Sensors – SGBox Next Generation SIEM & SOAR
https://www.sgbox.eu

Replace a Sensor with Events Queries
https://www.sgbox.eu/en/knowledge-base/replace-a-sensor-with-events-queries/
Wed, 24 Nov 2021 16:10:16 +0000

Events Queries as a Sensor

In version 5.3.0 we introduced Events Queries, the new mechanism to search events and produce alerts (see this section).
In this article we explain how to replace a sensor with an events query, in order to gain more flexibility and use fewer SGBox resources.

Requirements:

  • SGBox version 5.3.0
  • Pattern must belong to a specific class.

Scenario:

  • You detect that a suspicious event has been repeated many times and you want to send an alert.

In the From field, select the class and the event.


Write in the Select field the following string:
$PARAM:[SourceIP] as SourceIP, count() as count


Write in the Finally field the following string:
group by SourceIP having count() >= 5


At the end you can Test your query.

After configuring your query you can choose the TimeInterval and the Actions.

  • TimeInterval: the period of time (in minutes) within which the events must occur. If we choose 1 in the previous example it means: 5 unix logon failures in 1 minute.
  • Action: what the system does if this query is verified: send an email, generate an event, add a parameter to a list.


Send an email

Generate an event
Remember that you need to map the SQL variables to a specific SGBox parameter.

Add parameter to a list
Remember that you need to specify a list and the parameter you want to add to the list.
Create a sensor
https://www.sgbox.eu/en/knowledge-base/create-a-sensor/
Thu, 08 Apr 2021 16:44:54 +0000

The Sensors

A sensor can be used as an alternative to a correlation rule (see this section) when the number of occurrences is high.
Sensors detect when a large number of events repeat in a time interval and alert the admin when a specific threshold is exceeded. A sensor, on the other hand, is less flexible than a correlation rule.

Requirements:

  • A mail server must be configured. See the Configure a Mail server section to learn how to configure a mail server.
  • Pattern must belong to a specific class.

Using the SGBox web interface: SGBOX > LCE > Sensors

Click on New Sensor.

In the left section, on the Events tab, find the event of interest and drag it into the correct section on the right.
The next step is to configure the Action. Search for it on the Actions tab and drag it into the correct section. We choose Send Email.
It is also important to define a Timeout. Timeout is the maximum time (in seconds) between the first and the last occurrence of the event. In the sensor you also need to specify the number of Occurrences.


You can assign the DISTINCT flag to a parameter in order to count the occurrences separately for each value of that parameter.
In our case, the sensor sends an alert when 10 logon failures occur from the same TargetUserName within 300 seconds.


For the event it is possible to specify these operators.

  • CNT: total number of occurrences for the specified parameter, regardless of its value.
  • DISTINCT: total number of occurrences for each value of the specified parameter.

Click on Save to finish the wizard.
Give a name, description, and click on Active flag to enable it.
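As an added illustration (not SGBox code), the following Python re-implements the two detection behaviours these two articles describe, over a constructed set of logon-failure events: the events query from the first article (group by SourceIP having count() >= 5 with a TimeInterval of 1 minute), evaluated here as fixed one-minute windows, and the sensor from this article (10 occurrences of the same TargetUserName within a 300-second Timeout, with CNT versus DISTINCT). The fixed-window and sliding-window semantics are assumptions about how SGBox evaluates these settings, and the timestamps, IP addresses and usernames are constructed sample data.

```python
"""Added example (not SGBox code): threshold detection in the style of an
SGBox events query and of a sensor, run over constructed sample events.
Fixed-window / sliding-window semantics are assumptions, not SGBox internals."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events of one pattern class (e.g. "unix logon fail"):
# (timestamp, SourceIP, TargetUserName). IPs are from documentation ranges.
SAMPLE_EVENTS = [
    ("2024-09-05T10:00:05", "203.0.113.10", "alice"),
    ("2024-09-05T10:00:10", "203.0.113.10", "alice"),
    ("2024-09-05T10:00:20", "203.0.113.10", "bob"),
    ("2024-09-05T10:00:30", "203.0.113.10", "alice"),
    ("2024-09-05T10:00:40", "203.0.113.10", "alice"),
    ("2024-09-05T10:00:50", "198.51.100.5", "carol"),
    ("2024-09-05T10:01:10", "198.51.100.5", "carol"),
    ("2024-09-05T10:01:40", "203.0.113.10", "alice"),
    ("2024-09-05T10:02:10", "198.51.100.5", "carol"),
    ("2024-09-05T10:02:40", "203.0.113.10", "alice"),
    ("2024-09-05T10:03:10", "198.51.100.5", "carol"),
    ("2024-09-05T10:03:40", "203.0.113.10", "alice"),
    ("2024-09-05T10:04:10", "203.0.113.10", "alice"),
    ("2024-09-05T10:04:40", "203.0.113.10", "alice"),
    ("2024-09-05T10:04:55", "203.0.113.10", "alice"),
]


def parse_events(rows):
    """Turn the raw tuples into dicts keyed by SGBox-style parameter names."""
    return [
        {"ts": datetime.fromisoformat(ts), "SourceIP": ip, "TargetUserName": user}
        for ts, ip, user in rows
    ]


def events_query(events, group_by, threshold, interval_minutes):
    """Model of the events query in the first article:
         Select:  $PARAM:[SourceIP] as SourceIP, count() as count
         Finally: group by SourceIP having count() >= 5
         TimeInterval: 1 (minute)
    Events are placed in fixed windows of `interval_minutes` (assumed
    semantics), counted per `group_by` value, and the rows whose count meets
    the threshold are returned as (window_start, value, count)."""
    interval = timedelta(minutes=interval_minutes)
    counts = defaultdict(int)
    for ev in events:
        # Floor the timestamp to the start of its window.
        window = datetime.min + ((ev["ts"] - datetime.min) // interval) * interval
        counts[(window, ev[group_by])] += 1
    return [
        (window.isoformat(), value, n)
        for (window, value), n in sorted(counts.items())
        if n >= threshold
    ]


def sensor(events, occurrences, timeout_seconds, distinct=None):
    """Model of the sensor in this article: fire when `occurrences` events
    happen with at most `timeout_seconds` between the first and the last one.
    distinct=None models the CNT operator (all events counted together);
    distinct="TargetUserName" models the DISTINCT flag (one counter per
    value). One alert per burst: the window is cleared after it fires."""
    timeout = timedelta(seconds=timeout_seconds)
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev[distinct] if distinct else None
        window = windows[key]
        window.append(ev["ts"])
        # Sliding window: drop occurrences older than the timeout.
        while ev["ts"] - window[0] > timeout:
            window.popleft()
        if len(window) >= occurrences:
            alerts.append((ev["ts"].isoformat(), key, len(window)))
            window.clear()
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("events query rows:", events_query(events, "SourceIP", 5, 1))
    print("sensor DISTINCT:", sensor(events, 10, 300, distinct="TargetUserName"))
    print("sensor CNT:", sensor(events, 10, 300))
```

With the sample data, the events query returns a single row for 203.0.113.10 in the 10:00 window (five failures in one minute), while widening TimeInterval to 5 minutes counts all eleven of that address's failures in one window. The DISTINCT sensor fires only for alice, whose tenth failure lands 290 seconds after her first; the CNT sensor fires earlier, at the tenth event of any user, because the counter is shared.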
