SIEM depths: out-of-box correlations. Part 3.2. Event Normalization Methodology

 
How do you normalize an event correctly? How do you normalize similar events from different sources without missing anything and without making mistakes? And what if two experts do it independently of each other? In this article we share a general normalization methodology that can help solve this problem.
Image: Martinoflynn.com
semantics of IT or information security (IS) events.
 
Event normalization methodology

The whole event normalization methodology consists of three steps:

1. Expert evaluation of the event.
2. Determination of the interaction scheme.
3. Determination of the event category.
To make it easier to understand how the methodology works, we take one event and consider in detail all the normalization steps it goes through.
3r33748.  
Suppose we have a source, an Oracle Database DBMS, with the following network addressing:

- IP: ???.1;
- Hostname: myoracle;
- FQDN: myoracle.local.
Step 1. Expert evaluation of the event

Example with an event from the Oracle Database DBMS. At this stage the expert should reason like this:

"I, as an expert, believe that the original event describes a role being revoked by one user from another in the Oracle Database DBMS."
3r33748.  
Step 2. Defining the interaction scheme

The previous step lets us make sure that we understand at least the general meaning of the event. Now we analyze in detail how to pick out the entities and determine the pattern of their interaction.
3r33748.  
According to this methodology, for each interaction scheme it is necessary to describe the rules for mapping the key identifiers of entities to the fields of the normalized event. In this case, the rules are defined for:

- network-level entities;
- application-level entities.

It is important to remember that there are schemes in which the Subject equals the Object and equals the Source. For such schemes the rules for filling in the fields of all three entities must be defined explicitly. If this is not done, problems begin at the level of correlation rules or event searches, and extra logic appears for correctly interpreting empty fields. This is covered in the article devoted to interaction schemes.
3r33748.  
Let's look at how this step of the methodology works on the original example:

- Interaction scheme at the network level: full direct collection scheme, without a transmitter.
- Interaction scheme at the application level: interaction through a resource.
The following normalization rules can be defined for these schemes:

1. Network-level entities:
   - Subject:
     - Field: src.ip = ???
     - Field: src.hostname = alex_host
     - Field: src.fqdn = <empty>
   - Object:
     - Field: dst.ip = ???.1
     - Field: dst.hostname = myoracle
     - Field: dst.fqdn = myoracle.local
   - Source (same as Object):
     - Field: event_source.ip = ???.1
     - Field: event_source.hostname = myoracle
     - Field: event_source.fqdn = myoracle.local
   - Transmitter:
     - Field: forwarder.ip = <empty>
     - Field: forwarder.hostname = <empty>
     - Field: forwarder.fqdn = <empty>
   - Interaction channel:
     - Field: interaction.id = 2342594

2. Application-level entities (a collection of elements):
   - Subject:
     - Field: subject[1].name = "Alex"
     - Field: subject[1].type = "account"
   - Object:
     - Field: object[1].name = "Bob"
     - Field: object[1].type = "account"
   - Resource:
     - Field: resource[1].name = "MYROLE"
     - Field: resource[1].type = "role"
Step 3. Defining the category of the event

After all the key entities of the event have been identified, it is necessary to describe the essence of the process reflected in the event and express it in the normalization language. This is what the event categorization system is for. The categorization system was discussed in detail in a separate article; now let's see how it works in practice.
3r33748.  
To unify normalization, the categorization system defines the following rules:

1. For each category at each level of IT and IS events, an expert compiles a directory listing the information that needs to be found in the original event and normalized.
2. If an event has been assigned a category, the expert is obliged, in accordance with the directory, to find the required information and normalize it.
3. Each category defines the set of fields of the normalized event schema that must be filled.

Thus, the category selected for the event establishes a direct correspondence between:

- the semantics of the event;
- the important information to be extracted from the event, according to the assigned category;
- the set of fields of the normalized event schema into which this information must be "put".

This approach makes it clear, for an event of any category, which data sits in which fields of the normalized event.
3r33748.  
If, while supporting new sources, it turns out that some additional important information must be extracted from events of a certain category, this is recorded in the directory. In this case you need to:

- define the rules for filling in the event schema fields;
- audit the normalization of events in this category for all previously supported sources;
- add the new information to previously normalized events.

This keeps the changes consistent. Let's return to the original example.
3r33748.  
According to the categorization system, this event has the following categories:

- Categorization system: IT events
- First-level category (Level 1): User and Rights
- Second-level category (Level 2): User
- Third-level category (Level 3): Manipulation
The directory for this category is as follows:

1. When normalizing events of the "User and Rights" category, it is important to understand:
   - If privilege escalation was used, on whose behalf the process is carried out.
     - Field: subject.assign
   - Whether the actions were successful.
     - Field: result.status
   - What the return code is.
     - Field: result.status.code

2. When normalizing events of the "User" category, it is important to understand:
   - Is there any information about the IP address, host name or FQDN of the user's machine?
     - Fields: src.ip, src.hostname, src.fqdn
     - Fields: dst.ip, dst.hostname, dst.fqdn
   - Which user account was used?
     - Fields: subject[i].name, object[i].name
   - Is there any information about the account in the OS?
     - Fields: subject[i].osname, object[i].osname
   - Is there any information about the domain account?
     - Fields: subject[i].domain, object[i].domain
   - Is there any information about the user application?
     - Fields: subject[i].application, object[i].application

3. When normalizing events of the "Manipulation" category, it is important to understand:
   - The type of operation.
     - Field: interaction.type
   - What was changed.
     - Fields: object[i].name, object[i].type, when the change is to accounts
     - Fields: resource[i].name, resource[i].type, when the change is to a resource
   - What changed in it.
     - Field: object[i].modify
     - Field: resource[i].modify
   - If the operation was on a resource, who owns it.
     - Field: resource[i].owner

We give this directory to demonstrate the principle of its construction; it does not claim to be accurate or complete.
3r33748.  
As a result, an event normalized by this methodology looks like this:

Image: An example of a normalized event at the third step of the methodology.
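As an added example (not code from the article or from the authors' product), here is how Steps 2 and 3 can be expressed as a small normalizer for the Oracle role-revocation event: the interaction-scheme rules fill the network-level and application-level entity fields, the three-level category is assigned, and the category directory is used to audit that every required field is set. The raw event, its key names, the placeholder IP and the directory contents are assumptions constructed for illustration.

```python
from typing import Any

# Constructed raw event (not from the article): what a collector might hand the
# normalizer for the role revocation discussed above. The IP is a placeholder.
RAW = {"src_host": "alex_host", "db_host": "myoracle", "db_fqdn": "myoracle.local",
       "db_ip": "10.0.0.1", "user": "Alex", "grantee": "Bob", "role": "MYROLE",
       "action": "REVOKE ROLE", "returncode": 0, "session": 2342594}

# Category directory from Step 3 (assumed contents): (Level 1, Level 2, Level 3)
# -> fields that must be present and non-empty in the normalized event.
DIRECTORY = {
    ("User and Rights", "User", "Manipulation"): [
        "result.status", "result.status.code",                       # User and Rights
        "src.hostname", "subject[1].name", "object[1].name",         # User
        "interaction.type", "resource[1].name", "resource[1].type",  # Manipulation
    ],
}

def normalize(raw: dict[str, Any]) -> dict[str, Any]:
    """Step 2 (scheme rules) and Step 3 (category) for the Oracle example."""
    ev: dict[str, Any] = {}
    # Network level: full direct collection, no transmitter. Source equals
    # Object, so both entities are filled explicitly rather than left empty.
    ev["src.ip"] = raw.get("src_ip")
    ev["src.hostname"] = raw["src_host"]
    ev["src.fqdn"] = raw.get("src_fqdn")
    for prefix in ("dst", "event_source"):
        ev[f"{prefix}.ip"] = raw["db_ip"]
        ev[f"{prefix}.hostname"] = raw["db_host"]
        ev[f"{prefix}.fqdn"] = raw["db_fqdn"]
    for f in ("ip", "hostname", "fqdn"):
        ev[f"forwarder.{f}"] = None          # no transmitter in this scheme
    ev["interaction.id"] = raw["session"]
    # Application level: interaction through a resource (account -> role -> account).
    ev["subject[1].name"], ev["subject[1].type"] = raw["user"], "account"
    ev["object[1].name"], ev["object[1].type"] = raw["grantee"], "account"
    ev["resource[1].name"], ev["resource[1].type"] = raw["role"], "role"
    ev["interaction.type"] = raw["action"].split()[0].lower()   # "revoke"
    ev["result.status"] = "success" if raw["returncode"] == 0 else "failure"
    ev["result.status.code"] = raw["returncode"]
    ev["category"] = ("User and Rights", "User", "Manipulation")
    return ev

def missing_fields(ev: dict[str, Any]) -> list[str]:
    """Directory audit: required fields that are absent or empty."""
    return [f for f in DIRECTORY[ev["category"]] if ev.get(f) in (None, "")]
```

Running missing_fields on an event whose parser lost, say, the role name surfaces the gap at normalization time instead of as an empty field that correlation rules later have to interpret.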
3r33748.  
Conclusions

Experience shows that it is often normalization errors and the absence of uniform normalization rules that lead to false positives of correlation rules. Now we have an approach that, if it does not eliminate the problem, at least minimizes its impact.

So, to summarize, the approach includes three steps:

- Step 1. The expert tries to understand the general essence of what is described in the original event.
- Step 2. The expert identifies the main network-level and application-level entities in the event: Subject, Object, Source, Transmitter, Resource, Interaction channel. They pick these out of the event and determine the scheme of interaction of these entities. Each scheme defines the rules for placing these entities into the fields of the normalized event schema. Details were given in the article devoted to entity interaction schemes.
- Step 3. The expert determines the first-, second- and third-level category. For each category a directory is created that describes the data that is important to find in the event when normalizing it and which fields of the normalized event the found data must be "put" into.

Now the only thing separating us from building correlation rules that "work out of the box" is the problem of the constantly changing entities themselves: the assets. They change addresses, new assets are introduced, old ones are decommissioned, cluster nodes switch over, and virtual machines move from one data center to another, sometimes even with a change of addressing. How to overcome these problems is the topic of the next article in the series.
3r33748.  
3r33748.  
Series of articles:

- SIEM depths: out-of-box correlations. Part 1: Pure marketing or unsolvable problem?
- SIEM depths: out-of-box correlations. Part 2. The data schema as a reflection of the model of the "world"
- SIEM depths: out-of-box correlations. Part 3.1. Categorization of events
- SIEM depths: out-of-box correlations. Part 3.2. Event normalization methodology (this article)
