8 Replies Latest reply on Sep 8, 2016 6:20 PM by eM Ka

    SIEM Variable - Domain

    penoffd

      I'm looking for some clarification as to the domain variable, as I have not been able to find anything in the documentation that clearly defines its use.

      Should the domain variable be the FQDN of the environment, that is, if our business was xyz.com it would be "xyz.com"?

      Or/and, should our Active Directory domain be in this variable as well, say if it was xyz.ad?

      I'm trying to do some rule tuning/cleanup, and I am trying to understand how this variable works with different rules.

        • 1. Re: SIEM Variable - Domain
          andy777

          Where do you see the domain variable? I looked in the Policy Manager under variables. Are there any rules that reference it? Thanks.

          • 2. Re: SIEM Variable - Domain
            penoffd

            Right here in the Policy Editor: [screenshot not preserved]

            And yes, there are rules that we use that reference it.  A custom correlation rule based on "Windows Authentication - Administrator Account Logon on Vista-2008 or Later" (Signature ID: 47-8000034) is one of them, for example.

            Nice avatar!

            • 3. Re: SIEM Variable - Domain
              eM Ka

              Hi,

              The easiest way to achieve that is to drill down to a domain field in the current logs - check that and then use the same structure.

              I'm sure that you already have some entries...

              Regards

              MK

              • 4. Re: SIEM Variable - Domain
                penoffd

                We determined that the original configuration, which was performed on the original Nitro device that we installed in 2009, was incorrect.  As a result of this configuration the only domain variable used was for our outward facing traffic.  While there may have been a reason for this at the time, no one involved with the deployment is still around and there is nothing documenting the configuration to determine the reasoning for doing this.

                In order to properly configure the system, we have added our internal Active Directory domain to the variable in order to reflect internal traffic.  We'll monitor rules and alarms to see if there is a noticeable difference or if correlation rules or alarms begin to fire as a result of the change.

                • 5. Re: SIEM Variable - Domain
                  rth67

                  What version are you on?

                  We have two different SIEMs (X6 and X4), both on 9.5.2 - I do not show a "Domains" list in the Variables...

                  • 6. Re: SIEM Variable - Domain
                    penoffd

                    We are currently on 9.6 MR1.

                    That being said, the Domains variable has been in the system for several years at least.  It's quite possible we added it during initial configuration when the original Nitro system was installed.

                    • 7. Re: SIEM Variable - Domain
                      rth67

                      Interesting, as we have 2 different SIEM instances, one was stood up in mid-2012, the other in early 2014, neither of which have a folder for "Domains" listed in the Variables.

                      We have a Pro-Services engagement (Health Check) later this month, I will inquire while they are here.

                      • 8. Re: SIEM Variable - Domain
                        eM Ka

                        Hi,

                        Just to answer your questions:

                        I'm looking for some clarification as to the domain variable, as I have not been able to find anything in the documentation that clearly defines its use.

                        You will not find anything in the documentation because this is only a custom variable (unless you mean documentation from the installation).

                        Should the domain variable be the FQDN of the environment, that is, if our business was xyz.com it would be "xyz.com"?

                        Or/and, should our Active Directory domain be in this variable as well, say if it was xyz.ad?

                        It depends... if you want to monitor, for example, web traffic to/from a specific web domain, you can use a value like the one from the screenshot (hillsboroughcounty.org); if you want to monitor traffic to/from some specific directory service you can use the FQDN, but in my opinion you should try to use a dynamic watchlist with all entries connected with the domain short name.

                        In order to properly configure the system, we have added our internal Active Directory domain to the variable in order to reflect internal traffic.  We'll monitor rules and alarms to see if there is a noticeable difference or if correlation rules or alarms begin to fire as a result of the change.

                        To monitor internal or external traffic you should use the HOME_NET variable in the Network category.

                        Regards

                        MK
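The following is an added example, not code from the original thread and not McAfee ESM/Nitro code. It is a toy evaluator that shows the two points made above: a custom Domains variable only matches logon events whose domain field is spelled the way the logs carry it (short name, AD FQDN or public FQDN), and the internal/external question belongs to HOME_NET rather than to Domains. The signature ID 47-8000034 comes from the thread; the company domains (xyz.com, xyz.ad, NetBIOS XYZ), the HOME_NET ranges, the sample events and all function names are assumptions constructed for illustration.

```python
"""Toy evaluator for the two variables discussed in the thread: a custom
Domains variable matched against the domain field of Windows logon events,
and a HOME_NET network variable used to tell internal from external traffic.
Added example: this is not McAfee ESM code, and the names below are
assumptions chosen for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    sig_id: str   # ESM signature ID, e.g. 47-8000034 (Administrator logon)
    user: str
    domain: str   # domain exactly as the Windows agent reported it
    src_ip: str
    dst_ip: str


# Constructed sample events (not real logs). The fictional company owns the
# public domain xyz.com and runs an internal AD forest xyz.ad (NetBIOS XYZ).
SAMPLE_EVENTS = [
    Event("47-8000034", "administrator", "XYZ", "10.1.2.3", "10.1.2.50"),
    Event("47-8000034", "administrator", "xyz.ad", "10.1.9.9", "10.1.2.50"),
    Event("47-8000034", "administrator", "xyz.com", "203.0.113.7", "10.1.2.60"),
    Event("47-8000034", "backup-svc", "XYZ", "10.1.2.4", "10.1.2.50"),
    Event("47-8000034", "administrator", "CONTRACTOR", "198.51.100.5", "10.1.2.60"),
]

# Two versions of the custom Domains variable: the original, external-only
# configuration, and the corrected one that also lists the AD domain in the
# forms the logs actually carry (FQDN and short name).
DOMAINS_EXTERNAL_ONLY = {"xyz.com"}
DOMAINS_WITH_AD = {"xyz.com", "xyz.ad", "XYZ"}

# Assumed HOME_NET value (Network category): address space treated as internal.
HOME_NET = ["10.0.0.0/8", "192.168.0.0/16"]


def admin_logon_hits(events, domains):
    """Return the events a correlation rule built on sig 47-8000034 with a
    'domain in Domains' condition would match. Domain comparison is
    case-insensitive, so 'XYZ' in the variable matches 'xyz' in a log."""
    wanted = {d.lower() for d in domains}
    return [
        ev for ev in events
        if ev.sig_id == "47-8000034"
        and ev.user.lower() == "administrator"
        and ev.domain.lower() in wanted
    ]


def classify_direction(ev, home_net=HOME_NET):
    """Classify an event as internal, inbound, outbound or external using
    HOME_NET, the variable the thread recommends for that question."""
    nets = [ipaddress.ip_network(n) for n in home_net]

    def is_home(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    src_home, dst_home = is_home(ev.src_ip), is_home(ev.dst_ip)
    if src_home and dst_home:
        return "internal"
    if dst_home:
        return "inbound"
    if src_home:
        return "outbound"
    return "external"


def coverage_report(events, domains, home_net=HOME_NET):
    """Count admin-logon hits per traffic direction for a given Domains value,
    showing how much the variable's content changes what the rule sees."""
    report = {"internal": 0, "inbound": 0, "outbound": 0, "external": 0}
    for ev in admin_logon_hits(events, domains):
        report[classify_direction(ev, home_net)] += 1
    return report


if __name__ == "__main__":
    for name, doms in (("external only", DOMAINS_EXTERNAL_ONLY),
                       ("with AD domain", DOMAINS_WITH_AD)):
        print(f"{name:15s} -> {coverage_report(SAMPLE_EVENTS, doms)}")
```

With only the public domain in the variable, the rule sees one inbound administrator logon and none of the internal AD logons; adding the AD FQDN and short name makes the same rule see the internal ones too, which is the behaviour change the poster set out to monitor after fixing the variable.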