11 Replies Latest reply on Nov 5, 2016 3:15 AM by abanaru

    Risk Correlation for Domain Admins

    abanaru

      Hello,


      I'm currently in the process of creating a risk correlation rule for the members of the "Domain Admins" AD group, and I'm facing some issues.

      I start by creating a Data Enrichment which looks for the Source User in my AD and adds Scoring to some accounts.

      [Screenshots 1.PNG to 5.PNG: the Data Enrichment configuration]

      So far so good. The field "Is_Domain_Admin" is added to each event generated by my AD data source that contains an account from "Domain Admins".

      I then go to my ACE and add a Risk Correlation Manager:

      [Screenshots 6.PNG to 8.PNG: the Risk Correlation Manager configuration]

      I've chosen to correlate on Source User and the risk score to be calculated by taking 80% of the "Source User" scoring, plus 20% of each event's severity.

      The default severity for the rule "43-263046250" - "An account failed to log on" is 53, but because I've increased the severity in my data enrichment the value will be 69. So this means that a failed logon should give us 20% of 69, which is 14, and adding it to 80 we get a score value of 94.

      After three failed logons the minor threshold should trigger and so on...


      This is my theory but in practice this does not work :-)

      I've made some tests, and my feeling is that the scoring from the data enrichment is not added to the total risk score, because if I put 80% on severity and 20% on Source User the rule triggers faster than before.

      Does anyone have any hints on this?

      Much appreciated,

      Andrei

        • 1. Re: Risk Correlation for Domain Admins
          paul.k

          I am just venturing a guess, but I suspect enrichment and correlation happen either in parallel or too close together and it is possible the correlated event has not yet been enriched.

          Notice how you can't perform contains or regex on many fields in the ACE.

          I have also noticed that data is treated differently by the ACE than by the ESM, and the same search patterns can produce different results (at least that's what support has told me; they could elaborate on why).

          Good luck, and let us know if you work this out.

          • 2. Re: Risk Correlation for Domain Admins
            abanaru

            I don't think that's the case, because data enrichment happens on the receiver (if I may quote Scott on this topic: Data enrichment clarification), where the enrichment field is added; then the ESM pulls the events from the ERC. After that the ACE uses these events from the ESM to make correlations.

            Right now a workaround is to increase the severity of the events that match the enrichment, and that way I can make the risk correlation work, but I'm still working on the main idea.

            • 3. Re: Risk Correlation for Domain Admins
              abanaru

              Anyone?

              • 4. Re: Risk Correlation for Domain Admins
                acommons

                What are your severity weight settings (click the little scales icon at the top right of the policy editor dialog)?

                This can change the severity of events behind the scenes.

                • 5. Re: Risk Correlation for Domain Admins
                  abanaru

                  The weights influence only the final severity of the event, not the risk scoring, AFAIK.

                  Right now they are 100% to rules, 0% for assets, vulnerability and tags.

                  • 6. Re: Risk Correlation for Domain Admins
                    acommons

                    But you are using severity in your risk scoring. 100% rules should mean no hidden manipulation. Do you have aggregation turned off for the rule?

                    • 7. Re: Risk Correlation for Domain Admins
                      acommons

                      Check out this blog post: Using GTI for Risk-Based Correlation

                      It's about the only piece I've seen that works through setting up a Risk rule. Note that it only talks about event counts and not Severity or Scores as such.

                      • 8. Re: Risk Correlation for Domain Admins
                        abanaru

                        Aggregation is turned off for all authentication related rules because I didn't know how that would influence the risk (I guess it would work the same; basically it would multiply the severity by the number of occurrences to obtain the risk value).

                        What do you mean by 100% rules = no hidden manipulation?

                        Regarding that blog post, I came upon it a while ago, and while it's working for that example it does not include the data enrichment, unfortunately :-(

                        • 9. Re: Risk Correlation for Domain Admins
                          acommons

                          Aggregation can hide things from the ACE.

                          100% Rules means you do not have to dig through asset, tags, vulnerability settings to figure out what the severity value is going to be. What you see in the rule is what you get.

                          I'm not sure how enrichment plays with risk - the only link is the word 'score', but see below.

                          Note I don't have an ACE I can play with and it's been a couple of years since I tried this stuff.

                          This may help... from the ESMI 9.1.0 User Guide. There is a bit more in there as well; it's also in the 9.2 User Guide. Look for the old ones on the McAfee web site.

                          4.2.2.11 Risk Correlation Scoring

                          The Risk Correlation Scoring dialog allows you to add scoring conditional statements based on a risk field that contains a certain value that then makes a defined score for a target risk field. Each row in the grid is a single IF THEN conditional statement. These scoring conditions are global in nature and can be overwritten by a Risk Correlation manager's fields and/or filters. Scoring is updated every 10 minutes.

                          The Risk Correlation Scoring dialog allows you to add, edit, and remove scores as well as write the scores to the device.

                          Add a Risk Correlation Score

                          To add a score to the Risk Correlation Score table, do the following:

                          1. Access the Risk Correlation Scoring dialog (ACE Properties > Risk Correlation Scoring).
                          2. Click on Add. The Add Risk Correlation Score dialog opens.
                          3. The Source Field drop-down list contains all the possible fields against which a value can be compared. Select the desired field.
                          4. In the Value in field, select the type of value that will be compared.
                          5. In the Value field, select the comparing value. The options available in this field will vary based on the type of value you selected in the Value in field. If you want to add values so they can be selected in this field, refer to the following sections: Asset Group, Enrichment Source, Variable, Watchlist. If you selected Static Value in the Value in field, type in the comparing value.
                          6. On the Target Field drop-down list, select the field that will receive the score if the comparison is true.
                          7. In the Score fields, enter the minimum and maximum score that the target field will receive.
                          8. Click OK. The conditional statement will be added to the list of Risk Correlation scores.
                          9. Click on Write to write out all Risk Correlation scores to the device. You will be informed when the process is complete.
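A small model of the weighted-score arithmetic from the opening post (80% Source User score plus 20% severity, accumulated over failed logons until a threshold) together with one IF/THEN scoring row of the kind the guide excerpt describes. This is an added illustration, not McAfee code and not the ACE's actual formula; the group members, the score of 100 and the threshold of 250 are assumed values. It also shows why the poster's observation (the rule fires faster with 80% on severity) implies the enrichment score is not reaching the sum.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed stand-in for the "Domain Admins" enrichment source; names are made up.
DOMAIN_ADMINS = {"admin1", "svc_backup"}
ADMIN_SCORE = 100      # assumed score the enrichment attaches to Source User
MINOR_THRESHOLD = 250  # assumed value; the thread never states the rule's thresholds

@dataclass(frozen=True)
class Event:
    source_user: str
    severity: int      # severity after enrichment (the post: 53 raised to 69)

def user_score(source_user: str) -> int:
    """One IF/THEN scoring row as the guide describes it: IF Source User is in
    the enrichment source THEN the Source User risk field gets ADMIN_SCORE."""
    return ADMIN_SCORE if source_user in DOMAIN_ADMINS else 0

def event_risk(ev: Event, user_weight: float, severity_weight: float,
               score_applied: bool = True) -> int:
    """Per-event risk as the opening post models it: a weighted sum of the
    Source User score and the event severity. score_applied=False models the
    suspected fault where the enrichment score never reaches the ACE."""
    score = user_score(ev.source_user) if score_applied else 0
    return round(user_weight * score + severity_weight * ev.severity)

def events_to_threshold(events, user_weight, severity_weight,
                        score_applied=True, threshold=MINOR_THRESHOLD) -> Optional[int]:
    """Events of one source user needed for the running risk total to reach
    the threshold (the post's "after three failed logons"); None if never."""
    total = 0
    for n, ev in enumerate(events, start=1):
        total += event_risk(ev, user_weight, severity_weight, score_applied)
        if total >= threshold:
            return n
    return None

def diagnose(events) -> dict:
    """Compare the two weightings the post tried: with the score in the sum 80/20 must
    fire before 20/80; the reverse order (what the poster saw) means the score is dropped."""
    return {
        "with_score": (events_to_threshold(events, 0.8, 0.2),
                       events_to_threshold(events, 0.2, 0.8)),
        "without_score": (events_to_threshold(events, 0.8, 0.2, score_applied=False),
                          events_to_threshold(events, 0.2, 0.8, score_applied=False)),
    }

if __name__ == "__main__":
    logons = [Event("admin1", 69)] * 20  # constructed "account failed to log on" events
    print(event_risk(logons[0], 0.8, 0.2), diagnose(logons))
```

With the score applied, 80/20 reaches the assumed threshold on the third event and 20/80 on the fourth; with the score dropped, 80/20 needs 18 events and 20/80 only 5, which is the faster triggering the poster reported.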
