Is your feature request related to a problem?
I can't come up with a nice and easy way to build aggregated alerts within the security-analytics plugin. I am talking about alerts like "Multiple failed logins for user XY" or alike.
I know there are Correlation Rules but they do not refer to detection rules as base, but rather use own queries to correlate findings between sources.
Why is that? I would like to say: "If detection rule X has followed on detection rule Y in a timespan of 10min and field username is same, create a more severe alert".
Sigma has the possibility of writing Correlations, directly in yaml, which would be super nice to have in the security-analytics plugin. They call this "Meta Rules". This would be super handy for the security-analytics plugin.
What solution would you like?
I would like to be able to use Correlations as defined by Sigma within the syntax/ yaml structure of a detection rule. This would allow me to have rules and aggregations in the same place (see additional context for more information).
What alternatives have you considered?
An obvious alternative would be to use the good old Alerting plugin directly, to achieve these kinds of aggregated/correlated alerts. But this would require using another syntax (JSON) in another place (Alerting) to achieve a functionality that I would expect in the SIEM itself, referring to the security-analytics plugin.
Do you have any additional context?
A detection rule with correlation according to Sigma could look like the following, where a failed logon from Google Workspace is taken as example. Both yaml declarations for the detection rule and the correlation rule are located in the same file, separated by --- :
```yaml
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
logsource:
  product: gworkspace
title: Google Workspace Login failed
description: >-
  A user attempted to log in to a Google workspace account without success.
  Check the event parameters login_failure_type and login_challenge_method for more information.
tags: []
falsepositives:
  - A user has entered a wrong password.
level: high
status: test
references:
  - >-
    https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#login_failure
author: pr3l14t0r
detection:
  condition: Selection_1
  Selection_1:
    event.name|contains:
      - login_failure
---
title: Multiple failed logons for a single user (possible brute force attack)
status: test
correlation:
  type: event_count
  rules:
    - 25b9c01c-350d-4b95-bed1-836d04a4f324
  group-by:
    - event.name
  timespan: 15m
  condition:
    gte: 3
tags:
  - brute_force
  - attack.t1110
```
Outro
Maybe there's already a solution for my question, yet I did not find anything in the documentation of security-analytics. If there's something and I am just too stupid to see or find it, please guide me in the right direction! :)
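To make the requested semantics concrete, here is an added example (written for this page, not code from the issue author, from Sigma, or from the security-analytics plugin) that evaluates a Sigma-style `event_count` correlation like the one above over a handful of constructed Google Workspace login events. Two things are assumptions: the group-by field is `actor.email` so that the count is per user (the YAML above groups by `event.name`), and a group's window is cleared after it fires so one burst produces one alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# id of the base detection rule from the issue's first YAML document
BASE_RULE_ID = "25b9c01c-350d-4b95-bed1-836d04a4f324"


def matches_base_rule(event: dict) -> bool:
    """Mirror of the issue's detection: event.name|contains: login_failure."""
    return "login_failure" in str(event.get("event.name", ""))


_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def parse_timespan(spec: str) -> timedelta:
    """Parse a Sigma timespan such as '15m' into a timedelta."""
    m = re.fullmatch(r"(\d+)([smhd])", spec)
    if not m:
        raise ValueError(f"unsupported timespan: {spec!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


# Correlation settings taken from the issue's second YAML document, except
# that group-by uses a per-user field (assumption: actor.email).
CORRELATION = {
    "type": "event_count",
    "rules": [BASE_RULE_ID],
    "group-by": ["actor.email"],
    "timespan": "15m",
    "condition": {"gte": 3},
}


def correlate(events, rule=CORRELATION):
    """Sliding-window event_count correlation.

    Emits one alert per group-by key whenever at least `gte` base-rule matches
    fall inside `timespan`. The window is cleared after an alert (assumption:
    dedup one burst into one alert rather than alerting on every further hit).
    """
    window = parse_timespan(rule["timespan"])
    threshold = rule["condition"]["gte"]
    buckets = defaultdict(deque)  # group key -> timestamps still in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_base_rule(ev):
            continue
        key = tuple(ev.get(f) for f in rule["group-by"])
        q = buckets[key]
        q.append(ev["@timestamp"])
        # drop timestamps older than the window relative to the newest event
        while q and ev["@timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "group": dict(zip(rule["group-by"], key)),
                "count": len(q),
                "first": q[0],
                "last": q[-1],
                "rules": list(rule["rules"]),
            })
            q.clear()
    return alerts


# Constructed sample events (not real Workspace log data).
_T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _ev(minute, user, name):
    return {"@timestamp": _T0 + timedelta(minutes=minute),
            "actor.email": user, "event.name": name}


SAMPLE_EVENTS = [
    _ev(0, "alice@example.com", "login_failure"),
    _ev(3, "alice@example.com", "login_failure"),
    _ev(4, "alice@example.com", "login_success"),  # not a failure, ignored
    _ev(9, "alice@example.com", "login_failure"),  # 3rd failure within 15m -> alert
    _ev(0, "bob@example.com", "login_failure"),
    _ev(20, "bob@example.com", "login_failure"),
    _ev(40, "bob@example.com", "login_failure"),   # never 3 inside one 15m window
    _ev(5, "carol@example.com", "login_failure"),
    _ev(6, "carol@example.com", "login_failure"),  # only 2 failures
]


def demo():
    """Run the correlation over the constructed events; only alice should fire."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(a["group"], a["count"], a["first"].isoformat(), a["last"].isoformat())
```

Running `demo()` yields a single alert for alice with a count of 3; bob's three failures are spread across 40 minutes and never land in one 15-minute window, and carol stays below the threshold. Whatever the plugin eventually implements, the same three knobs (group-by field, window length, count condition) are what decide whether a burst becomes an alert.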