbound Communications To Known Threat Hosts

    Panel 1: Top 20 Connections to Threat hosts
      Query: Average Event Severity
      Filter: Dest IP: on any of our suspicious watchlists

    Panel 2: Top 20 Internal Source IPs
      Query: Source IPs
      Filter: Dest IP: on any of our suspicious watchlists

     

    Section 2: Inbound Communications from Known Threat Hosts

    Panel 1: Top 20 Inbound Connections from Threat Hosts
      Query: Average Event Severity
      Filter: Source IP: on any of our suspicious watchlists

    Panel 2: Top 20 Targeted Internal IPs
      Query: Destination IPs
      Filter: Source IP: on any of our suspicious watchlists


    Section 3: IPS/IDS Activity + Threat Intelligence

    Panel 1: Top 20 IDS/IPS Activities
      Query: Average Event Severity
      Filter: Device Type ID: Class IDS-IPS

    Panel 2: Top 20 IDS/IPS Activities + Threat Intelligence
      Query: Average Event Severity
      Filter: Device Type ID: Class IDS-IPS
      Filter: Source IP: on any of our suspicious watchlists

     

    Section 4: Trusted Systems Activity

    Panel 1: Top 20 Suspicious Activities from Trusted Systems
      Query: Summary
      Filter: Device Type ID: Class IDS-IPS
      Filter: Source IP: on Trusted Systems watchlist

    Panel 2: Trusted Systems IPs
      Query: Source IPs
      Filter: Device Type ID: Class IDS-IPS
      Filter: Source IP: on Trusted Systems watchlist

     

    Section 5: Critical Systems Activity

    Panel: Critical Systems Activity
      Table Query: Events
      Filter: Signature ID: "47-6000156" (match the signature ID of the correlation rule you created)

     

    Once you have created your report template, save it, and then save your report configuration.  Select your report and click Run Now to create a sample for review.
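    The panels in Section 4.3 and the report in Section 4.4 are the same queries run over different time windows, so one added Python example covers both (example code written for this page, not McAfee ESM code). It computes each panel's query from constructed events, composes filters the way a "Bind to <panel>" signature filter does, and runs the full set over the view's 24 hours and the report's 7 days. The watchlist contents, event format, timestamps and the correlation rule's signature ID (the page's 47-6000xxx placeholder) are assumptions.

```python
"""Added example: the Section 4.3 view panels and the Section 4.4 report as
filter compositions.  Illustration code for this page, not McAfee ESM code.
Watchlist contents, events, timestamps and the rule signature ID are invented.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Callable

Event = dict
Filter = Callable[[Event], bool]

# Watchlists (assumed contents).  SUSPICIOUS_IPS is GTI Malicious + GTI Suspicious + Restricted.
SUSPICIOUS_IPS = {"198.51.100.7", "203.0.113.45", "192.0.2.99"}
TRUSTED_SYSTEMS = {"10.0.0.5"}
CRITICAL_SYSTEMS = {"10.0.1.10", "10.0.1.11"}
CORRELATION_SIG_ID = "47-6000xxx"   # placeholder as on the page; substitute your rule's real ID

NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)   # fixed clock keeps the example deterministic


def in_last(hours: int) -> Filter:
    """Time Range filter: the view defaults to 24 hours, the report uses Last 7 Days."""
    cutoff = NOW - timedelta(hours=hours)
    return lambda e: e["time"] >= cutoff


def all_of(*filters: Filter) -> Filter:
    """A panel ANDs its filters; 'Bind to <panel>' reuses that panel's whole filter set."""
    return lambda e: all(f(e) for f in filters)


# Single filters, named as on the page.
dst_on_suspicious: Filter = lambda e: e["dst_ip"] in SUSPICIOUS_IPS
src_on_suspicious: Filter = lambda e: e["src_ip"] in SUSPICIOUS_IPS
src_critical: Filter = lambda e: e["src_ip"] in CRITICAL_SYSTEMS
dst_critical: Filter = lambda e: e["dst_ip"] in CRITICAL_SYSTEMS
src_trusted: Filter = lambda e: e["src_ip"] in TRUSTED_SYSTEMS
class_ids_ips: Filter = lambda e: e["device_class"] == "IDS-IPS"
correlation_hit: Filter = lambda e: e["sig_id"] == CORRELATION_SIG_ID


def average_severity(events: list[Event], flt: Filter) -> float | None:
    """'Average Event Severity' query; None when nothing matched."""
    sev = [e["severity"] for e in events if flt(e)]
    return sum(sev) / len(sev) if sev else None


def top_ips(events: list[Event], field: str, flt: Filter, n: int = 20) -> list[tuple[str, int]]:
    """'Source IPs' / 'Destination IPs' bar chart: top-N values of `field` by event count."""
    return Counter(e[field] for e in events if flt(e)).most_common(n)


def situational_awareness(events: list[Event], hours: int = 24) -> dict:
    """Every panel from Sections 4.3/4.4 for one window: 24 h for the view, 168 h for the report."""
    window = in_last(hours)
    outbound = all_of(window, dst_on_suspicious)        # Section 1: dest on a suspicious watchlist
    inbound = all_of(window, src_on_suspicious)         # Section 2: source on a suspicious watchlist
    ids = all_of(window, class_ids_ips)                 # Section 3: Device Type Class IDS-IPS
    ids_ti = all_of(ids, src_on_suspicious)             # Section 3: bound to the IDS summary + threat intel
    trusted = all_of(ids, src_trusted)                  # Section 4: IDS events sourced from Trusted Systems
    critical = all_of(window, correlation_hit)          # Section 5: hits on our correlation rule
    return {
        "outbound_avg_severity": average_severity(events, outbound),
        "outbound_internal_sources": top_ips(events, "src_ip", outbound),
        "outbound_from_critical": top_ips(events, "src_ip", all_of(outbound, src_critical)),
        "inbound_avg_severity": average_severity(events, inbound),
        "inbound_targets": top_ips(events, "dst_ip", inbound),
        "inbound_targeted_critical": top_ips(events, "dst_ip", all_of(inbound, dst_critical)),
        "ids_avg_severity": average_severity(events, ids),
        "ids_ti_avg_severity": average_severity(events, ids_ti),
        "ids_ti_targeted_critical": top_ips(events, "dst_ip", all_of(ids_ti, dst_critical)),
        "trusted_sources": top_ips(events, "src_ip", trusted),
        "trusted_targeted_critical": top_ips(events, "dst_ip", all_of(trusted, dst_critical)),
        "critical_correlation_hits": [e for e in events if critical(e)],
    }


def _ev(days_ago: float, sig_id: str, src: str, dst: str, sev: int, device_class: str = "Firewall") -> Event:
    return {"time": NOW - timedelta(days=days_ago), "sig_id": sig_id, "src_ip": src,
            "dst_ip": dst, "severity": sev, "device_class": device_class}


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    _ev(0.1, "fw-allow", "10.0.1.10", "198.51.100.7", 60),           # critical host -> GTI malicious, today
    _ev(0.2, "fw-allow", "10.0.2.50", "203.0.113.45", 40),           # workstation -> GTI suspicious, today
    _ev(0.3, "ids-scan", "192.0.2.99", "10.0.1.11", 80, "IDS-IPS"),  # restricted IP scanning a critical host
    _ev(0.4, "ids-scan", "10.0.0.5", "10.0.1.11", 30, "IDS-IPS"),    # trusted scanner hitting a critical host
    _ev(0.5, CORRELATION_SIG_ID, "192.0.2.99", "10.0.1.11", 75),     # our correlation rule fired on event 3
    _ev(3.0, "fw-allow", "10.0.1.11", "198.51.100.7", 70),           # three days old: report only
]

if __name__ == "__main__":
    for name, value in situational_awareness(SAMPLE_EVENTS, hours=24 * 7).items():
        print(f"{name}: {value}")
```

    The one difference between the view and the report is the window passed to in_last(): the three-day-old outbound event from the second critical host is invisible on the 24-hour view but shows up in the 7-day report's "Top 20 Internal Source IPs", which is the reason the page builds both. Note also that the trusted scanner lands in Section 4's "Targeted Critical Systems" panel by design; that panel is where a misbehaving or compromised "trusted" host would surface.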

     

    5. Concept of Operations

    Now that the use case build-out is completed, we can begin using it for daily operations.

     

    • Much of this use case is driven by the watchlists defined in Section 4.1 above.  It is critical to this use case that these watchlists be populated with IP addresses that are relevant within your environment.
    • Regularly monitor the Situational Awareness view.  It will expose behavior patterns to you, and help you to get an intuitive understanding of normal and abnormal behaviors.
    • Keep a particularly close eye on the panels toward the right side of the view.  These represent likely attacks on your most critical systems, and merit immediate attention.

     

    6. Going Further

    Events related to your Critical Systems are excellent candidates for investigation and incident management.