3 Replies Latest reply on Jul 13, 2015 2:13 PM by penoffd

    Baseline Correlation Rules

    mitchell2015

How can one get a listing of the onboard correlation rules that are pre-packaged with the SIEM tool? This has been asked previously but never answered.

        • 1. Re: Baseline Correlation Rules
          penoffd

          Have you just opened the Policy editor and looked at the list?

           

          Between this and looking at the normalizations relative to a particular policy rule, that should give you a good idea of what it is and how it works.

           

On a related note, whenever I create a custom rule based off an existing rule, I keep the rule name but add a prefix that is unique to our custom rules. It makes it easy to identify them in the dashboards.

           

          Dan

          • 2. Re: Baseline Correlation Rules
            andy777

            No easy way, but here is a list:

             

            ACL - Excessive Firewall/ACL Connections Accepted From Single Host

            ACL - Excessive Firewall/ACL Connections Denied From Single Host

            ACL - Firewall Accept after Recon Event on a Local Host

            ACL or Firewall - Multiple ACL Events to Multiple Hosts that are Blocked

            Attack - Anomalous Activity after Exploit on Local Host

            Attack - Backdoor Event after Buffer-Overflow Activity

            Attack - DNS Changer Activity - Event or Flow

            Attack - Exploit Event after Recon Activity

            Attack - Malware Activity on Local Host

            Attack - Malware Sent from Internal Host

            Attack - Network DoS Activity Detected

            Attack - Possible Botnet DNS connection or Unauthorized DNS Configuration Changes

            Attack - Possible Conficker Worm Activity

            Attack - Possible DDoS Against Single Host - ICMP - Flow

            Attack - Possible DDoS Against Single Host - Other - Flow

            Attack - Possible DDoS Against Single Host - TCP - Flow

            Attack - Possible DDoS Against Single Host - UDP - Flow

            Attack - Possible Worm Activity Detected on Internal Network

            Attack - Project Blitzkrieg - Communication with Known Command and Control Server - Events or Flows

            Attack - Successful Host Login after Keylogging Activity - Host

            Attack - Successful Host Login after Keylogging Activity - IP

            Attack - Virus Activity Across Multiple Systems

            Attack - Worm Activity Detected on Local Host

            Component - Events from any Source

            Component - Events to Any Destination

            Component - Events to a Destination Network

            Component - Horizontal Scan from a Single Host to Multiple Destinations

            Component - Normalized Events from a Local System to Multiple Destinations

            Component - Normalized Events from a Remote System to Multiple Local Destinations

            Database - Attempted Database Configuration Change by a Remote Host

            Database - Excessive Database Connections From a Single Source

            Database - Multiple Database Access Attempt Failures

            Database - Possible SQL Injection Activity - Low Severity Queries

            Database - Possible SQL Injection Activity - Query Failure by Destination User

            Database - Possible SQL Injection Activity - Query Failure by Source IP

            Exploit - Remote Access Exploit

            Firewall or ACL - Excessive Firewall and ACL Accepts From Single Host

            GTI - DNS Communication with Malicious Host - Event or Flow

            GTI - IRC Communication with Suspicious Host - Event or Flow

            GTI - Remote Shell Communication with Suspicious Host - Event or Flow

            GTI - Successful Login from Suspicious Host

            GTI - Successful Login to Suspicious Host

            Login - Brute Force Login Attempts against External SSH Service

            Login - Brute Force Login Attempts against Local SSH Service

            Login - Brute Force Login Attempts against RLOGIN Service

            Login - Brute Force Login Attempts against RSH Service

            Login - Brute Force Login Attempts against Telnet Service

            Login - Brute Force Login Attempts from a Single Source

            Login - Brute Force Login Attempts on a Local Host

            Login - Brute Force Login Attempts on an Internal Host from a Single Source

            Login - Multiple Failed Database Admin Login Attempts

            Login - Multiple Failed Database Login Attempts by Destination User

            Login - Multiple Failed FTP Login Attempts Detected to Local Host

            Login - Multiple Failed Login Attempts

            Login - Multiple Failed Login Attempts from Single Source to Multiple Hosts

            Login - Multiple Failed Login Attempts on Local Host

            Login - Multiple Failed VoIP Login Attempts

            Login - Successful Database Login after Multiple Failed Attempts

            Login - Successful Host Login after Brute Force Attempts from a Single Source

            Login - Successful Local Host Login after Brute Force Attempts

            Login - Successful Login after Brute Force Attempts against External SSH Service

            Login - Successful Login after Brute Force Attempts against Local SSH Service

            Login - Successful Login after Brute Force Attempts against RLOGIN Service

            Login - Successful Login after Brute Force Attempts against RSH Service

            Login - Successful Login after Brute Force Attempts against Telnet Service

            Login - Successful Login after Brute Force Attempts from a Single Source

            Login - Successful Login after DoS Activity

            Login - Successful Login after Exploit Activity

            Login - Successful Login after Malware Activity

            Login - Successful Login after Multiple Failed Attempts

            Login - Successful Login after Reconnaissance Activity

            Login - Successful Login after Suspicious Activity

            Login - Successful Login to Local Host after Multiple Failed Login Attempts

            Login - Successful Login to Suspicious Host

            Login - Successful VoIP Login after Multiple Failed Attempts

            MEG/ATD - Email Deferred without Submitting File to ATD

            MEG/ATD - Identical Malicious File Found in Multiple Emails

            MEG/ATD - Malicious Email was Delivered

            Malware - Botnet Activity

            Malware - Traffic with a Passive DNS known Malware Domain

            Malware - Traffic with a known Botnet Bot

            Malware - Traffic with a known Botnet Control Channel

            Malware - Traffic with a known Malware URL host

            Policy - Application Policy Events on a Local Host

            Policy - Chat Policy Events on Local Host

            Policy - Clear Text Application Use Detected To or From a Remote Host - Flow

            Policy - Clear Text Application Use Detected on Local Network - Flow

            Policy - Database Policy Events on a Local Host

            Policy - Gaming Policy Events on a Local Host

            Policy - IP Access Policy Events on a Local Host

            Policy - Mail Policy Events on a Local Host

            Policy - Multiple P2P Connections from Internal Host

            Policy - Off-hours Events from a Local Host

            Policy - Off-hours Events from a Local IP

            Policy - Off-hours Events from a Local Zone

            Policy - Off-hours Events from a Non-Company Geolocation

            Policy - Off-hours Events from a Suspicious Geolocation

            Policy - Off-hours Events to a Local Host

            Policy - Off-hours Events to a Local IP

            Policy - Off-hours Events to a Local Zone

            Policy - Off-hours Events to a Non-Company Geolocation - Events or Flows

            Policy - P2P Policy Events on Local Host

            Policy - Porn Policy Events on a Local Host

            Policy - Remote Access Policy Events on a Local Host

            Policy - Traffic Routed Through a Known Web Proxy Server

            Policy - Traffic from TOR exit node

            Policy - Traffic routed through an IP Based Proxy

            Policy - VoIP Policy Events on a Local Host

            Recon - Application Query Events from a Local Host

            Recon - Application Query Events from a Remote Host

            Recon - DNS Recon Events from a Local Host

            Recon - DNS Recon Events from a Remote Host

            Recon - Database Recon Events from a Local Host

            Recon - Database Recon Events from a Remote Host

            Recon - Detected Anomaly of TCP or UDP Packet Activity from Internal Host

            Recon - ESM Firewall Detected Stealth Scan Activity

            Recon - FTP Recon Events from a Local Host

            Recon - FTP Recon Events from a Remote Host

            Recon - Footprinting Activity Detected Targeting a Local Host

            Recon - Horizontal FTP Scan - Events or Flows

            Recon - Horizontal HTTP Scan - Events or Flows

            Recon - Horizontal HTTPS Scan - Events or Flows

            Recon - Horizontal NETBIOS Scan: Port 137 and 138

            Recon - Horizontal NetBIOS Scan: Port 139 - Events and Flows

            Recon - Horizontal RDP Scan - Events or Flows

            Recon - Horizontal RPC Scan - Events or Flows

            Recon - Horizontal SMB Scan - Events or Flows

            Recon - Horizontal SMTP Scan - Events or Flows

            Recon - Horizontal SNMP Scan - Events or Flows

            Recon - Horizontal SSH Scan - Events or Flows

            Recon - Horizontal Telnet Scan - Events or Flows

            Recon - Host Port Scan Events from a Local Host

            Recon - Host Port Scan Events from a Remote Host

            Recon - Host Query Events from a Local Host

            Recon - Host Query Events from a Remote Host

            Recon - ICMP Recon Events from a Local Host

            Recon - ICMP Recon Events from a Remote Host

            Recon - IP Recon Events from a Local Host

            Recon - IP Recon Events from a Remote Host

            Recon - Mail Recon Events from a Local Host

            Recon - Mail Recon Events from a Remote Host

            Recon - Misc Form of Reconnaissance Events from a Local Host

            Recon - Misc Form of Reconnaissance Events from a Remote Host

            Recon - Multiple TCP Recon Events from a Local Host

            Recon - Network Sweep Activity Detected from a Local Host to Multiple Hosts

            Recon - Network Sweep Activity Detected from a Local Host to Multiple Ports

            Recon - Network Sweep Activity Detected from a Remote Host to Multiple Local Hosts

            Recon - Network Sweep Activity Detected from a Remote Host to Multiple Local Ports

            Recon - Network Sweep Events from a Local Host

            Recon - Network Sweep Events from a Remote Host

            Recon - Other Protocol Recon Events from a Local Host

            Recon - Other Protocol Recon Events from a Remote Host

            Recon - Possible Probing by a Single Source IP

            Recon - RPC Request Events from a Local Host

            Recon - RPC Request Events from a Remote Host

            Recon - Recon Events from a Local Host

            Recon - Recon Events from a Remote Host

            Recon - SNMP Recon Events from a Local Host

            Recon - SNMP Recon Events from a Remote Host

            Recon - SSH Recon Events from a Local Host

            Recon - SSH Recon Events from a Remote Host

            Recon - TCP Recon Events from a Remote Host

            Recon - Telnet Recon Events from a Local Host

            Recon - Telnet Recon Events from a Remote Host

            Recon - UDP Recon Events from a Local Host

            Recon - UDP Recon Events from a Remote Host

            Recon - Web Recon Events from a Local Host

            Recon - Web Recon Events from a Remote Host

            Suspicious - DNS Communication with Malicious Host - Event or Flow

            Suspicious - High Severity Events to a Suspicious Geolocation

            Suspicious - Honeypot Activity Detected

            Suspicious - IDS Evasion From Local Host

            Suspicious - IDS Evasion From Remote Host

            Suspicious - IRC Communication with Suspicious Host - Event or Flow

            Suspicious - Internal Host Logon without Logoff

            Suspicious - Internal IP Login without Logout

            Suspicious - Local Host Communicating with External DNS Server - Flow

            Suspicious - Multiple Errors in TCP/IP Headers from a Local System

            Suspicious - Multiple Errors in TCP/IP Headers from a Remote Host

            Suspicious - Multiple High Severity Events from an Internal Host to and External Host

            Suspicious - Multiple High Severity Events from an Internal Host to another Internal Host

            Suspicious - Multiple High Severity Events to an Internal Host

            Suspicious - Multiple Suspicious Events from a Local Host

            Suspicious - Multiple Suspicious Events from a Remote Host

            Suspicious - Multiple System Malfunction Events on a Local Host

            Suspicious - Potential Communication and Exfiltration - Events or Flows

            Suspicious - Remote Shell Communication with Suspicious Host - Event or Flow

            Suspicious - Successful Login from Suspicious Host

            Suspicious - Successful Remote Login from Foreign Country

            Suspicious - Unusual Destination Port Activity - Flow

            Suspicious - Unusual System Admin Login Activity

            Suspicious - Unusually High Data Transfer Rate from External Network to Internal Host - Flow

            Suspicious - Unusually High Data Transfer Rate from Internal Host to External Network - Flow

            Suspicious - User Logon from Multiple Geolocations

            Suspicious - User Logon from Multiple Hosts

            Suspicious - User Logon from Multiple IP Addresses

            TIE - GTI Reputation Changed from Clean to Dirty

            TIE - Increase in Malicious Files Found Across All Hosts

            TIE - Malicious File (SHA-1) Found on Increasing Number of Hosts

            TIE - Malicious Filename Found on Increasing Number of Hosts

            TIE - Multiple Malicious Files Found on Single Host

            TIE - TIE Reputation Changed from Clean to Dirty

            1 of 1 people found this helpful
            • 3. Re: Baseline Correlation Rules
              penoffd

              Great to see them listed.

               

              You can look through the list and get an idea of what might be your biggest concerns, and enable those rules to start with.  If you don't subscribe to the McAfee Threat Feed service, the TIE and GTI entries won't work, so you can leave them disabled.

               

Some of these rules will generate a LOT of noise, especially those in the Recon group, as every time you get port scanned they can go off.

               

              My suggestion would be to pick a subset of rules that look like something you want to be aware of, maybe 5 at a time.  Enable those and watch for a day or two to see if you're getting the desired results.  Once you have an idea of what to expect from a particular set of rules, enable a few more.

               

As you do this, while it may take a while to get through them all, you'll gradually engage a decent rule set and become better acquainted with the results and alerts, and with whether the rule(s) are relevant to your environment. You'll find some that are really noisy, which, if still important to you, you can tune to better reflect the results you're looking for.

               

              Unfortunately, there are no "boilerplate" sets of rules that work out of the box.  It's all predicated on what you are looking for and the environments you are monitoring.  Just do a little bit at a time, get familiar with the results, and go forward from there.

              1 of 1 people found this helpful
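The phased enablement Dan describes above (skip the TIE/GTI rules without a threat feed subscription, enable about five rules at a time, watch them for a day or two, tune or drop the noisy ones, then enable the next few) can be turned into a small planning script. The code below is an added example, not part of this thread or of the McAfee product; it works on rule names in the "Category - Description" form posted by andy777, using a constructed subset of those names, constructed alert counts, and an assumed noise threshold of five alerts per hour.

```python
"""Phased enablement planner for built-in SIEM correlation rules.

Added example (not from the thread or the product). It groups rule names
of the form "Category - Description", skips categories that need a threat
feed subscription, labels the rules already enabled as quiet / ok / noisy
from alert counts over an observation window, and proposes the next batch.
"""
from collections import defaultdict

# Constructed subset of the rule names posted in the thread.
BUILTIN_RULES = [
    "Attack - Malware Activity on Local Host",
    "Attack - Network DoS Activity Detected",
    "GTI - Successful Login from Suspicious Host",
    "Login - Brute Force Login Attempts against Local SSH Service",
    "Login - Successful Login after Brute Force Attempts against Local SSH Service",
    "Recon - Horizontal SSH Scan - Events or Flows",
    "Recon - Host Port Scan Events from a Remote Host",
    "Suspicious - Successful Remote Login from Foreign Country",
    "TIE - Multiple Malicious Files Found on Single Host",
]

# Categories that only fire with a threat feed subscription (per the thread).
FEED_DEPENDENT = {"GTI", "TIE"}

# Assumed order of interest when picking what to enable next.
DEFAULT_PRIORITY = ("Attack", "Login", "Suspicious", "Recon")


def category(rule):
    """Category prefix, i.e. the text before the first ' - ' separator."""
    return rule.split(" - ", 1)[0]


def group_by_category(rules):
    """Map category prefix -> list of rule names with that prefix."""
    groups = defaultdict(list)
    for rule in rules:
        groups[category(rule)].append(rule)
    return dict(groups)


def classify_noise(alert_counts, window_hours, max_per_hour=5.0, min_total=1):
    """Label each enabled rule from its alert count over the watch window.

    'quiet' : fewer than min_total alerts (check the rule actually matches
              your log sources before concluding it is useless)
    'noisy' : more than max_per_hour alerts per hour (tune or disable)
    'ok'    : anything in between
    """
    labels = {}
    for rule, count in alert_counts.items():
        if count < min_total:
            labels[rule] = "quiet"
        elif count / window_hours > max_per_hour:
            labels[rule] = "noisy"
        else:
            labels[rule] = "ok"
    return labels


def next_batch(all_rules, enabled, have_threat_feed, batch_size=5,
               priority=DEFAULT_PRIORITY):
    """Choose the next rules to enable: not yet enabled, usable without a
    feed unless one is subscribed, ordered by category priority then name."""
    candidates = [
        r for r in all_rules
        if r not in enabled and (have_threat_feed or category(r) not in FEED_DEPENDENT)
    ]
    rank = {c: i for i, c in enumerate(priority)}
    candidates.sort(key=lambda r: (rank.get(category(r), len(priority)), r))
    return candidates[:batch_size]


if __name__ == "__main__":
    # Constructed first batch and 48 hours of constructed alert counts.
    first_batch = {
        "Attack - Malware Activity on Local Host",
        "Login - Brute Force Login Attempts against Local SSH Service",
        "Recon - Horizontal SSH Scan - Events or Flows",
    }
    observed = {
        "Attack - Malware Activity on Local Host": 0,
        "Login - Brute Force Login Attempts against Local SSH Service": 40,
        "Recon - Horizontal SSH Scan - Events or Flows": 600,
    }
    for rule, label in classify_noise(observed, window_hours=48).items():
        print(f"{label:5s}  {rule}")
    print("next batch (no threat feed):")
    for rule in next_batch(BUILTIN_RULES, first_batch, have_threat_feed=False):
        print("  ", rule)
```

Run as-is it prints the noise labels for the first batch and then the next four rules to enable; the two feed-dependent rules are held back until `have_threat_feed=True`. The thresholds are starting points to adjust per environment, which is the point of Dan's "watch for a day or two" step.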