LCE – Log Correlation Engine – SGBox Next Generation SIEM & SOAR
https://www.sgbox.eu
Feed last updated Wed, 11 Dec 2024 10:47:32 +0000

Default Correlation Rules Explained
https://www.sgbox.eu/en/knowledge-base/default-correlation-rules-explained/
Wed, 11 Jan 2023 12:11:11 +0000

[SGA][4722] Account Enabled > [SGA][4625] Logon Failed = TargetUserName (300sec)

[SGA][4722] Account Enabled > [SGA][4624] Logon OK = TargetUserName (300sec)

Account created and deleted in a short time: [SGA][4720] Account Created > [SGA][4726] Account Deleted = TargetUserName (300sec)

[SGA][4740] Account Locked Out (2sec)

[SGA][4624] Logon OK $TargetUserName (2sec)

[SGA][4624] Logon OK $TargetUserName > [SGA][4624] Logon OK = TargetUserName,LogonType,IpAddress > [SGA][4624] Logon OK = TargetUserName,LogonType,IpAddress (180sec)

[SGA][4624] Logon OK $TargetUserName LogonType = 2,3,7,10,11 (2sec)

[SGA][4723] Password Changed $TargetUserName (2sec)

[SGA][4723] Password Changed $TargetUserName (2sec)

[SGA][4724] Password Reset $TargetUserName (2sec)

[SGA][4724] Password Reset $TargetUserName (2sec)

[SGA][4624] Logon OK $TargetUserName,IpAddress (2sec)

[SGA][4624] Logon OK $TargetUserName,IpAddress (2sec) (300sec)

10093 – Win Audit – Event Log Backup: [SGA][1105] Event Log Backup (2sec)

[SGA][1108] Event Log Service Error (2sec) 

[SGA][1100] Event Logging Service Shutdown (1sec)

[SGA][4625] Logon Failed SubStatus = 0xC0000072 (1sec)

[SGA][4625] Logon Failed SubStatus = 0xC0000193 (1sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName > [SGA][4625] Logon Failed = TargetUserName (10sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = IpAddress > [SGA][4625] Logon Failed = IpAddress (10sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = LogonType,PreviousHost > [SGA][4625] Logon Failed = LogonType,PreviousHost (5sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = PreviousHost,TargetUserName,IpAddress > [SGA][4625] Logon Failed = PreviousHost,TargetUserName,IpAddress > [SGA][4624] Logon OK = PreviousHost,TargetUserName,IpAddress (15sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName,IpAddress > [SGA][4625] Logon Failed = TargetUserName,IpAddress > [SGA][4624] Logon OK = TargetUserName,IpAddress (15sec)

[SGA][4625] Logon Failed = TargetUserName > [SGA][4625] Logon Failed = TargetUserName > [SGA][4624] Logon OK = TargetUserName (15sec)

[SGA][4624] Logon OK > [SGA][4624] Logon OK = TargetUserName > [SGA][4624] Logon OK = TargetUserName > [SGA][4624] Logon OK = TargetUserName (30sec)

[SGA][4624] Logon OK > [SGA][4624] Logon OK = IpAddress > [SGA][4624] Logon OK = IpAddress > [SGA][4624] Logon OK = IpAddress (30sec)

[SGA][4624] Logon OK > [SGA][4624] Logon OK = IpAddress != TargetUserName > [SGA][4624] Logon OK = IpAddress != TargetUserName > [SGA][4624] Logon OK = IpAddress != TargetUserName (30sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName,IpAddress > [SGA][4625] Logon Failed = TargetUserName,IpAddress (5sec)

[SGA][4769] A Kerberos service ticket was requested TicketOption = 0x40810000 TicketEncryptionType = 0x17 (2sec)

[SGA][4624] Logon OK LogonType = 9 LogonProcessName ~ seclogo AuthenticationPackageName ~ Negotiate (2sec)

[SGA][1102] Audit Log Cleared (1sec)

[SGA][1104] Security Log Full (1sec)

[SGA][4719] Audit policy changed (1sec)

[SGA][4624] Logon OK $TargetUserName $IpAddress (2sec)

[SGA][4728] Member Added to Global Group > [SGA][4729] Member Removed from Global Group (60sec)

[SGA][4756] Member Added to Universal Group > [SGA][4757] Member Removed from Universal Group (60sec)

[SGA][4728] Member Added to Global Group $TargetUserName

[SGA][4756] Member Added to Universal Group $TargetUserName

[SGA][4728] Member Added to Global Group $TargetUserName (1sec)

[SGA][4732] Member Added to Local Group $TargetUserName (1sec)

[SGA][4756] Member Added to Universal Group (1sec)

[SGA][4624] Logon OK LogonType = 2,3,7,10,11 (2sec)

[SGA][4729] Member Removed from Global Group (1sec)

[SGA][4733] Member Removed from Local Group (1sec)

[SGA][4757] Member Removed from Universal Group (1sec)

Threat Intelligence Queries
https://www.sgbox.eu/en/knowledge-base/threat-intelligence-queries/
Tue, 30 Nov 2021 11:25:12 +0000

Configure Threat Intelligence Queries

This article explains how to create a Threat Intelligence Query. A Threat Intelligence Query takes the result of an Events Query, searches for a value in a list and takes an action on the matches; in this way a query can be used like an LCE rule or a sensor. Queries can be scheduled to run every minute over a time interval, performing their actions whenever they return results. The available actions are Send Email, Generate Event and Add a parameter to a list.

Requirements:

  • SGBox version 5.3.1

From the SGBox menu, go to LCE > Threat Intelligence Queries and click on New Query.
A guided interface lets you build a query that searches for a parameter in any list; a time interval can be set too. In the following example, we get all MS-Windows admin user logons during non-working hours.

By default, Threat Intelligence Queries are scheduled, and they send an email and generate a new event every time they return a result.
Actions can be customized for each query, and the default values can be edited by clicking the DEFAULT VALUES button on the page listing the Threat Intelligence Queries.
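As an added example (this is not SGBox code, and the SGBox query builder syntax is not reproduced), the following Python script models the query described above: it takes the logon events of the last interval, looks each TargetUserName up in a list of admin accounts, keeps the logons that fall outside working hours, and runs the Generate Event and Add a parameter to a list actions on every hit. The event field names, the list contents, the working-hours definition (08:00 to 18:00, Monday to Friday) and the sample events are all assumptions made for the example.

```python
"""Scheduled Threat Intelligence Query, as an added example (not SGBox code).

It models the article's example query, "all MS-Windows admin user logons
during non-working hours": take the events of the last interval, look each
TargetUserName up in a list, and run the configured actions on every hit.
Field names, the list contents and the working-hours definition are assumed.
"""
from datetime import datetime, timedelta


def ev(ts, event_id, user, ip):
    return {"ts": datetime.fromisoformat(ts), "EventID": event_id,
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample of Windows logon events (4624 = Logon OK, 4625 = Logon Failed).
EVENTS = [
    ev("2024-01-15T09:12:00", 4624, "alice", "10.0.0.5"),          # not in the list
    ev("2024-01-15T22:40:00", 4624, "ADMIN.BOB", "10.0.0.9"),      # admin, Monday evening
    ev("2024-01-14T11:05:00", 4624, "admin.bob", "198.51.100.7"),  # admin, Sunday
    ev("2024-01-15T23:01:00", 4625, "admin.carol", "10.0.0.9"),    # failed logon, not a logon
    ev("2024-01-13T03:30:00", 4624, "admin.carol", "10.0.0.3"),    # older than the query window
]

ADMIN_USERS = {"admin.bob", "admin.carol"}   # the SGBox list the query searches (assumed plain values)
WORK_START, WORK_END = 8, 18                 # assumed working hours, Monday to Friday


def outside_working_hours(ts):
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def run_query(events, user_list, now, interval_minutes):
    """Events Query part: successful logons in the last interval whose user is in the list."""
    wanted = {u.lower() for u in user_list}      # Windows user names are case-insensitive
    start = now - timedelta(minutes=interval_minutes)
    return [e for e in events
            if e["EventID"] == 4624
            and start <= e["ts"] <= now
            and e["TargetUserName"].lower() in wanted
            and outside_working_hours(e["ts"])]


# Actions. Their output shape is assumed; SGBox's own event format is not documented here.
def generate_event(hit):
    return {"class": "TI-Query", "name": "Admin logon outside working hours",
            "TargetUserName": hit["TargetUserName"], "IpAddress": hit["IpAddress"], "ts": hit["ts"]}


def add_to_list(target_list, hit, param):
    target_list.add(hit[param])


def scheduled_run(now_iso, interval_minutes, events=EVENTS):
    """One scheduler tick: run the query, then apply both actions to every hit."""
    hits = run_query(events, ADMIN_USERS, datetime.fromisoformat(now_iso), interval_minutes)
    generated, watch_ips = [], set()
    for h in hits:
        generated.append(generate_event(h))
        add_to_list(watch_ips, h, "IpAddress")
    return generated, watch_ips
```

The list lookup is case-insensitive on purpose: the sample carries the same account as ADMIN.BOB and admin.bob, and a query that compared raw strings would miss one of them. A scheduler would call scheduled_run once per minute with the configured interval; the returned events and the updated list are what the real actions would send on, and the 4625 record shows why the EventID filter matters, since a failed logon for an admin is a different signal and should not land in the same alert.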


Replace a Sensor with Events Queries
https://www.sgbox.eu/en/knowledge-base/replace-a-sensor-with-events-queries/
Wed, 24 Nov 2021 16:10:16 +0000

Events Queries as a Sensor

In version 5.3.0 we introduced Events Queries, a new mechanism to search events and produce alerts (see this section).
This article explains how to replace a sensor with an events query, in order to gain flexibility and use fewer SGBox resources.

Requirements:

  • SGBox version 5.3.0
  • The pattern must belong to a specific class.

Scenario:

  • You detect that a suspicious event has been repeated many times and you want to send an alert.

In the From field, select the class and the event.

In the Select field, write the following string:
$PARAM:[SourceIP] as SourceIP, count() as count

In the Finally field, write the following string:
group by SourceIP having count() >= 5

At the end you can Test your query.

After configuring your query you can choose the TimeInterval and the Actions:

  • TimeInterval: the period of time (in minutes) in which the events must occur. If we choose 1, the previous example means: 5 Unix logon failures within 1 minute.
  • Action: what the system does when the query returns results: send an email, generate an event, add a parameter to a list.

Send an email

Generate an event
Remember that you need to map the SQL variables to a specific SGBox parameter.

Add parameter to a list
Remember that you need to specify a list and the parameter you want to add to the list.

Create a sensor
https://www.sgbox.eu/en/knowledge-base/create-a-sensor/
Thu, 08 Apr 2021 16:44:54 +0000

The Sensors

A sensor can be used as an alternative to a correlation rule (see this section) when the number of occurrences is high.
Sensors detect when a large number of events repeat within a time interval and alert the admin when a specific threshold is exceeded. On the other hand, a sensor is less flexible than a correlation rule.

Requirements:

  • A mail server must be configured. See the Configure a Mail server section for how to configure one.
  • The pattern must belong to a specific class.

Using the SGBox web interface: SGBOX > LCE > Sensors

Click on New Sensor

In the left section, Events tab, find the events of interest and drag them into the correct section on the right.
The next step is to configure the Action: search for it in the Actions tab and drag it into the correct section. We choose Send Email.
It is also important to define a Timeout. The Timeout is the maximum time (in seconds) between the first and the last occurrence of the event. In the sensor you also need to specify the number of Occurrences.

You can assign the DISTINCT flag to a parameter in order to count the occurrences separately for each value of that parameter.
In our case, the sensor sends an alert when 10 logon failures occur for the same TargetUserName within 300 seconds.

For the event it is possible to specify these operators:

  • CNT: total number of occurrences for the specified parameter.
  • DISTINCT: a separate count for each value of the specified parameter.

Click on Save to finish the wizard.
Give it a name and a description, and tick the Active flag to enable it.
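An added example (not SGBox code) of the two threshold mechanisms described in this article and in the Events Queries article above: a sensor that counts occurrences per DISTINCT parameter value and fires when 10 logon failures for the same TargetUserName arrive within a 300-second timeout, and an events query that evaluates "group by SourceIP having count() >= 5" over the last TimeInterval minutes. The streaming semantics (the timeout is measured from the oldest event still in the window to the newest, and a key's window is cleared after it fires), the event field names and the sample events are assumptions.

```python
"""Threshold alerting over a stream of parsed events, as an added example
(not SGBox code): the Sensor from this article and the Events Query from the
previous one. Semantics, field names and the sample data are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class ThresholdSensor:
    """Fires when `occurrences` events sharing the DISTINCT key arrive within
    `timeout_s` of each other. An empty key behaves like CNT: one global counter."""

    def __init__(self, key_fields, occurrences, timeout_s):
        self.key_fields = tuple(key_fields)
        self.occurrences = occurrences
        self.timeout = timedelta(seconds=timeout_s)
        self._window = defaultdict(deque)   # key -> timestamps still inside the timeout

    def feed(self, event):
        """Consume one event (in time order); return an alert dict when the threshold is met."""
        key = tuple(event[f] for f in self.key_fields)
        q = self._window[key]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > self.timeout:   # the timeout runs first-to-last
            q.popleft()
        if len(q) >= self.occurrences:
            alert = {"key": dict(zip(self.key_fields, key)), "count": len(q),
                     "first": q[0], "last": q[-1]}
            q.clear()       # one alert per burst, not one per extra event
            return alert
        return None


def events_query(events, key, min_count, interval_minutes, now):
    """Equivalent of `$PARAM:[key] as key, count() as count ... group by key
    having count() >= min_count` over the events of the last interval_minutes."""
    start = now - timedelta(minutes=interval_minutes)
    counts = defaultdict(int)
    for e in events:
        if start <= e["ts"] <= now:
            counts[e[key]] += 1
    return {k: c for k, c in counts.items() if c >= min_count}


T0 = datetime(2024, 1, 15, 10, 0, 0)


def make_failures(user, ip, n, step_s):
    return [{"ts": T0 + timedelta(seconds=i * step_s), "EventID": 4625,
             "TargetUserName": user, "SourceIP": ip} for i in range(n)]


# Constructed sample: a tight burst of failures for bob, a slow trickle for alice.
FAILURES = sorted(make_failures("bob", "203.0.113.5", 10, 15)
                  + make_failures("alice", "203.0.113.6", 10, 60), key=lambda e: e["ts"])


def run_sensor(events, occurrences=10, timeout_s=300):
    """The article's sensor: 10 logon failures for the same TargetUserName within 300 s."""
    sensor = ThresholdSensor(["TargetUserName"], occurrences, timeout_s)
    return [a for a in (sensor.feed(e) for e in events) if a]


def run_events_query(events, min_count=5, interval_minutes=1):
    """The Events Queries article: 5 failures from one SourceIP within a 1-minute
    interval, evaluated as if the scheduler ran one minute after the first event."""
    return events_query(events, "SourceIP", min_count, interval_minutes,
                        T0 + timedelta(minutes=1))
```

The two functions show why the article calls the sensor less flexible: the sensor only counts, while the query is an arbitrary Select/Finally expression, but the sensor sees every event as it arrives whereas the query only sees what fell into the last interval at the moment the scheduler ran. In the sample, alice's failures every 60 seconds never accumulate to 10 inside a 300-second window, so she never trips the sensor, and only bob's source address reaches 5 within the first minute.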

Multiple events correlation rule
https://www.sgbox.eu/en/knowledge-base/multiple-events-correlation-rule/
Thu, 08 Apr 2021 10:26:39 +0000

The multi-event correlation rules

A correlation rule is used to alert the admin when an event, or a series of events, occurs in a specified time range.
In order to create a multi-event rule the following requirements are needed:

Requirements:

  • A mail server must be configured. See the Configure a Mail server section for how to configure one.
  • The pattern must belong to a specific class.

Using the SGBox web interface: SGBOX > LCE > Rules

Click on New Rule

In the left section, Events tab, find the events of interest and drag them into the correct section on the right.

Timeout is the maximum time between the first and the last event.
In this case the rule is verified if at least three login failures happen within 300 seconds.

You can make the rule more specific by connecting some parameters between the events:
selecting the down arrow shows the event menu, where you can select the Previous Host option to tell SGBox that the second event must occur on the same host as the previous one.
Select in the Relative column to connect a parameter between events.
In this case the second event's TargetUserName must be the same as the first event's TargetUserName.

We also tell SGBox that:

  • the third event must occur on the same host as the second
  • the third event's TargetUserName must be the same as the second event's TargetUserName

Click on Save to save the rule.
Give it a name and a description, and tick the Active flag to enable it.
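The following Python correlator is an added example, not SGBox's LCE. It implements the rule model described in this article (a chain of events, a Relative link that ties a parameter of each event to the previous one, and a Timeout between the first and the last event) and encodes four rules from the Default Correlation Rules list at the top of this page, reading `A > B = X,Y` as "B follows A with the same X and Y" and `(Nsec)` as the timeout. That reading of the notation, the event field names (EventID, TargetUserName, IpAddress, Computer), the rule names and the sample event stream are assumptions.

```python
"""Minimal multi-event correlation engine, added as an example (not SGBox's LCE).

Rules are chains of steps; each step may link parameters to the previous
event (the Relative column) and the whole chain must complete within the
rule's timeout. Event shapes, field names and sample records are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Step:
    event_id: int
    link: tuple = ()                            # parameters that must equal the previous event's
    where: dict = field(default_factory=dict)   # constant filters, e.g. {"LogonType": {2, 3, 10}}


@dataclass
class Rule:
    name: str
    steps: list
    timeout_s: int


@dataclass
class Partial:
    rule: Rule
    next_step: int
    first_ts: datetime
    last_event: dict


def step_matches(step, ev, prev=None):
    if ev["EventID"] != step.event_id:
        return False
    if any(ev.get(k) not in allowed for k, allowed in step.where.items()):
        return False
    return prev is None or all(ev.get(k) == prev.get(k) for k in step.link)


def same_entity(rule, a, b):
    """True when a and b agree on every parameter the rule links on."""
    keys = {k for s in rule.steps for k in s.link}
    return all(a.get(k) == b.get(k) for k in keys)


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        self.partials = []

    def feed(self, ev):
        """Consume one event (in time order); return alerts for rules completed by it."""
        fired, survivors = [], []
        for p in self.partials:
            if ev["ts"] - p.first_ts > timedelta(seconds=p.rule.timeout_s):
                continue                                  # chain timed out, discard it
            if step_matches(p.rule.steps[p.next_step], ev, p.last_event):
                if p.next_step + 1 == len(p.rule.steps):
                    fired.append((p.rule, p.first_ts))
                else:
                    survivors.append(Partial(p.rule, p.next_step + 1, p.first_ts, ev))
            else:
                survivors.append(p)
        for rule in self.rules:                           # open a new chain on every first-step match
            if step_matches(rule.steps[0], ev):
                if len(rule.steps) == 1:
                    fired.append((rule, ev["ts"]))
                else:
                    survivors.append(Partial(rule, 1, ev["ts"], ev))
        # One alert per entity: drop other chains of a fired rule that track the same user/host/IP.
        self.partials = [p for p in survivors
                         if not any(p.rule is r and same_entity(r, p.last_event, ev) for r, _ in fired)]
        return [{"rule": r.name, "first": first, "last": ev["ts"],
                 "TargetUserName": ev.get("TargetUserName")} for r, first in fired]


RULES = [
    Rule("Brute force then success",
         [Step(4625), Step(4625, ("TargetUserName", "IpAddress")),
          Step(4625, ("TargetUserName", "IpAddress")), Step(4624, ("TargetUserName", "IpAddress"))], 15),
    Rule("Three failed logons, same user and host",
         [Step(4625), Step(4625, ("TargetUserName", "Computer")), Step(4625, ("TargetUserName", "Computer"))], 300),
    Rule("Account created and deleted in a short time",
         [Step(4720), Step(4726, ("TargetUserName",))], 300),
    Rule("Audit log cleared", [Step(1102)], 1),
]

T0 = datetime(2024, 1, 15, 10, 0, 0)


def rec(sec, event_id, user, ip="-", host="DC01", **extra):
    return {"ts": T0 + timedelta(seconds=sec), "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "Computer": host, **extra}


# Constructed sample stream, already in time order.
EVENTS = [
    rec(0, 4625, "svc_backup", "10.0.0.50"),
    rec(3, 4625, "svc_backup", "10.0.0.50"),
    rec(6, 4625, "svc_backup", "10.0.0.50"),
    rec(9, 4624, "svc_backup", "10.0.0.50", LogonType=3),
    rec(100, 4720, "tmpadm"),
    rec(150, 4625, "alice", "10.0.0.7"),
    rec(200, 4726, "tmpadm"),
    rec(500, 4625, "alice", "10.0.0.7"),      # alice's failures are too spread out to correlate
    rec(900, 4625, "alice", "10.0.0.7"),
    rec(950, 1102, "bob"),
]


def run(events, rules=RULES):
    c = Correlator(rules)
    alerts = []
    for ev in events:
        alerts.extend(c.feed(ev))
    return alerts
```

Events must be fed in time order; the engine never re-sorts. The same-entity suppression after a rule fires is a design choice: without it a fourth failure from svc_backup would fire "Three failed logons" a second time from the chain that opened at the second failure, which is the kind of duplicate a SOC tunes out of a SIEM. The sample stream produces exactly four alerts: the three-failure rule on the third failure, the brute-force rule on the following success (nine seconds after the first failure), the account lifecycle rule on the deletion, and the single-event audit-log rule.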

Telegram BOT
https://www.sgbox.eu/en/knowledge-base/telegram-bot/
Wed, 15 Jan 2020 14:38:11 +0000

Configure SGBox to use the Telegram API in the LCE module and send alert messages

This article explains how to configure SGBox to interact with the Telegram API in order to send alert messages when a specific event occurs.

Requirements:

  • SGBox version 4.2.4 with the LM and LCE modules.
  • A Telegram BOT.

There are many tutorials about how to create a Telegram BOT. We use @BotFather for our example.
First you need to create your bot and obtain your TOKEN:

A token looks like: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1.
The token is the bot's credential: anyone who has it can read the bot's updates and send messages as the bot, so treat it as a secret. Note that it sits in the URL path of every API call below, so those URLs are secrets too and should not end up in logs or screenshots.
You also need the chat_id, so start your bot and say "Hello" to it, then retrieve the chat id:
From your browser go to:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/getupdates

Find the id in the response:
id: 124229696

Once the bot is created, go to SGBOX > LCE > Rules > New Rule.
We choose the event [SGBox] Logon OK for our test, but you can choose any event you want. The related action is Call API.
Specify the Telegram API call with your TOKEN:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/sendMessage -d chat_id=124229696 -d text="New SGBox Logon"

Click Save and give a name to your rule.

If you want, you can also include an event parameter in your message:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/sendMessage -d chat_id=124229696 -d text="SGBox Logon from "

When a logon occurs, a message is sent by your bot:
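The same two Bot API calls, getUpdates and sendMessage, driven from Python as an added example (not SGBox code and not what the Call API action does internally). It reads the bot token from an environment variable instead of pasting it into the URL, extracts the chat id from a getUpdates response, fills event parameters into the message template, and masks the token before a URL is logged. The getUpdates payload, the template placeholder syntax `{Param}` and the environment variable name TELEGRAM_BOT_TOKEN are assumptions; nothing is sent unless that variable is set.

```python
"""Sending an LCE alert through the Telegram Bot API, as an added example
(not SGBox code). Uses the two Bot API calls the article uses, getUpdates and
sendMessage. The token comes from TELEGRAM_BOT_TOKEN (an assumption; the article
pastes it into the URL). The getUpdates payload below is constructed.
"""
import json
import os
import re
import urllib.parse
import urllib.request

API = "https://api.telegram.org"

# Constructed: the kind of payload getUpdates returns after you say "Hello" to the bot.
SAMPLE_UPDATES = json.loads("""{"ok": true, "result": [
  {"update_id": 5001, "message": {"message_id": 1, "date": 1579000000, "text": "Hello",
   "chat": {"id": 124229696, "first_name": "Ops", "type": "private"}}}]}""")


def chat_id_from_updates(payload):
    """Return the chat id of the most recent message in a getUpdates response, or None."""
    if not payload.get("ok"):
        return None
    for update in reversed(payload.get("result", [])):
        chat = update.get("message", {}).get("chat", {})
        if "id" in chat:
            return chat["id"]
    return None


def format_alert(template, event):
    """Fill `{Param}` placeholders from an event; unknown placeholders stay visible."""
    return re.sub(r"\{(\w+)\}", lambda m: str(event.get(m.group(1), m.group(0))), template)


def build_send_message(token, chat_id, text):
    """sendMessage request: token in the URL path, chat_id and text as a form body.
    urlencode handles spaces, quotes and non-ASCII that a hand-built URL would break on."""
    url = f"{API}/bot{token}/sendMessage"
    body = urllib.parse.urlencode({"chat_id": chat_id, "text": text}).encode()
    return url, body


def redact(url):
    """Mask the bot token before the URL goes into a log line or an error message."""
    return re.sub(r"/bot[^/]+/", "/bot<redacted>/", url)


def send_alert(event, template="SGBox Logon from {IpAddress} as {TargetUserName}"):
    """Build and (if a token is configured) POST the alert; return the API reply or None."""
    token = os.environ.get("TELEGRAM_BOT_TOKEN")
    chat_id = chat_id_from_updates(SAMPLE_UPDATES)
    url, body = build_send_message(token or "<no-token>", chat_id, format_alert(template, event))
    if not token:
        return None                       # offline run: nothing leaves the machine
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.URLError as exc:  # never echo the unredacted URL
        raise RuntimeError(f"Telegram call to {redact(url)} failed: {exc.reason}") from exc
```

The page's curl-style `-d text="SGBox Logon from "` works for plain ASCII, but an event field containing `&`, `#` or a quote would corrupt the request if it were spliced into a URL by hand; form-encoding the body is the robust way to pass event data through. The redact helper is there because the token-in-path design means any place the URL is printed (rule debugging, proxy logs, error messages) leaks the bot credential.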

Create a correlation rule
https://www.sgbox.eu/en/knowledge-base/create-a-correlation-rule/
Fri, 28 Jun 2019 15:37:51 +0000

The correlation rules

A correlation rule is used to alert the admin when an event, or a series of events, occurs in a specified time range.
In order to create a new simple rule you need:

Requirements:

  • A mail server must be configured. See the Configure a Mail server section for how to configure one.
  • The pattern must belong to a specific class.

Using the SGBox web interface: SGBOX > LCE > Rules

Click on New Rule

In the left section, Ranges tab, find the time range of interest and drag it into the correct section on the right.

Do the same with the Events tab.

The next step is to configure the Action: search for it in the Actions tab and drag it into the correct section. We choose Send Email.
It is also important to define a Timeout. The Timeout is the maximum time (in seconds) between the first and the last occurrence of the event. If there is only one event we can set the timeout to "1".

Click on Save to finish the wizard.
Give it a name and a description, and tick the Active flag to enable it.
