xded
Level 12

Increase Event Severity from Network


Hi, I want each event that comes from a network address like 192.168.0.0/24 to get a higher severity (+20%) than before. Is this possible with the SIEM or not? I'm happy for any help. =)

0 Kudos
1 Solution

Accepted Solutions
syed_rizvi
Level 10

Re: Increase Event Severity from Network


Hi

Why not? This is what I would do:

1. Go to Zone Management, create a new Zone (e.g. "Hi-Severity Zone"), give it a Geo location and a Start and End IP (192.168.10.x), and apply it to the data sources where you expect this traffic to come from. This will populate the "Source Zone" field on all events coming from 192.168.10.x with "Hi-Severity".

2. Create a correlation rule with high severity that captures events with Source Zone = Hi-Severity.

The asset-based solution that was suggested will also work, provided you adjust the severity weight. However, it assumes that all devices that would be coming from 192.168.10.x are already present in Assets.

0 Kudos
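The two-step approach above (zone lookup on the source IP, then a rule that raises severity for events in that zone) is a GUI configuration in the SIEM. The following Python is an added example, not code from the SIEM or from any poster in this thread, that reproduces the same pipeline offline so the effect can be checked on sample data: zones are defined as start/end IP pairs as in Zone Management, expanded to CIDR blocks once, and each event is tagged with its Source Zone before a per-zone uplift (the +20% the question asks for) is applied. The zone names, ranges, the 0-100 severity scale and the sample events are constructed for this example; the code also generalises to many subnets per zone, which matters for the "more than 100 network subnets" case raised later in the thread.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Zone table in the shape Zone Management uses: each zone has one or more
# (start IP, end IP) ranges. Names and ranges are constructed for this example.
ZONE_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "Hi-Severity": [("192.168.0.0", "192.168.0.255"),
                    ("192.168.10.0", "192.168.10.255")],
    "Guest-WiFi": [("10.50.0.0", "10.50.255.255")],
}

# What the correlation rule would do per zone: uplift in percent of the
# original severity. 20 is the +20% from the question; zones not listed get 0.
ZONE_UPLIFT_PCT: Dict[str, int] = {"Hi-Severity": 20}

SEVERITY_MAX = 100  # assumed 0-100 severity scale; uplifted values are capped here


def build_zone_index(zone_ranges=ZONE_RANGES) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Expand every start/end pair into CIDR blocks, done once at startup.

    Overlapping zones are resolved longest-prefix-first, so a narrower zone
    nested inside a broader one wins the lookup.
    """
    index = []
    for zone, pairs in zone_ranges.items():
        for start, end in pairs:
            nets = ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end))
            index.extend((net, zone) for net in nets)
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def source_zone(src: str, index) -> Optional[str]:
    """Return the zone name for a source IP, or None if it is in no zone."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Hostnames or garbage in the source field never match a zone,
        # so they are left un-uplifted rather than raising an error.
        return None
    for net, zone in index:
        if addr in net:
            return zone
    return None


def uplift_event(event: dict, index) -> dict:
    """Tag the event with src_zone and apply that zone's severity uplift."""
    zone = source_zone(event.get("src_ip", ""), index)
    pct = ZONE_UPLIFT_PCT.get(zone, 0)
    new_sev = min(SEVERITY_MAX, round(event["severity"] * (100 + pct) / 100))
    return {**event, "src_zone": zone, "severity": new_sev}


# Constructed sample events; severity is the value as parsed from the source.
SAMPLE_EVENTS = [
    {"src_ip": "192.168.0.23", "signature": "ssh-bruteforce", "severity": 50},
    {"src_ip": "192.168.10.200", "signature": "lateral-movement", "severity": 90},
    {"src_ip": "10.50.3.4", "signature": "ssh-bruteforce", "severity": 40},
    {"src_ip": "203.0.113.5", "signature": "ssh-bruteforce", "severity": 70},
    {"src_ip": "fileserver01", "signature": "file-share-enum", "severity": 30},
]


def process(events=SAMPLE_EVENTS, index=None) -> List[dict]:
    """Run every event through zone tagging and uplift; returns the new events."""
    index = build_zone_index() if index is None else index
    return [uplift_event(e, index) for e in events]


if __name__ == "__main__":
    for e in process():
        print(f"{e['src_ip']:>16}  zone={str(e['src_zone']):<12} severity={e['severity']}")
```

Two points the sample output makes visible: the same signature ("ssh-bruteforce") ends up with different severities depending only on the source zone, which is the asker's requirement, and an uplift that would push a 90 past the top of the scale is capped rather than producing an out-of-range value the rule engine would not accept.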
8 Replies
acommons
Level 10

Re: Increase Event Severity from Network


You can assign asset criticality scores in the Asset Manager on a per-asset basis. This can be used in selective risk reporting. This may help you; it depends where you want to go with it.

0 Kudos
xded
Level 12

Re: Increase Event Severity from Network


No, sorry, this is not what I want.

I want to change the severity for each event based on the network address. If an event has this network address, it should have a higher severity than the same event without the network address.

0 Kudos
acommons
Level 10

Re: Increase Event Severity from Network


You can also adjust severity in the parser (ASP rules at least) based on a Severity value in the parsed data. This may be worth exploring if you only have a few specific events of interest, but if you just want a blanket uplift regardless of the device or the event, this will not be viable.

0 Kudos
syed_rizvi
Level 10

Re: Increase Event Severity from Network


You can accomplish this in two steps.

1. Create a Zone that contains the 192.168.x.x network.

2. Create a correlation rule that matches the Source Zone and increases the severity to your desired number.

Hope this helps.

Thanks,

Syed Rizvi

0 Kudos
xded
Level 12

Re: Increase Event Severity from Network


Hi Syed Rizvi,

this isn't possible, because you can't set up a Zone for a network address. You can set up a Zone that contains Assets, but this isn't what I want.

Hi Acommons,

this is possible but not applicable, because we would have to change all the parsers for this, and that is a lot of painful work because we have more than 100 network subnets.

0 Kudos
acommons
Level 10

Re: Increase Event Severity from Network


Are you sure that using Assets or Tags in conjunction with Severity Weights (click the Scales icon in the Policy Editor) won't solve this for you?

The devil is in the detail but this seems to offer a way forward.

0 Kudos
xded
Level 12

Re: Increase Event Severity from Network


Thank you for your help. I didn't know that I could set up a start and end IP on a Sub-Category. This will help a lot.

0 Kudos