8 Replies Latest reply on Aug 18, 2016 10:18 AM by xded

    Increase Event Severity from Network

    xded

      Hi, I want each Event that comes from a network address like 192.168.0.0/24 to get a Severity 20% higher than before. Is this possible with the SIEM or not? I'm happy for any help. =)

        • 1. Re: Increase Event Severity from Network
          acommons

          You can assign asset criticality scores in the Asset Manager on a per-asset basis. This can be used in selective risk reporting. This may help you... it depends where you want to go with it.

          1 of 1 people found this helpful
          • 2. Re: Increase Event Severity from Network
            xded

            No, sorry, this is not what I want.

            I want to change the Severity for each Event based on the network address. If an Event has this network address, it should have a higher Severity than the same Event without the network address.

            • 3. Re: Increase Event Severity from Network
              syed_rizvi

              xded, you can accomplish this in two steps.

              1. Create a Zone that contains the 192.168.x.x network.

              2. Create a Correlation rule that matches the Source zone and increases the severity to your desired number.

              Hope this helps.

              Thanks,

              Syed Rizvi


              1 of 1 people found this helpful
              • 4. Re: Increase Event Severity from Network
                acommons

                You can also adjust severity in the parser (ASP rules at least) based on a Severity value in the parsed data. This may be worth exploring if you only have a few specific events of interest, but if you just want a blanket uplift regardless of the device or the event, this will not be viable.

                • 5. Re: Increase Event Severity from Network
                  xded

                  Hi Syed Rizvi,

                  This isn't possible, because you can't set up a Zone for a network address. You can set up a Zone that contains Assets, but this isn't what I want.

                  Hi Acommons,

                  This is possible but not applicable, because we would have to change every parser for this. And this is painful work because we have more than 100 network subnets.

                  • 6. Re: Increase Event Severity from Network
                    acommons

                    Are you sure that using Assets or Tags in conjunction with Severity Weights (click the Scales icon in the Policy Editor) won't solve this for you?


                    The devil is in the detail but this seems to offer a way forward.

                    • 7. Re: Increase Event Severity from Network
                      syed_rizvi

                      Hi xded,

                      Why not? This is what I would do:

                      1. Go to Zone Management, create a new Zone (e.g. Hi-Severity Zone), give it a Geo location and a Start and End IP (192.168.10.x), and apply it to the data sources where you expect this traffic to come from. This will populate the "Source Zone" field on all events coming from 192.168.10.x with "Hi-Severity".

                      2. Create a correlation rule with high severity that captures events that have Source Zone = Hi-Severity.

                      The asset-based solution that acommons suggested will also work, given that you adjust the severity weight. However, it assumes that all devices that would be coming from 192.168.10.x are already present in Assets.

                      1 of 1 people found this helpful
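The two-step approach above (a Zone defined by Start and End IP and applied to chosen data sources, then a correlation rule that raises severity by the 20% asked for in the question), modelled as an added Python example; it is not code from the thread or from the SIEM product, and the zone range, the data source names and the 0-100 severity scale are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional

# Constructed example data: one zone defined by a Start and End IP and applied
# only to the data sources it is expected to be seen on (the Zone Management step).
@dataclass(frozen=True)
class Zone:
    name: str
    start: IPv4Address
    end: IPv4Address
    data_sources: frozenset

    def contains(self, src_ip: str, data_source: str) -> bool:
        # A zone only labels events from the data sources it was applied to.
        ip = ip_address(src_ip)
        if not isinstance(ip, IPv4Address):     # IPv6 sources never match an IPv4 zone
            return False
        return data_source in self.data_sources and self.start <= ip <= self.end

ZONES = [
    Zone("Hi-Severity", IPv4Address("192.168.10.0"), IPv4Address("192.168.10.255"),
         frozenset({"fw-edge", "dc-auth"})),   # hypothetical data source names
]

def source_zone(event: dict) -> Optional[str]:
    """Populate the Source Zone field for an event (None if no zone matches)."""
    for zone in ZONES:
        if zone.contains(event["src_ip"], event["data_source"]):
            return zone.name
    return None

def correlate(event: dict, zone_name: str = "Hi-Severity",
              uplift: float = 0.20, cap: int = 100) -> dict:
    """Correlation-rule step: if the Source Zone matches, raise severity by
    `uplift` (20%) and clamp to the assumed 0-100 severity scale."""
    out = dict(event)
    out["source_zone"] = source_zone(event)
    if out["source_zone"] == zone_name:
        out["severity"] = min(cap, round(event["severity"] * (1 + uplift)))
    return out

if __name__ == "__main__":
    # Constructed sample events: in-zone, wrong data source, out-of-range, near the cap
    sample = [
        {"src_ip": "192.168.10.42", "data_source": "fw-edge", "severity": 50},
        {"src_ip": "192.168.10.42", "data_source": "proxy", "severity": 50},
        {"src_ip": "10.0.0.5", "data_source": "fw-edge", "severity": 50},
        {"src_ip": "192.168.10.7", "data_source": "dc-auth", "severity": 90},
    ]
    for ev in sample:
        print(correlate(ev))
```

The second sample event shows the caveat from the reply above: an address inside the range is still not labelled if the zone was not applied to that event's data source.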
                      • 8. Re: Increase Event Severity from Network
                        xded

                        Thank you for your help, I didn't know that I can set up a start and end IP on a Sub-Category. This will help a lot.