rule – SGBox Next Generation SIEM & SOAR https://www.sgbox.eu Next Generation SIEM & SOAR Thu, 05 Sep 2024 10:32:44 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.1 https://www.sgbox.eu/wp-content/uploads/2020/09/cropped-Logo-SGBox-Trasparente-NO-SCRITTA-150x150.webp rule – SGBox Next Generation SIEM & SOAR https://www.sgbox.eu 32 32 Default Correlation Rules Explained https://www.sgbox.eu/en/knowledge-base/default-correlation-rules-explained/ Wed, 11 Jan 2023 12:11:11 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=8126

[SGA][4722] Account Enabled > [SGA][4625] Logon Failed = TargetUserName (300sec)

[SGA][4722] Account Enabled > [SGA][4624] Logon OK = TargetUserName (300sec)

Account created and deleted in a short time [SGA][4720] Account Created > [SGA][4726] Account Deleted = TargetUserName (300sec)

[SGA][4740] Account Locked Out (2sec)

[SGA][4624] Logon OK $IpAddress (2sec) 

[SGA][4624] Logon OK $TargetUserName (2sec)

[SGA][4624] Logon OK $TargetUserName > [SGA][4624] Logon OK = TargetUserName,LogonType,IpAddress > [SGA][4624] Logon OK = TargetUserName,LogonType,IpAddress (180sec)

[SGA][4624] Logon OK  $TargetUserName LogonType = 2,3,7,10,11 (2sec)

[SGA][4723] Password Changed $TargetUserName (2sec)

 [SGA][4723] Password Changed $TargetUserName (2sec) 

[SGA][4724] Password Reset $TargetUserName (2sec)

[SGA][4724] Password Reset $TargetUserName (2sec)

[SGA][4624] Logon OK $TargetUserName,IpAddress (2sec)

[SGA][4624] Logon OK $TargetUserName,IpAddress (2sec) (300sec) 10093 – Win Audit – Event Log Backup [SGA][1105] Event Log Backup (2sec) 

[SGA][1108] Event Log Service Error (2sec) 

[SGA][1100] Event Logging Service Shutdown (1sec)

[SGA][4625] Logon Failed SubStatus = 0xC0000072 (1sec)

 [SGA][4625] Logon Failed SubStatus = 0xC0000193 (1sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName > [SGA][4625] Logon Failed = TargetUserName (10sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = IpAddress > [SGA][4625] Logon Failed = IpAddress (10sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = LogonType,PreviousHost > [SGA][4625] Logon Failed = LogonType,PreviousHost (5sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = PreviousHost,TartgetUserName,IpAddress > [SGA][4625] Logon Failed = PreviousHost,TartgetUserName,IpAddress > [SGA][4624] Logon OK = PreviousHost,TartgetUserName,IpAddress (15sec)

SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TartgetUserName,IpAddress > [SGA][4625] Logon Failed = TartgetUserName,IpAddress > [SGA][4624] Logon OK = TartgetUserName,IpAddress (15sec)

 [SGA][4625] Logon Failed = TartgetUserName > [SGA][4625] Logon Failed = TartgetUserName > [SGA][4624] Logon OK = TartgetUserName (15sec)

 [SGA][4624] Logon OK > [SGA][4624] Logon OK = TartgetUserName > [SGA][4624] Logon OK = TartgetUserName > [SGA][4624] Logon OK = TartgetUserName (30sec)

 [SGA][4624] Logon OK > [SGA][4624] Logon OK = IpAddress > [SGA][4624] Logon OK = IpAddress > [SGA][4624] Logon OK = IpAddress (30sec)

 [SGA][4624] Logon OK > [SGA][4624] Logon OK = IpAddress != TargetUserName > [SGA][4624] Logon OK = IpAddress != TargetUserName > [SGA][4624] Logon OK = IpAddress != TargetUserName (30sec)

[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TartgetUserName,IpAddress > [SGA][4625] Logon Failed = TartgetUserName,IpAddress (5sec)

[SGA][4769] A Kerberos service ticket was requested TicketOption = 0x40810000 TicketEncryptionType = 0x17 (2sec)

[SGA][4624] Logon OK LogonType = 9 LogonProcessName ~ seclogo AuthenticationPackageName ~ Negotiate (2sec)

[SGA][1102] Audit Log Cleared (1sec)

 [SGA][1104] Security Log Full (1sec)

[SGA][4719] Audit policy changed (1sec)

[SGA][4624] Logon OK $TargetUserName (300sec)

 [SGA][4624] Logon OK $TargetUserName $IpAddress(2sec)

[SGA][4728] Member Added to Global Group > [SGA][4729] Member Removed from Global Group (60sec)

[SGA][4733] Member Removed from Local Group (60sec)

 [SGA][4756] Member Added to Universal Group > [SGA][4757] Member Removed from Universal Group (60sec)

 [SGA][4728] Member Added to Global Group $TargetUserNam

[SGA][4756] Member Added to Universal Group $TargetUserName

[SGA][4728] Member Added to Global Group $TargetUserName (1sec)

[SGA][4732] Member Added to Local Group $TargetUserName (1sec)

[SGA][4756] Member Added to Universal Group (1sec)

[SGA][4624] Logon OK LogonType = 2,3,7,10,11 (2sec)

[SGA][4729] Member Removed from Global Group (1sec))

[SGA][4733] Member Removed from Local Group (1sec)

[SGA][4757] Member Removed from Universal Group (1sec)

]]> Multiple events correlation rule https://www.sgbox.eu/en/knowledge-base/multiple-events-correlation-rule/ Thu, 08 Apr 2021 10:26:39 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=6250

The multi-events correlation rules

A correlation rule is used to alert the admin when an event, or a series of events, occur in a specified time range.
In order to create a multi-events rule following requirements are needed:

Requirements:

  • A mail server must be configured. Look Configure a Mail server section to see how to configure a mail server.
  • Pattern must belong to specific class.

Using the SGBox web interface: SGBOX > LCE > Rules
Multiple events correlation rule

Clink on New Rule

Multiple events correlation rule

On the left section,tab Events, find the interested events and drag it in correct section on the right.

Multiple events correlation rule

Timeout is the maximum time between the fist and last event.
In this case rule has been verified if: at least three login fail happen within 300 seconds.

You can make the rule more specif by connect some parameters between the events:
Selecting the down arrow the events menu is shown, you can select the Previous Host option in order to tell SGBox that second event must be occur on the same host as previous.
Select in the Relative column to connect the parameter between events.
In this case the second event’s TargetUserName must be the same as first event’s TargetUserName.
Multiple events correlation rule

We tell SGBox also that:

  • the third event must be occur on the same host as second
  • third event’s TargetUserName must be the same as second event’s TargetUserName

Multiple events correlation rule

Click on Save to save the rule.
Give a name, description, and click on Active flag to enable it.

]]>