basic event correlation rules
TRANSCRIPT
-
7/29/2019 Basic Event Correlation Rules
1/13
1 Copyright 2012 EMC Corporation. All rights reserved.
Discover. Investigate. Remediate.
Basic Event Correlation Rules
-
What is Event Correlation?
Event correlation is the analysis of a mass of events, pinpointing the most significant ones, and triggering actions.
It is generally composed of 4 steps:
A. Event Filtering: discarding events that are irrelevant to the event correlator.
B. Event Aggregation: merging duplicates of the same event.
C. Event Masking: ignoring events that pertain to systems downstream of a failed system.
D. Root Cause Analysis: analysis of dependencies between events.
-
Nextgen/NWFL Process Flow
Log/Packet Capture
Network Rules
Parse
Meta Extraction
Feeds
App Rules
Basic Event Correlation Rules
Write Meta
-
Basic Event Correlation Rules
name=name-string rule=app-rule key=primary-key[,primary-key] thresh=op-string(assoc-key)>value[mb|kb|gb] timewin=value[min|hr|sec]
name-string (Rule Name): will be added as meta when an event occurs
app-rule (Rule): is a valid application rule
primary-key (Instance Key): is a valid language key (e.g. ip.src, ip.dst, etc.) with a type of IPv4, IPv6, or UInt16. If a second primary key is specified, it must be of the same type as the first.
op-string (Threshold): is one of:
u_count - count unique values of the specified key
sum - sum the values of the specified key
count - number of sessions (no key-string needs to be specified)
assoc-key: is a valid language key with a type of IPv4, IPv6, UInt16, UInt32, or UInt64. If a compound key (two primary-keys) is specified, then the assoc-key cannot be IPv4 or IPv6.
value for thresh is not scaled if units are not specified
value for timewin defaults to seconds if units are not specified
-
BEC Rule Implementation
BEC Rules can be applied to Decoders, Log Decoders and Concentrators.
In NwAdministrator, you can manage BEC rules in the Adaptors and Rules section.
In SA, you can manage them in Administration, Devices, View, Config.
-
Sample BEC Rule
name="IPv4 Vertical TCP Port Scan 10" rule="tcp.dstport exists" order=13 thresh=u_count(tcp.dstport)>10 key=ip.src,ip.dst timewin="1 min" type=correlation
-
BEC Event Filtering
rule=app-rule
The rule is the filter that pinpoints the sessions of interest.
It follows the same syntax and works like an App Rule.
rule="tcp.dstport exists"
will send every session that has the tcp.dstport meta field populated on for correlation.
-
BEC - Aggregation
key=primary-key[,primary-key]
key=ip.src,ip.dst
Aggregate (group) filtered sessions by the primary key. In this case, we are grouping the sessions by pairs of source and destination IP.
-
BEC - Analysis
thresh=op-string(assoc-key)>value[mb|kb|gb] timewin=value[min|hr|sec]
thresh=u_count(tcp.dstport)>10
Perform an analysis of the grouped, filtered sessions against the associate key until the threshold is reached.
Then trigger an action, in this case the creation of a meta session and an alert.
-
Thresholds
For the threshold, you do not need to have an associate key; you can just count the sessions that match the filter (e.g. thresh=count()>10).
The threshold can be: sum, count and u_count (unique count).
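As an added illustration (not code from the deck or from the NetWitness product), the following Python models the filter, aggregate and analyse steps the slides describe: it parses the deck's sample rule into its fields, groups sessions by the primary keys, keeps a sliding time window per group and fires once the u_count, sum or count threshold is crossed. The session records, their timestamps and the "<meta> exists" filter form are constructed assumptions; the real decoder's window and app-rule semantics may differ.

```python
import re
from collections import defaultdict

# Constructed sample sessions (not captured data): 10.0.0.5 probes 12 distinct
# ports on 10.0.0.9 within a minute; the other two sessions are benign noise.
SESSIONS = (
    [{"time": 10 + i, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "tcp.dstport": 20 + i}
     for i in range(12)]
    + [{"time": 15, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.9", "tcp.dstport": 443},
       {"time": 200, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "tcp.dstport": 80}]
)
# The deck's sample rule; order= and type= are omitted as they do not affect matching.
RULE = ('name="IPv4 Vertical TCP Port Scan 10" rule="tcp.dstport exists" '
        'thresh=u_count(tcp.dstport)>10 key=ip.src,ip.dst timewin="1 min"')
UNITS = {"sec": 1, "min": 60, "hr": 3600}

def parse_rule(text):
    """Split a BEC rule string into its fields; timewin defaults to seconds."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}
    op, assoc, limit = re.fullmatch(r"(\w+)\(([\w.]*)\)>(\d+)", fields["thresh"]).groups()
    num, unit = re.fullmatch(r"(\d+)\s*(sec|min|hr)?", fields["timewin"]).groups()
    fields["thresh"] = (op, assoc, int(limit))  # byte units (mb|kb|gb) are not modelled
    fields["timewin"] = int(num) * UNITS[unit or "sec"]
    fields["key"] = fields["key"].split(",")     # one or two primary keys
    return fields

def matches_filter(session, app_rule):
    """Filtering step: only the '<meta> exists' app-rule form is modelled here."""
    meta, _, cond = app_rule.partition(" ")
    return cond == "exists" and meta in session

def evaluate(rule, sessions):
    """Aggregate filtered sessions by key, score each group over a sliding time
    window, and report (rule name, key group, time) once per group past the threshold."""
    spec = parse_rule(rule)
    op, assoc, limit = spec["thresh"]
    windows = defaultdict(list)                  # key group -> sessions still in window
    alerts, fired = [], set()
    for s in sorted(sessions, key=lambda x: x["time"]):
        if not matches_filter(s, spec["rule"]):
            continue
        group = tuple(s[k] for k in spec["key"])
        windows[group] = [x for x in windows[group] if x["time"] > s["time"] - spec["timewin"]] + [s]
        vals = [x.get(assoc) for x in windows[group]]
        score = len(vals) if op == "count" else sum(vals) if op == "sum" else len(set(vals))
        if score > limit and group not in fired:  # analysis step: trigger once per group
            fired.add(group)
            alerts.append((spec["name"], group, s["time"]))
    return alerts
```

Shrinking the window to a few seconds with the same traffic shows why timewin matters: the 11th distinct port is never seen inside one window, so the rule stays silent.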
-
Key Constraints
The primary key can only be: IPv4, IPv6 or UInt16 data types.
You can have at most 2 primary keys.
The associate key can only be: IPv4, IPv6, UInt16, UInt32, and UInt64 data types.
The associate key cannot be IPv4 or IPv6 if you have a compound (two) primary key.
-
Best Practices
Consider using meta generated by feeds and app rules rather than checking all sessions.
Be Careful: Correlation Rules can have an impact on capture rates and performance. Always test their impact prior to pushing to production.
-
Questions?
Comments?
Thank You.