abanaru
Level 11

Risk Correlation for Domain Admins


Hello,

I'm currently in the process of creating a risk correlation rule for the members of "Domain Admins" AD group and I'm facing some issues.

I start by creating a Data Enrichment which looks for the Source User in my AD and adds Scoring to some accounts.

[Screenshots 1.PNG to 5.PNG: the data enrichment configuration]

So far so good. The field "Is_Domain_Admin" is added to each event generated by my AD data source that contains accounts from "Domain Admins".

I then go to my ACE and add a Risk Correlation Manager:

[Screenshots 6.PNG to 8.PNG: the Risk Correlation Manager configuration]

I've chosen to correlate on Source User and the risk score to be calculated by taking 80% of the "Source User" scoring, plus 20% of each event's severity.

The default severity for the rule "43-263046250" - "An account failed to log on" is 53, but because I've increased the severity in my data enrichment the value will be 69. So this means that a failed logon should give us a value of 20% of 69, which gives us 14, and adding it to 80, we get a score value of 94.

After three failed logons the minor threshold should trigger and so on...

This is my theory but in practice this does not work :-)

I've made some tests and my feeling is that the scoring from the data enrichment is not added to the total risk score because if I put 80% on severity and 20% on Source User the rule triggers faster than before.

Does anyone have any hints on this?

Much appreciated,

Andrei


Accepted Solutions
abanaru
Level 11

Re: Risk Correlation for Domain Admins


I've managed to make it work. It was very stupid of me to assume that the score would be added to the event by default.

In fact you need to go to ACE Properties | Risk Correlation Scoring and activate there the scoring for the field based on your enrichment source.

[Screenshot 123.PNG: ACE Properties | Risk Correlation Scoring]

There might be a bug here because I can't uncheck the Use Score box.

Anyway, I've discarded the use of a data enrichment as a Risk Source Type and generated a dynamic watchlist where I'm querying for Domain Admins in AD and assigning a score to them. The cool thing is that in the risk correlation scoring wizard you can add filters as well, and for example I'm scoring only on Event Subtype = failure.

11 Replies
paul.k
Level 10

Re: Risk Correlation for Domain Admins


I am just venturing a guess, but I suspect enrichment and correlation happen either in parallel or too close together and it is possible the correlated event has not yet been enriched.

Notice how you can't perform contains or regex on many fields in the ACE.

I have also noticed that data is treated differently by the ACE than by the ESM, and the same search patterns can produce different results (at least that's what support has told me; they could elaborate on why).

Good luck let us know if you work this out.

abanaru
Level 11

Re: Risk Correlation for Domain Admins


I don't think that's the case, because data enrichment happens on the receiver, if I may quote Scott on this topic, and then the ESM pulls them from the ERC. After that the ACE is using these events from the ESM to make correlations.

Right now a workaround is to increase the severity of the events that match the enrichment and that way I can make the risk correlation work but I'm still working on the main idea.

abanaru
Level 11

Re: Risk Correlation for Domain Admins


Anyone?

acommons
Level 10

Re: Risk Correlation for Domain Admins


What are your severity weight settings (click the little scales icon at the top right of the policy editor dialog)?

This can change the severity of events behind the scenes.

abanaru
Level 11

Re: Risk Correlation for Domain Admins


The weights influence only the final severity of the event, not the risk scoring, AFAIK.

Right now they are 100% to rules, 0% for assets, vulnerability and tags.

acommons
Level 10

Re: Risk Correlation for Domain Admins


But you are using severity in your risk scoring. 100% rules should mean no hidden manipulation. Do you have aggregation turned off for the rule?

abanaru
Level 11

Re: Risk Correlation for Domain Admins


Aggregation is turned off for all authentication-related rules because I didn't know how that would influence the risk (I guess it would work the same; basically it would multiply the severity by the number of occurrences to obtain the risk value).

What do you mean by 100% rules = no hidden manipulation?

Regarding that blog post, I came upon it a while ago and while it's working for that example it does not include the data enrichment unfortunately :-(

acommons
Level 10

Re: Risk Correlation for Domain Admins


Aggregation can hide things from the ACE.

100% Rules means you do not have to dig through asset, tags, vulnerability settings to figure out what the severity value is going to be. What you see in the rule is what you get.

I'm not sure how enrichment plays with risk - the only link is the word 'score', but see below.

Note I don't have an ACE I can play with and it's been a couple of years since I tried this stuff.

This may help...from the ESMI 9.1.0 User Guide. There is a bit more in there as well, it's also in the 9.2 User Guide...look for the old ones on the McAfee web site.

4.2.2.11 Risk Correlation Scoring

The Risk Correlation Scoring dialog allows you to add scoring conditional statements based on a risk field that contains a certain value that then makes a defined score for a target risk field. Each row in the grid is a single IF THEN conditional statement. These scoring conditions are global in nature and can be overwritten by a Risk Correlation manager's fields and/or filters. Scoring is updated every 10 minutes.

The Risk Correlation Scoring dialog allows you to add, edit, and remove scores as well as write the scores to the device.

Add a Risk Correlation Score

To add a score to the Risk Correlation Score table, do the following:

1. Access the Risk Correlation Scoring dialog (ACE Properties > Risk Correlation Scoring).
2. Click on Add. The Add Risk Correlation Score dialog opens.
3. The Source Field drop-down list contains all the possible fields against which a value can be compared. Select the desired field.
4. In the Value in field, select the type of value that will be compared.
5. In the Value field, select the comparing value. The options available in this field will vary based on the type of value you selected in the Value in field. If you want to add values so they can be selected in this field, refer to the following sections: Asset Group, Enrichment Source, Variable, Watchlist. If you selected Static Value in the Value in field, type in the comparing value.
6. On the Target Field drop-down list, select the field that will receive the score if the comparison is true.
7. In the Score fields, enter the minimum and maximum score that the target field will receive.
8. Click OK. The conditional statement will be added to the list of Risk Correlation scores.
9. Click on Write to write out all Risk Correlation scores to the device. You will be informed when the process is complete.

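The weighted scoring the original post works through (80% of the Source User score plus 20% of each event's severity, summed per user until a threshold is reached), together with the accepted solution's watchlist score and its "Event Subtype = failure" filter, as an added toy model that is not part of this thread and not McAfee ESM/ACE code. The sample events are constructed; the watchlist score of 100, the field names and the "minor" threshold of 280 are assumptions made for the example. Running it with `scoring_enabled=False` models the state before the score was activated under ACE Properties > Risk Correlation Scoring: the Source User term is 0, so moving weight from the user score onto severity raises every event's contribution, which is consistent with the swapped-weights observation in the thread.

```python
"""Toy model of weighted risk-correlation scoring (added example, not ESM code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source_user: str
    rule: str        # ESM rule name, e.g. "An account failed to log on"
    subtype: str     # ESM "Event Subtype": "failure" or "success"
    severity: int    # severity after data enrichment (0-100)


# Constructed sample events (not real log data). Severity 69 is the enriched
# value the poster describes for failed logons by Domain Admins accounts;
# 53 is the rule's default severity.
SAMPLE_EVENTS = [
    Event("administrator", "An account failed to log on", "failure", 69),
    Event("administrator", "An account failed to log on", "failure", 69),
    Event("administrator", "An account was successfully logged on", "success", 53),
    Event("administrator", "An account failed to log on", "failure", 69),
    Event("bob.admin", "An account failed to log on", "failure", 69),
    Event("alice", "An account failed to log on", "failure", 53),
    Event("alice", "An account failed to log on", "failure", 53),
    Event("alice", "An account failed to log on", "failure", 53),
]

# Stand-in for the dynamic watchlist built from the Domain Admins group:
# member -> score assigned in the Risk Correlation Scoring wizard (assumed 100).
DOMAIN_ADMINS_WATCHLIST = {"administrator": 100, "bob.admin": 100}

# Assumed "minor" threshold: three fully scored failed logons (3 * 93.8 = 281.4).
MINOR_THRESHOLD = 280.0


def event_risk(event, watchlist, *, user_weight=0.8, severity_weight=0.2,
               scoring_enabled=True, subtype_filter="failure"):
    """Risk contributed by one event under the weighted model.

    scoring_enabled=False models the state before the Source User score was
    activated under ACE Properties > Risk Correlation Scoring: the score
    exists in the enrichment but contributes 0 to the risk value.
    subtype_filter mirrors the wizard filter "Event Subtype = failure";
    pass None to score every event regardless of subtype.
    """
    if subtype_filter is not None and event.subtype != subtype_filter:
        return 0.0
    user_score = watchlist.get(event.source_user, 0) if scoring_enabled else 0
    return user_weight * user_score + severity_weight * event.severity


def correlate(events, watchlist, **model):
    """Accumulate risk per Source User, as the correlation manager does."""
    totals = {}
    for ev in events:
        totals[ev.source_user] = totals.get(ev.source_user, 0.0) + event_risk(ev, watchlist, **model)
    return totals


def triggered(events, watchlist, threshold=MINOR_THRESHOLD, **model):
    """Users whose accumulated risk reaches the threshold (sorted)."""
    return sorted(u for u, t in correlate(events, watchlist, **model).items() if t >= threshold)


if __name__ == "__main__":
    scenarios = {
        "score active, 80/20": {},
        "score inactive, 80/20": {"scoring_enabled": False},
        "score inactive, 20/80": {"scoring_enabled": False,
                                  "user_weight": 0.2, "severity_weight": 0.8},
    }
    for label, model in scenarios.items():
        totals = correlate(SAMPLE_EVENTS, DOMAIN_ADMINS_WATCHLIST, **model)
        print(f"{label}: {totals} -> triggered "
              f"{triggered(SAMPLE_EVENTS, DOMAIN_ADMINS_WATCHLIST, **model)}")
```

With the score active, each failed logon by a watchlisted account is worth 80 + 13.8 = 93.8 and three of them cross the assumed threshold; with the score inactive the same events are worth 13.8 each and nothing triggers, while the 20/80 weighting lifts them to 55.2 each.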