SIEM Plan
System security
Windows Events
Active Directory
Event ID repository
Category | Subcategory | Type | Event Log | Event ID | Description | Event ID for Windows 2003 |
---|---|---|---|---|---|---|
Account Logon | Credential Validation | Success, Failure | Security | 4776 | The domain controller attempted to validate the credentials for an account | 680, 681 |
Account Management | Computer Account Management | Success | Security | 4741 | A computer account was created | 645 |
Account Management | Computer Account Management | Success | Security | 4742 | A computer account was changed | 646 |
Account Management | Computer Account Management | Success | Security | 4743 | A computer account was deleted | 647 |
Account Management | Distribution Group Management | Success | Security | 4744 | A security-disabled local group was created | 648 |
Account Management | Distribution Group Management | Success | Security | 4746 | A member was added to a security-disabled local group | 650 |
Account Management | Distribution Group Management | Success | Security | 4747 | A member was removed from a security-disabled local group | 651 |
Account Management | Distribution Group Management | Success | Security | 4748 | A security-disabled local group was deleted | 652 |
Account Management | Distribution Group Management | Success | Security | 4749 | A security-disabled global group was created | 653 |
Account Management | Distribution Group Management | Success | Security | 4751 | A member was added to a security-disabled global group | 655 |
Account Management | Distribution Group Management | Success | Security | 4752 | A member was removed from a security-disabled global group | 656 |
Account Management | Distribution Group Management | Success | Security | 4753 | A security-disabled global group was deleted | 657 |
Account Management | Distribution Group Management | Success | Security | 4759 | A security-disabled universal group was created | 663 |
Account Management | Distribution Group Management | Success | Security | 4761 | A member was added to a security-disabled universal group | 655 |
Account Management | Distribution Group Management | Success | Security | 4762 | A member was removed from a security-disabled universal group | 666 |
Account Management | Security Group Management | Success | Security | 4727 | A security-enabled global group was created | 631 |
Account Management | Security Group Management | Success | Security | 4728 | A member was added to a security-enabled global group | 632 |
Account Management | Security Group Management | Success | Security | 4729 | A member was removed from a security-enabled global group | 633 |
Account Management | Security Group Management | Success | Security | 4730 | A security-enabled global group was deleted | 634 |
Account Management | Security Group Management | Success | Security | 4731 | A security-enabled local group was created | 635 |
Account Management | Security Group Management | Success | Security | 4732 | A member was added to a security-enabled local group | 636 |
Account Management | Security Group Management | Success | Security | 4733 | A member was removed from a security-enabled local group | 637 |
Account Management | Security Group Management | Success | Security | 4734 | A security-enabled local group was deleted | 638 |
Account Management | Security Group Management | Success | Security | 4754 | A security-enabled universal group was created | 658 |
Account Management | Security Group Management | Success | Security | 4755 | A security-enabled universal group was changed | 659 |
Account Management | Security Group Management | Success | Security | 4756 | A member was added to a security-enabled universal group | 660 |
Account Management | Security Group Management | Success | Security | 4757 | A member was removed from a security-enabled universal group | 661 |
Account Management | Security Group Management | Success | Security | 4758 | A security-enabled universal group was deleted | 662 |
Account Management | Security Group Management | Success | Security | 4764 | A group's type was changed | 668 |
Account Management | User Account Management | Success | Security | 4720 | A user account was created | 624 |
Account Management | User Account Management | Success | Security | 4722 | A user account was enabled | 626 |
Account Management | User Account Management | Success | Security | 4723 | An attempt was made to change an account's password | 627 |
Account Management | User Account Management | Success | Security | 4724 | An attempt was made to reset an account's password | 628 |
Account Management | User Account Management | Success | Security | 4725 | A user account was disabled | 629 |
Account Management | User Account Management | Success | Security | 4726 | A user account was deleted | 630 |
Account Management | User Account Management | Success | Security | 4738 | A user account was changed | 642 |
Account Management | User Account Management | Success | Security | 4740 | A user account was locked out | 644 |
Account Management | User Account Management | Success | Security | 4765 | SID History was added to an account | |
Account Management | User Account Management | Failure | Security | 4766 | An attempt to add SID History to an account failed | |
Account Management | User Account Management | Success | Security | 4781 | The name of an account was changed | 685 |
Directory Service | Directory Service Changes | Success | Security | 5136 | A directory service object was modified | 566 |
Directory Service | Directory Service Changes | Success | Security | 5137 | A directory service object was created | 566 |
Directory Service | Directory Service Changes | Success | Security | 5138 | A directory service object was undeleted | |
Directory Service | Directory Service Changes | Success | Security | 5139 | A directory service object was moved | |
Directory Service | Directory Service Changes | Failure | Security | 5141 | A directory service object was deleted | |
Logon/Logoff | Logon | Success | Security | 4624 | An account was successfully logged on | 528, 540 |
Logon/Logoff | Logon | Failure | Security | 4625 | An account failed to log on | 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 |
Object Access | Detailed File Share | Success, Failure | Security | 5145 | A network share object was checked to see whether client can be granted desired access | |
Object Access | File Share | Success | Security | 5140 | A network share object was accessed | |
Object Access | File Share | Success | Security | 5142 | A network share object was added | |
Object Access | File System, Registry, Kernel Object, SAM, Other Object Access Events | Success | Security | 4663 | An attempt was made to access an object | 567 |
Object Access | File System, Registry, Policy Change, Authorization Policy Change | Success | Security | 4670 | Permissions on an object were changed | |
Object Access | File System, Registry, SAM, Handle Manipulation, Other Object Access Events | Success, Failure | Security | 4656 | A handle to an object was requested | 560 |
Object Access | | Success | Security | 561 | Handle Allocated | |
System | Security State Change | Success | Security | 4608 | Windows is starting up | 512 |
System | Security State Change | Success | Security | 4616 | The system time was changed | 520 |
System | Security System Extension | Success | Security | 4610 | An authentication package has been loaded by the Local Security Authority | 514 |
System | System Integrity | Success | Security | 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits | 516 |
System | System Integrity | Success | Security | 4615 | Invalid use of LPC port | 519 |
IOC
Network Analytics Plan
Netflow analysis
The Logstash collector receives and decodes network flows using the provided decoders. During decoding, IP address reputation analysis is performed and the result is added to the event document.
Installation
Install/update Logstash codec plugins for netflow and sflow
/usr/share/logstash/bin/logstash-plugin install file:///etc/logstash/netflow/bin/logstash-codec-sflow-2.1.2.gem.zip
/usr/share/logstash/bin/logstash-plugin install file:///etc/logstash/netflow/bin/logstash-codec-netflow-4.2.1.gem.zip
/usr/share/logstash/bin/logstash-plugin install file:///etc/logstash/netflow/bin/logstash-input-udp-3.3.4.gem.zip
/usr/share/logstash/bin/logstash-plugin update logstash-input-tcp
/usr/share/logstash/bin/logstash-plugin update logstash-filter-translate
/usr/share/logstash/bin/logstash-plugin update logstash-filter-geoip
/usr/share/logstash/bin/logstash-plugin update logstash-filter-dns
Configuration
Enable Logstash pipeline
vim /etc/logstash/pipeline.yml
- pipeline.id: flows
  path.config: "/etc/logstash/conf.d/netflow/*.conf"
Elasticsearch template installation
curl -XPUT -H 'Content-Type: application/json' -u logserver:logserver 'http://127.0.0.1:9200/_template/netflow' -d@/etc/logstash/templates.d/netflow-template.json
Importing Kibana dashboards
curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@overview.json
curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@security.json
curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@sources.json
curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@history.json
curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@destinations.json
Enable bad reputation lists update
crontab -e
0 4 * * * /etc/logstash/lists/bin/badreputation_iplists.sh
Enable reverse DNS lookup
To enable reverse DNS lookup, change USE_DNS:false to USE_DNS:true in 13-filter-dns-geoip.conf.
Optionally, point both DNS server settings ${DNS_SRV:8.8.8.8} at your local DNS server.
Security rules
MS Windows SIEM rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Windows | Windows - Admin night logon | Alert on Windows login events when detected outside business hours | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:(4624 OR 1200) AND user.role:admin AND event.hour:(20 OR 21 OR 22 OR 23 OR 0 OR 1 OR 2 OR 3)" |
2 | Windows | Windows - Admin task as user | Alert when an admin task is initiated by a regular user. Windows event id 4732 is verified against a static admin list. If the user does not belong to the admin list AND the event is seen, then we generate an alert. The static admin list is a Logstash dictionary file that needs to be created manually. During the Logstash lookup a field user.role:admin is added to the event. 4732: A member was added to a security-enabled local group | winlogbeat-* | winlogbeat, Logstash admin dictionary lookup file | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4732 AND NOT user.role:admin" |
3 | Windows | Windows - diff IPs logon | Alert when a Windows logon process is detected and two or more different IP addresses are seen in the source field. Timeframe is the last 15 min. Detection is based on events 4624 or 1200. 4624: An account was successfully logged on 1200: Application token success | winlogbeat-* | winlogbeat | Windows Security Eventlog | cardinality | max_cardinality: 1 timeframe: minutes: 15 filter: - query_string: query: "event_id:(4624 OR 1200) AND NOT _exists_:user.role AND NOT event_data.IpAddress:\"-\" " query_key: username |
4 | Windows | Windows - Event service error | Alert when Windows event 1108 is matched. 1108: The event logging service encountered an error | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:1108" |
5 | Windows | Windows - file insufficient privileges | Alert when Windows event 5145 is matched. 5145: A network share object was checked to see whether client can be granted desired access. Every time a network share object (file or folder) is accessed, event 5145 is logged. If the access is denied at the file share level, it is audited as a failure event. Otherwise, it is considered a success. This event is not generated for NTFS access. | winlogbeat-* | winlogbeat | Windows Security Eventlog | frequency | query_key: "event_data.IpAddress" num_events: 50 timeframe: minutes: 15 filter: - query_string: query: "event_id:5145" |
6 | Windows | Windows - Kerberos pre-authentication failed | Alert when Windows event 4625 or 4771 is matched. 4625: An account failed to log on 4771: Kerberos pre-authentication failed | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4625 OR event_id:4771" |
7 | Windows | Windows - Logs deleted | Alert when Windows event 1102 OR 104 is matched. 1102: The audit log was cleared 104: Event log cleared | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: 'event_desc:"1102 The audit log was cleared"' |
8 | Windows | Windows - Member added to a security-enabled global group | Alert when Windows event 4728 is matched. 4728: A member was added to a security-enabled global group | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4728" |
9 | Windows | Windows - Member added to a security-enabled local group | Alert when Windows event 4732 is matched. 4732: A member was added to a security-enabled local group | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4732" |
10 | Windows | Windows - Member added to a security-enabled universal group | Alert when Windows event 4756 is matched. 4756: A member was added to a security-enabled universal group | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4756" |
11 | Windows | Windows - New device | Alert when Windows event 6414 is matched. 6416: A new external device was recognized by the system | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:6416" |
12 | Windows | Windows - Package installation | Alert when Windows event 4697 is matched. 4697: A service was installed in the system | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4697" |
13 | Windows | Windows - Password policy change | Alert when Windows event 4739 is matched. 4739: Domain Policy was changed | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4739" |
14 | Windows | Windows - Security log full | Alert when Windows event 1104 is matched. 1104: The security log is now full | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:1104" |
15 | Windows | Windows - Start up | Alert when Windows event 4608 is matched. 4608: Windows is starting up | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4608" |
16 | Windows | Windows - Account lock | Alert when Windows event 4740 is matched. 4740: A user account was locked out | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4740" |
17 | Windows | Windows - Security local group was changed | Alert when Windows event 4735 is matched. 4735: A security-enabled local group was changed | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4735" |
18 | Windows | Windows - Reset password attempt | Alert when Windows event 4724 is matched. 4724: An attempt was made to reset an account's password | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4724" |
19 | Windows | Windows - Code integrity changed | Alert when Windows event 5038 is matched. 5038: Detected an invalid image hash of a file. Information: Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. The event logs the following information: | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:5038" |
20 | Windows | Windows - Application error | Alert when Windows event 1000 is matched. 1000: Application error | winlogbeat-* | winlogbeat | Windows Application Eventlog | any | filter: - query_string: query: "event_id:1000" |
21 | Windows | Windows - Application hang | Alert when Windows event 1001 OR 1002 is matched. 1001: Application fault bucket 1002: Application hang | winlogbeat-* | winlogbeat | Windows Application Eventlog | any | filter: - query_string: query: "event_id:1002 OR event_id:1001" |
22 | Windows | Windows - Audit policy changed | Alert when Windows event 4719 is matched. 4719: System audit policy was changed | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:4719" |
23 | Windows | Windows - Eventlog service stopped | Alert when Windows event 6005 is matched. 6005: Eventlog service stopped | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:6005" |
24 | Windows | Windows - New service installed | Alert when Windows event 7045 OR 4697 is matched. 7045, 4697: A service was installed in the system | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:7045 OR event_id:4697" |
25 | Windows | Windows - Driver loaded | Alert when Windows event 6 is matched. 6: Driver loaded. The driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading. | winlogbeat-* | winlogbeat | Windows System Eventlog | any | filter: - query_string: query: "event_id:6" |
26 | Windows | Windows - Firewall rule modified | Alert when Windows event 2005 is matched. 2005: A rule has been modified in the Windows firewall exception list | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: 'event_desc:"4947 A change has been made to Windows Firewall exception list. A rule was modified"' |
27 | Windows | Windows - Firewall rule add | Alert when Windows event 2004 is matched. 2004: A firewall rule has been added | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:2004" |
28 | Windows | Windows - Firewall rule deleted | Alert when Windows event 2006 or 2033 or 2009 is matched. 2006, 2033, 2009: Firewall rule deleted | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: "event_id:2006 OR event_id:2033 OR event_id:2009" |
29 | Windows | Windows - System has been shutdown | This event is written when an application causes the system to restart, or when the user initiates a restart or shutdown by clicking Start or pressing CTRL+ALT+DELETE, and then clicking Shut Down. | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: 'event_id:"1074"' |
30 | Windows | Windows - The system time was changed | The system time has been changed. The event describes the old and new time. | winlogbeat-* | winlogbeat | Windows Security Eventlog | any | filter: - query_string: query: 'event_id:"4616"' |
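The table mixes three rule types: "any" (every matching event alerts), "frequency" (a count threshold per query_key within a timeframe) and "cardinality" (a distinct-value threshold per query_key within a timeframe). The following added example, which is not part of the original rule set and not the alerting tool's own code, re-expresses rules 1, 3 and 5 as Python predicates and evaluates them over constructed winlogbeat-style events, so thresholds and filter logic can be checked before a rule is deployed. The Lucene query_string filters are hand-translated into predicates, the flattened field names (event_id, user.role, event.hour, event_data.IpAddress, username) follow the table, and the sliding-window implementations of frequency and cardinality are an assumption of this example rather than the alerting engine's actual algorithm.

```python
"""Added example: offline evaluation of the any / frequency / cardinality
rule types from the Windows SIEM rule table over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 22, 0)  # constructed reference time: 22:00, outside business hours


def make_event(minute, event_id, username, ip, role=None):
    """Construct a flattened winlogbeat-style document (field names as in the
    rule definitions). Timestamp is BASE + minute; user.role is only set when given."""
    ts = BASE + timedelta(minutes=minute)
    ev = {"@timestamp": ts, "event_id": event_id, "username": username,
          "event_data.IpAddress": ip, "event.hour": ts.hour}
    if role is not None:
        ev["user.role"] = role
    return ev


# Constructed sample events, not real log data.
EVENTS = (
    [make_event(0, 4624, "adm.jdoe", "10.0.0.5", role="admin")]              # admin logon at 22:00
    + [make_event(1, 4624, "bsmith", "10.0.0.7"),
       make_event(5, 4624, "bsmith", "10.0.0.9")]                             # two IPs within 15 min
    + [make_event(1, 4624, "cjones", "10.0.0.7"),
       make_event(40, 4624, "cjones", "10.0.0.8")]                            # two IPs, 39 min apart
    + [make_event(i % 10, 5145, "svc.share", "10.0.0.20") for i in range(50)]  # 50 share checks in 10 min
    + [make_event(i, 5145, "svc.share", "10.0.0.21") for i in range(20)]       # only 20 share checks
)


def admin_night_logon(ev):
    # Rule 1: event_id:(4624 OR 1200) AND user.role:admin AND event.hour:(20..23 OR 0..3)
    return (ev["event_id"] in (4624, 1200) and ev.get("user.role") == "admin"
            and ev["event.hour"] in {20, 21, 22, 23, 0, 1, 2, 3})


def diff_ips_logon(ev):
    # Rule 3 filter: event_id:(4624 OR 1200) AND NOT _exists_:user.role AND NOT event_data.IpAddress:"-"
    return (ev["event_id"] in (4624, 1200) and "user.role" not in ev
            and ev["event_data.IpAddress"] != "-")


def share_access(ev):
    # Rule 5 filter: event_id:5145
    return ev["event_id"] == 5145


def run_any(events, predicate):
    """'any' rule type: every event matching the filter is an alert."""
    return [ev for ev in events if predicate(ev)]


def run_frequency(events, predicate, query_key, num_events, timeframe):
    """'frequency' rule type: alert once a query_key value has at least num_events
    matching events inside a sliding timeframe. Returns the alerted key values."""
    windows = defaultdict(list)   # key -> timestamps of matching events still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not predicate(ev):
            continue
        key = ev[query_key]
        window = windows[key]
        window.append(ev["@timestamp"])
        while window and ev["@timestamp"] - window[0] > timeframe:
            window.pop(0)              # expire events older than the timeframe
        if len(window) >= num_events and key not in alerts:
            alerts.append(key)
    return alerts


def run_cardinality(events, predicate, query_key, cardinality_field, max_cardinality, timeframe):
    """'cardinality' rule type: alert once the number of distinct cardinality_field
    values seen for one query_key inside the timeframe exceeds max_cardinality."""
    history = defaultdict(list)   # key -> (timestamp, value) pairs inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not predicate(ev):
            continue
        key = ev[query_key]
        hist = history[key]
        hist.append((ev["@timestamp"], ev[cardinality_field]))
        hist[:] = [(t, v) for t, v in hist if ev["@timestamp"] - t <= timeframe]
        if len({v for _, v in hist}) > max_cardinality and key not in alerts:
            alerts.append(key)
    return alerts


def run_all(events=EVENTS):
    """Evaluate rules 1, 3 and 5 from the table; returns alerts keyed by rule name."""
    fifteen = timedelta(minutes=15)
    return {
        "Windows - Admin night logon": [e["username"] for e in run_any(events, admin_night_logon)],
        "Windows - diff IPs logon": run_cardinality(
            events, diff_ips_logon, "username", "event_data.IpAddress", 1, fifteen),
        "Windows - file insufficient privileges": run_frequency(
            events, share_access, "event_data.IpAddress", 50, fifteen),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Running the block reports adm.jdoe for the night logon rule, bsmith for the cardinality rule (cjones stays quiet because the second address falls outside the 15-minute window) and 10.0.0.20 for the frequency rule. The admin logon is deliberately excluded from rule 3 by the NOT _exists_:user.role clause, which is why the dictionary lookup described in rule 2 has to run before these rules see the event.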
Network Switch SIEM rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Switch | Switch - Blocked by LACP | ports: port <nr> is Blocked by LACP | syslog-* | syslog | | any | filter: - query_string: query: 'message:"Blocked by LACP"' |
2 | Switch | Switch - Blocked by STP | ports: port <nr> is Blocked by STP | syslog-* | syslog | | any | filter: - query_string: query: 'message:"Blocked by STP"' |
3 | Switch | Switch - Port state changed | Port state changed to down or up | syslog-* | syslog | | any | filter: - query_string: query: 'message:"changed state to"' |
4 | Switch | Switch - Configured from console | Configuration changes from console | syslog-* | syslog | | any | filter: - query_string: query: 'message:"Configured from console"' |
5 | Switch | Switch - High collision or drop rate | | syslog-* | syslog | | any | filter: - query_string: query: 'message:"High collision or drop rate"' |
6 | Switch | Switch - Invalid login | auth: Invalid user name/password on SSH session | syslog-* | syslog | | any | filter: - query_string: query: 'message:"auth: Invalid user name/password on SSH session"' |
7 | Switch | Switch - Logged to switch | | syslog-* | syslog | | any | filter: - query_string: query: 'message:" mgr: SME SSH from"' |
8 | Switch | Switch - Port is offline | ports: port <nr> is now off-line | syslog-* | syslog | | any | filter: - query_string: query: 'message:" is now off-line"' |
9 | Switch | Switch - Port is online | ports: port <nr> is now on-line | syslog-* | syslog | | any | filter: - query_string: query: 'message:" is now on-line"' |
Cisco ASA devices SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Cisco ASA | Cisco ASA - Device interface administratively up | Device interface administratively up | syslog-* | | syslog from Cisco ASA devices | any | filter: - query_string: query: 'cisco.id:"%ASA-4-411003"' |
2 | Cisco ASA | Cisco ASA - Device configuration has been changed or reloaded | Device configuration has been changed or reloaded | syslog-* | | syslog from Cisco ASA devices | any | filter: - query_string: query: 'cisco.id:("%ASA-5-111007" OR "%ASA-5-111008")' |
3 | Cisco ASA | Cisco ASA - Device interface administratively down | Device interface administratively down | syslog-* | | syslog from Cisco ASA devices | any | filter: - query_string: query: 'cisco.id:"%ASA-4-411004"' |
4 | Cisco ASA | Cisco ASA - Device line protocol on Interface changed state to down | Device line protocol on Interface changed state to down | syslog-* | | syslog from Cisco ASA devices | any | filter: - query_string: query: 'cisco.id:"%ASA-4-411002"' |
5 | Cisco ASA | Cisco ASA - Device line protocol on Interface changed state to up | Device line protocol on Interface changed state to up | syslog-* | | syslog from Cisco ASA devices | any | filter: - query_string: query: 'cisco.id:"%ASA-4-411001"' |
6 | Cisco ASA | Cisco ASA - Device user executed shutdown | Device user executed shutdown | syslog-* | | syslog from Cisco ASA devices | any | filter: - query_string: query: 'cisco.id:"%ASA-5-111010"' |
7 | Cisco ASA | Cisco ASA - Multiple VPN authentication failed | Multiple VPN authentication failed | syslog-* | | syslog from Cisco ASA devices | frequency | query_key: "src.ip" num_events: 10 timeframe: minutes: 240 filter: - query_string: query: 'cisco.id:"%ASA-6-113005"' |
8 | Cisco ASA | Cisco ASA - VPN authentication failed | VPN authentication failed | syslog-* | | syslog from Cisco ASA devices | any | filter: - query_string: query: 'cisco.id:"%ASA-6-113005"' |
9 | Cisco ASA | Cisco ASA - VPN authentication successful | VPN authentication successful | syslog-* | | syslog from Cisco ASA devices | any | filter: - query_string: query: 'cisco.id:"%ASA-6-113004"' |
10 | Cisco ASA | Cisco ASA - VPN user locked out | VPN user locked out | syslog-* | | syslog from Cisco ASA devices | any | filter: - query_string: query: 'cisco.id:"%ASA-6-113006"' |
Linux Mail SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Mail Linux | Mail - Flood Connect from | Connection flood, possible DDoS attack | syslog-* | | syslog | frequency | filter: - query_string: query: 'message:"connect from"' query_key: host timeframe: hours: 1 num_events: 50 |
2 | Mail Linux | Mail - SASL LOGIN authentication failed | User authentication failure | syslog-* | | syslog | frequency | filter: - query_string: query: 'message:"SASL LOGIN authentication failed: authentication failure"' query_key: host timeframe: hours: 1 num_events: 30 |
3 | Mail Linux | Mail - Sender rejected | Sender rejected | syslog-* | | syslog | frequency | filter: - query_string: query: 'message:"NOQUEUE: reject: RCPT from"' query_key: host timeframe: hours: 1 num_events: 20 |
Linux DNS Bind SIEM Rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | DNS | DNS - Anomaly in geographic region | DNS anomaly detection in geographic region | filebeat-* | filebeat | | spike | query_key: geoip.country_code2 threshold_ref: 500 spike_height: 3 spike_type: "up" timeframe: minutes: 10 filter: - query_string: query: "NOT geoip.country_code2:(US OR PL OR NL OR IE OR DE OR FR OR GB OR SK OR AT OR CZ OR NO OR AU OR DK OR FI OR ES OR LT OR BE OR CH) AND _exists_:geoip.country_code2 AND NOT domain:(*.outlook.com OR *.pool.ntp.org)" |
2 | DNS | DNS - Domain requests | Domain requests | filebeat-* | filebeat | | frequency | query_key: "domain" num_events: 1000 timeframe: minutes: 5 filter: - query_string: query: "NOT domain:(/.*localdomain/) AND _exists_:domain" |
3 | DNS | DNS - Domain requests by source IP | Domain requests by source IP | filebeat-* | filebeat | | cardinality | query_key: "src_ip" cardinality_field: "domain" max_cardinality: 3000 timeframe: minutes: 10 filter: - query_string: query: "NOT domain:(/.*.arpa/ OR /.*localdomain/ OR /.*office365.com/) AND _exists_:domain" |
4 | DNS | DNS - Resolved domain matches IOC IP blacklist | Resolved domain matches IOC IP blacklist | filebeat-* | filebeat | | blacklist-ioc | compare_key: "domain_ip" blacklist-ioc: - "!yaml /etc/logstash/lists/misp_ip.yml" |
Fortigate Devices SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | FortiOS 6.x | Fortigate virus | | fortigate* | FortiOS with Antivirus, IPS, Fortisandbox modules, Logstash KV filter, default-base-template | syslog from Forti devices | Any | filter: - query_string: query: "subtype:virus and action:blocked" |
2 | FortiOS 6.x | Fortigate http server attack by destination IP | | fortigate* | FortiOS with waf, IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | frequency | query_key: "dst_ip" num_events: 10 timeframe: hours: 1 filter: - query_string: query: "level:alert and subtype:ips and action:dropped and profile:protect_http_server" |
3 | FortiOS 6.x | Fortigate forward deny by source IP | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | frequency | query_key: "src_ip" num_events: 250 timeframe: hours: 1 filter: - query_string: query: "subtype:forward AND action:deny" |
4 | FortiOS 6.x | Fortigate failed login | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | Any | filter: - query_string: query: "action:login and status:failed" |
5 | FortiOS 6.x | Fortigate failed login same source | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | frequency | query_key: "src_ip" num_events: 18 timeframe: minutes: 45 filter: - query_string: query: "action:login and status:failed" |
6 | FortiOS 6.x | Fortigate device configuration changed | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | any | filter: - query_string: query: '"Configuration is changed in the admin session"' |
7 | FortiOS 6.x | Fortigate unknown tunneling setting | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | any | filter: - query_string: query: '"http_decoder: HTTP.Unknown.Tunnelling"' |
8 | FortiOS 6.x | Fortigate multiple tunneling same source | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | frequency | query_key: "src_ip" num_events: 18 timeframe: minutes: 45 filter: - query_string: query: '"http_decoder: HTTP.Unknown.Tunnelling"' |
9 | FortiOS 6.x | Fortigate firewall configuration changed | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | any | filter: - query_string: query: "action:Edit" |
10 | FortiOS 6.x | Fortigate SSL VPN login fail | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | any | filter: - query_string: query: "ssl-login-fail" |
11 | FortiOS 6.x | Fortigate Multiple SSL VPN login failed same source | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | frequency | query_key: "src_ip" num_events: 18 timeframe: minutes: 45 filter: - query_string: query: "ssl-login-fail" |
12 | FortiOS 6.x | Fortigate suspicious traffic | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | any | filter: - query_string: query: "type:traffic AND status:high" |
13 | FortiOS 6.x | Fortigate suspicious traffic same source | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | frequency | query_key: "src_ip" num_events: 18 timeframe: minutes: 45 filter: - query_string: query: "type:traffic AND status:high" |
14 | FortiOS 6.x | Fortigate URL blocked | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | any | filter: - query_string: query: "action:blocked AND status:warning" |
15 | FortiOS 6.x | Fortigate multiple URL blocked same source | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | frequency | query_key: "src_ip" num_events: 18 timeframe: minutes: 45 filter: - query_string: query: "action:blocked AND status:warning" |
16 | FortiOS 6.x | Fortigate attack detected | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | any | filter: - query_string: query: "attack AND action:detected" |
17 | FortiOS 6.x | Fortigate attack dropped | | fortigate* | FortiOS with IPS, modules, Logstash KV filter, default-base-template | syslog from Forti devices | any | filter: - query_string: query: "attack AND action:dropped" |
Linux Apache SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Apache | HTTP 1xx peak | Response status 1xx | httpd* | | Apache logs | spike | threshold_cur: 100 timeframe: hours: 2 spike_height: 5 spike_type: "up" filter: - query: query_string: query: "response.status.code:1*" - type: value: "_doc" |
2 | Apache | HTTP 2xx responses for unwanted URLs | Requests for URLs like /phpMyAdmin, /wpadmin, /wp-login.php, /.env, /admin, /owa/auth/logon.aspx, /api, /license.txt, /api/v1/pods, /solr/admin/info/system, /backup/, /admin/config.php, /dana-na, /dbadmin/, /myadmin/, /mysql/, /php-my-admin/, /sqlmanager/, /mysqlmanager/, config.php | httpd* | | Apache logs | blacklist | compare_key: http.request ignore_null: true blacklist: - /phpMyAdmin - /wpadmin - /wp-login.php - /.env - /admin - /owa/auth/logon.aspx - /api - /license.txt - /api/v1/pods - /solr/admin/info/system - /backup/ - /admin/config.php - /dana-na - /dbadmin/ - /myadmin/ - /mysql/ - /php-my-admin/ - /sqlmanager/ - /mysqlmanager/ - config.php |
3 | Apache | HTTP 2xx spike | | httpd* | | Apache logs | spike | threshold_cur: 100 timeframe: hours: 2 spike_height: 5 spike_type: "up" filter: - query: query_string: query: "response.status.code:2*" - type: value: "_doc" |
4 | Apache | HTTP 3xx spike | Response status 3xx | httpd* | | Apache logs | any | threshold_cur: 100 timeframe: hours: 2 spike_height: 5 spike_type: "up" filter: - query: query_string: query: "response.status.code:3*" - type: value: "_doc" |
5 | Apache | HTTP 4xx spike | Response status 4xx | httpd* | | Apache logs | spike | threshold_cur: 100 timeframe: hours: 2 spike_height: 5 spike_type: "up" filter: - query: query_string: query: "response.status.code:4*" - type: value: "_doc" |
6 | Apache | HTTP 5xx spike | Response status 5xx | httpd* | | Apache logs | spike | threshold_cur: 100 timeframe: hours: 2 spike_height: 5 spike_type: "up" filter: - query: query_string: query: "response.status.code:5*" - type: value: "_doc" |
RedHat / CentOS system SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Linux | Linux - Group Change | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"added by root to group"' |
2 | Linux | Linux - Group Created | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"new group: "' |
3 | Linux | Linux - Group Removed | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"removed group: " OR message:"removed shadow group: "' |
4 | Linux | Linux - Interrupted Login | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"Connection closed by"' |
5 | Linux | Linux - Login Failure | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"Failed password for"' |
6 | Linux | Linux - Login Success | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"Accepted password for"' |
7 | Linux | Linux - Out of Memory | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"killed process"' |
8 | Linux | Linux - Password Change | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"password changed"' |
9 | Linux | Linux - Process Segfaults | | syslog-* | | Syslog | any | filter: - query_string: query: "message:segfault" |
10 | Linux | Linux - Process Traps | | syslog-* | | Syslog | any | filter: - query_string: query: "message:traps" |
11 | Linux | Linux - Service Started | | syslog-* | | Syslog | any | filter: - query_string: query: "message:Started" |
12 | Linux | Linux - Service Stopped | | syslog-* | | Syslog | any | filter: - query_string: query: "message:Stopped" |
13 | Linux | Linux - Software Erased | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"Erased: "' |
14 | Linux | Linux - Software Installed | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"Installed: "' |
15 | Linux | Linux - Software Updated | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"Updated: "' |
16 | Linux | Linux - User Created | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"new user: "' |
17 | Linux | Linux - User Removed | | syslog-* | | Syslog | any | filter: - query_string: query: 'message:"delete user"' |
Checkpoint devices SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | VPN-1 & FireWall-1 | Checkpoint - Drop a packet by source IP | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Frequency | query_key: "src" num_events: 10 timeframe: hours: 1 filter: - query_string: query: "action:drop" use_count_query: true doc_type: doc |
2 | VPN-1 & FireWall-1 | Checkpoint - Reject by source IP | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Frequency | query_key: "src" num_events: 10 timeframe: hours: 1 filter: - query_string: query: "action:reject" use_count_query: true doc_type: doc |
3 | VPN-1 & FireWall-1 | Checkpoint - User login | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Any | query_key: "user" filter: - query_string: query: 'auth_status:"Successful Login"' use_count_query: true doc_type: doc |
4 | VPN-1 & FireWall-1 | Checkpoint - Failed Login | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Any | query_key: "user" filter: - query_string: query: 'auth_status:"Failed Login"' use_count_query: true doc_type: doc |
5 | VPN-1 & FireWall-1 | Checkpoint - Application Block by user | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Frequency | query_key: "user" num_events: 10 timeframe: hours: 1 filter: - query_string: query: 'action:block AND product:"Application Control"' use_count_query: true doc_type: doc |
6 | VPN-1 & FireWall-1 | Checkpoint - URL Block by user | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Frequency | query_key: "user" num_events: 10 timeframe: hours: 1 filter: - query_string: query: 'action:block AND product:"URL Filtering"' use_count_query: true doc_type: doc |
7 | VPN-1 & FireWall-1 | Checkpoint - Block action with user | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Any | query_key: "user" filter: - query_string: query: "action:block" use_count_query: true doc_type: doc |
8 | VPN-1 & FireWall-1 | Checkpoint - Encryption keys were created | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Any | filter: - query_string: query: "action:keyinst" use_count_query: true doc_type: doc |
9 | VPN-1 & FireWall-1 | Checkpoint - Connection was detected by Interspect | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Any | filter: - query_string: query: "action:detect" use_count_query: true doc_type: doc |
10 | VPN-1 & FireWall-1 | Checkpoint - Connection was subject to a configured protection | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Any | filter: - query_string: query: "action:inspect" use_count_query: true doc_type: doc |
11 | VPN-1 & FireWall-1 | Checkpoint - Connection with source IP was quarantined | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Any | query_key: "src" filter: - query_string: query: "action:quarantine" use_count_query: true doc_type: doc |
12 | VPN-1 & FireWall-1 | Checkpoint - Malicious code in the connection with source IP was replaced | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Any | query_key: "src" filter: - query_string: query: 'action:"Replace Malicious code"' use_count_query: true doc_type: doc |
13 | VPN-1 & FireWall-1 | Checkpoint - Connection with source IP was routed through the gateway acting as a central hub | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Any | query_key: "src" filter: - query_string: query: 'action:"VPN routing"' use_count_query: true doc_type: doc |
14 | VPN-1 & FireWall-1 | Checkpoint - Security event with user was monitored | | checkpoint* | Checkpoint devices, fw1-loggrabber (https://github.com/certego/fw1-loggrabber) | Checkpoint firewall, OPSEC Log Export APIs (LEA) | Frequency | query_key: "user" num_events: 10 timeframe: hours: 1 filter: - query_string: query: "action:Monitored" use_count_query: true doc_type: doc |
Cisco ESA devices SIEM rule¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Cisco ESA | ESA - Attachments exceeded the URL scan | | syslog-* | Cisco ESA | | any | filter: - query_string: query: 'message:"attachments exceeded the URL scan"' |
2 | Cisco ESA | ESA - Extraction Failure | | syslog-* | Cisco ESA | | any | filter: - query_string: query: 'message:"Extraction Failure"' |
3 | Cisco ESA | ESA - Failed to expand URL | | syslog-* | Cisco ESA | | any | filter: - query_string: query: 'message:"Failed to expand URL"' |
4 | Cisco ESA | ESA - Invalid host configured | | syslog-* | Cisco ESA | | any | filter: - query_string: query: 'message:"Invalid host configured"' |
5 | Cisco ESA | ESA - Marked unscannable due to RFC Violation | | syslog-* | Cisco ESA | | any | filter: - query_string: query: 'message:"was marked unscannable due to RFC Violation"' |
6 | Cisco ESA | ESA - Message was not scanned for Sender Domain Reputation | | syslog-* | Cisco ESA | | any | filter: - query_string: query: 'message:"Message was not scanned for Sender Domain Reputation"' |
7 | Cisco ESA | ESA - URL Reputation Rule | | syslog-* | Cisco ESA | | any | filter: - query_string: query: 'message:"URL Reputation Rule"' |
Forcepoint devices SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | | Forcepoint HIGH | All high alerts | syslog-dlp* | | | any | alert_text_type: alert_text_only alert_text: "Forcepoint HIGH alert\n\n When: {}\n Analyzed by: {}\n User name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - user - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "Severity:HIGH" |
2 | | Forcepoint MEDIUM | All medium alerts | syslog-dlp* | | | any | alert_text_type: alert_text_only alert_text: "Forcepoint MEDIUM alert\n\n When: {}\n Analyzed by: {}\n User name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - user - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "Severity:MEDIUM" |
3 | | Forcepoint LOW | All low alerts | syslog-dlp* | | | any | alert_text_type: alert_text_only alert_text: "Forcepoint LOW alert\n\n When: {}\n Analyzed by: {}\n User name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - user - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "Severity:LOW" |
4 | | Forcepoint blocked email | Email was blocked by Forcepoint | syslog-dlp* | | | any | alert_text_type: alert_text_only alert_text: "Email blocked\n\n When: {}\n Analyzed by: {}\n File name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - File_Name - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "Action:Blocked and Channel:Endpoint Email" |
5 | | Forcepoint removables | Forcepoint blocked data transfer to removable device | syslog-dlp* | | | any | alert_text_type: alert_text_only alert_text: "Data transfer to removable device blocked\n\n When: {}\n Analyzed by: {}\n File name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - File_Name - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "Action:Blocked and Channel:Endpoint Removable Media" |
Oracle Database Engine SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Oracle DB | Oracle - Allocate memory ORA-00090 | Failed to allocate memory for cluster database | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00090" |
2 | Oracle DB | Oracle logon denied ORA-12317 | logon to database (link name string) | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-12317" |
3 | Oracle DB | Oracle credential failed ORA-12638 | Credential retrieval failed | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 num_events: 10 filter: - term: oracle.code: "ora-12638" |
4 | Oracle DB | Oracle client internal error ORA-12643 | Client received internal error from server | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 num_events: 10 filter: - term: oracle.code: "ora-12643" |
5 | Oracle DB | ORA-00018: maximum number of sessions exceeded | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00018" |
6 | Oracle DB | ORA-00019: maximum number of session licenses exceeded | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00019" |
7 | Oracle DB | ORA-00020: maximum number of processes (string) exceeded | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00020" |
8 | Oracle DB | ORA-00024: logins from more than one process not allowed in single-process mode | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00024" |
9 | Oracle DB | ORA-00025: failed to allocate string (out of memory) | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00025" |
10 | Oracle DB | ORA-00055: maximum number of DML locks exceeded | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00055" |
11 | Oracle DB | ORA-00057: maximum number of temporary table locks exceeded | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00057" |
12 | Oracle DB | ORA-00059: maximum number of DB_FILES exceeded | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00059" |
13 | Oracle DB | Oracle - Deadlocks ORA-00060 | Deadlock detected while waiting for resource | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00060" |
14 | Oracle DB | ORA-00063: maximum number of log files exceeded | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00063" |
15 | Oracle DB | ORA-00064: object is too large to allocate on this O/S | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 filter: - term: oracle.code: "ora-00064" |
16 | Oracle DB | ORA-12670: Incorrect role password | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 num_events: 10 filter: - term: oracle.code: "ora-12670" |
17 | Oracle DB | ORA-12672: Database logon failure | | oracle-* | Filebeat | Oracle Alert Log | any | timeframe: minutes: 15 num_events: 10 filter: - term: oracle.code: "ora-12672" |
Paloalto devices SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | | Paloalto - Configuration changes failed | Config changes Failed | paloalto-* | | | frequency | timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: CONFIG - term: result: Failed |
2 | | Paloalto - Flood detected | Flood detected via a Zone Protection profile | paloalto-* | | | frequency | timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - term: pan.subtype: flood |
3 | | Paloalto - Scan detected | Scan detected via a Zone Protection profile | paloalto-* | | | frequency | timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - term: pan.subtype: scan |
4 | | Paloalto - Spyware detected | Spyware detected via an Anti-Spyware profile | paloalto-* | | | frequency | timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - term: pan.subtype: spyware |
5 | | Paloalto - Unauthorized configuration changed | Attempted unauthorized configuration changes | paloalto-* | | | frequency | timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: CONFIG - term: result: Unauthorized |
6 | | Paloalto - Virus detected | Virus detected via an Antivirus profile. | paloalto-* | | | frequency | timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - terms: pan.subtype: [ "virus", "wildfire-virus" ] |
7 | | Paloalto - Vulnerability exploit detected | Vulnerability exploit detected via a Vulnerability Protection profile | paloalto-* | | | frequency | timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - term: pan.subtype: vulnerability |
Microsoft Exchange SIEM rules¶
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | MS Exchange | Exchange - Increased amount of incoming emails | | exchange-* | | | spike | metric_agg_key: "exchange.network-message-id" metric_agg_type: "cardinality" doc_type: "_doc" max_threshold: 10 buffer_time: minutes: 1 filter: - query_string: query: "exchange.sender-address:*.company.com AND exchange.event-id:SEND AND exchange.message-subject:*" query_key: ["exchange.message-subject-agg", "exchange.sender-address"] |
2 | MS Exchange | Exchange - Internal sender sent email to public provider | | exchange-* | | | whitelist | metric_agg_key: "exchange.network-message-id" metric_agg_type: "cardinality" doc_type: "_doc" max_threshold: 10 buffer_time: minutes: 1 filter: - query_string: query: "NOT exchange.sender-address:(*@company.com) AND exchange.event-id:SEND AND exchange.message-subject:* AND NOT exchange.recipient-address:public@company.com" query_key: ["exchange.message-subject-agg", "exchange.sender-address"] |
3 | MS Exchange | Exchange - Internal sender sent the same title to many recipients | | exchange-* | | | metric_aggregation | filter: - query_string: query: "NOT exchange.recipient-address:public@company.com AND NOT exchange.sender-address:(*@company.com) AND exchange.event-id:SEND AND exchange.data.atch:[1 TO *] AND _exists_:exchange AND exchange.message-subject:(/.*invoice.*/ OR /.*payment.*/ OR /.*faktur.*/)" query_key: ["exchange.sender-address"] |
4 | MS Exchange | Exchange - Received email with banned title | | exchange-* | | | any | threshold_ref: 5 timeframe: days: 1 spike_height: 3 spike_type: "up" alert_on_new_data: false use_count_query: true doc_type: _doc query_key: ["exchange.sender-address"] filter: - query_string: query: "NOT exchange.event-id:(DEFER OR RECEIVE OR AGENTINFO) AND _exists_:exchange" |
5 | MS Exchange | Exchange - The same title to many recipients | | exchange-* | | | metric_aggregation | compare_key: "exchange.sender-address" ignore_null: true filter: - query_string: query: "NOT exchange.recipient-address:(*@company.com) AND _exists_:exchange.recipient-address AND exchange.event-id:AGENTINFO AND NOT exchange.sender-address:(bok@* OR postmaster@*) AND exchange.data.atch:[1 TO *] AND exchange.recipient-count:1 AND exchange.recipient-address:(*@gmail.com OR *@wp.pl OR *@o2.pl OR *@interia.pl OR *@op.pl OR *@onet.pl OR *@vp.pl OR *@tlen.pl OR *@onet.eu OR *@poczta.fm OR *@interia.eu OR *@hotmail.com OR *@gazeta.pl OR *@yahoo.com OR *@icloud.com OR *@outlook.com OR *@autograf.pl OR *@neostrada.pl OR *@vialex.pl OR *@go2.pl OR *@buziaczek.pl OR *@yahoo.pl OR *@post.pl OR *@wp.eu OR *@me.com OR *@yahoo.co.uk OR *@onet.com.pl OR *@tt.com.pl OR *@spoko.pl OR *@amorki.pl OR *@7dots.pl OR *@googlemail.com OR *@gmx.de OR *@upcpoczta.pl OR *@live.com OR *@piatka.pl OR *@opoczta.pl OR *@web.de OR *@protonmail.com OR *@poczta.pl OR *@hot.pl OR *@mail.ru OR *@yahoo.de OR *@gmail.pl OR *@02.pl OR *@int.pl OR *@adres.pl OR *@10g.pl OR *@ymail.com OR *@data.pl OR *@aol.com OR *@gmial.com OR *@hotmail.co.uk)" whitelist: - allowed@example.com - allowed@example2.com |
Juniper Devices SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Junos-IDS | Juniper - IDS attack detection | | junos* | JunOS devices with IDS module | Syslog from Juniper devices | Any | `filter: - query_string: query: "_exists_:attack-name" include: - attack-name` |
2 | Junos-IDS | Junos - RT flow session deny | | junos* | JunOS devices SRX, RT Flow | Syslog from Juniper devices | Any | `filter: - query_string: query: "category:RT_FLOW AND subcat:RT_FLOW_SESSION_DENY" include: - srcip - dstip` |
3 | Junos-IDS | Junos - RT flow reassemble fail | | junos* | JunOS devices SRX, RT Flow | Syslog from Juniper devices | Any | `filter: - query_string: query: "category:RT_FLOW AND subcat:FLOW_REASSEMBLE_FAIL" include: - srcip - dstip` |
4 | Junos-IDS | Junos - RT flow mcast rpf fail | | junos* | JunOS devices SRX, RT Flow | Syslog from Juniper devices | Any | `filter: - query_string: query: "category:RT_FLOW AND subcat:FLOW_MCAST_RPF_FAIL" include: - srcip - dstip` |
Fudo SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | | Fudo - General Error | | fudo* | http://download.wheelsystems.com/documentation/fudo/4_0/online_help/en/reference/en/log_messages.html | Syslog FUDO | Any | `filter: - query_string: query: "syslog_serverity:error" include: - fudo_message` |
2 | | Fudo - Failed to authenticate using password | | fudo* | http://download.wheelsystems.com/documentation/fudo/4_0/online_help/en/reference/en/log_messages.html | Syslog FUDO | Any | `filter: - query_string: query: "fudo_code:FSE0634" include: - fudo_user` |
3 | | Fudo - Unable to establish connection | | fudo* | http://download.wheelsystems.com/documentation/fudo/4_0/online_help/en/reference/en/log_messages.html | Syslog FUDO | Any | `filter: - query_string: query: "fudo_code:FSE0378" include: - fudo_connection - fudo_login` |
4 | | Fudo - Authentication timeout | | fudo* | http://download.wheelsystems.com/documentation/fudo/4_0/online_help/en/reference/en/log_messages.html | Syslog FUDO | Any | `filter: - query_string: query: "fudo_code:FUE0081"` |
Squid SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Squid | Squid - Configuration file changed | Modifying squid.conf file | syslog-* | Audit module | syslog | any | `filter: - query_string: query: 'message:"File /etc/squid/squid.conf checksum changed."'` |
2 | Squid | Squid - Cannot open HTTP port | Cannot open HTTP Port | squid-* | | squid | any | `filter: - query_string: query: 'message:"Cannot open HTTP Port"'` |
3 | Squid | Squid - Unauthorized connection | Unauthorized connection, blocked website entry | squid-* | | squid | any | `filter: - query_string: query: 'squid_request_status:"TCP_DENIED/403"'` |
4 | Squid | Squid - Proxy server stopped | Service stopped | syslog-* | | syslog | any | `filter: - query_string: query: 'message:"Stopped Squid caching proxy."'` |
5 | Squid | Squid - Proxy server started | Service started | syslog-* | | syslog | any | `filter: - query_string: query: 'message:"Started Squid caching proxy."'` |
6 | Squid | Squid - Invalid request | Invalid request | squid-* | | squid | any | `filter: - query_string: query: 'squid_request_status:"error:invalid-request"'` |
McAfee SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
Microsoft DNS Server SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1. | WINDOWS DNS | WIN DNS - Format Error | Format error; DNS server did not understand the update request | prod-win-dns-* | | | any | `timeframe: minutes: 15 filter: - term: dns.result: FORMERR` |
2. | WINDOWS DNS | WIN DNS - DNS server internal error | DNS server encountered an internal error, such as a forwarding timeout | prod-win-dns-* | | | any | `timeframe: minutes: 15 filter: - term: dns.result: SERVFAIL` |
3. | WINDOWS DNS | WIN DNS - DNS refuses to perform the update | DNS server refuses to perform the update | prod-win-dns-* | | | any | `timeframe: minutes: 15 filter: - term: dns.result: REFUSED` |
4. | WINDOWS DNS | WIN DNS - DNS Zone Deleted | DNS Zone delete | prod-win-dns-* | | | any | `timeframe: minutes: 15 filter: - term: event.id: 513` |
5. | WINDOWS DNS | WIN DNS - DNS Record Deleted | DNS Record Delete | prod-win-dns-* | | | any | `timeframe: minutes: 15 filter: - term: event.id: 516` |
6. | WINDOWS DNS | WIN DNS - DNS Node Deleted | DNS Node Delete | prod-win-dns-* | | | any | `timeframe: minutes: 15 filter: - term: event.id: 518` |
7. | WINDOWS DNS | WIN DNS - DNS Remove Trust Point | DNS Remove trust point | prod-win-dns-* | | | any | `timeframe: minutes: 15 filter: - term: event.id: 546` |
8. | WINDOWS DNS | WIN DNS - DNS Restart Server | Restart Server | prod-win-dns-* | | | any | `timeframe: minutes: 15 filter: - term: event.id: 548` |
9. | WINDOWS DNS | WIN DNS - DNS Response failure | Response Failure | prod-win-dns-* | | | frequency | `timeframe: minutes: 5 num_events: 20 filter: - term: event.id: 258` |
10. | WINDOWS DNS | WIN DNS - DNS Ignored Query | Ignored Query | prod-win-dns-* | | | frequency | `timeframe: minutes: 5 num_events: 20 filter: - term: event.id: 259` |
11. | WINDOWS DNS | WIN DNS - DNS Recursive query timeout | Recursive query timeout | prod-win-dns-* | | | frequency | `timeframe: minutes: 5 num_events: 20 filter: - term: event.id: 262` |
Microsoft DHCP SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Windows DHCP | MS DHCP low disk space | The log was temporarily paused due to low disk space. | prod-win-dhcp-* | | | any | `timeframe: minutes: 15 filter: - term: dhcp.event.id: 02` |
2 | Windows DHCP | MS DHCP lease denied | A lease was denied | prod-win-dhcp-* | | | frequency | `timeframe: minutes: 15 num_events: 10 filter: - terms: dhcp.event.id: [ "15", "16" ] include: - dhcp.event.id - src.ip - src.mac - dhcp.event.descr summary_table_fields: - src.ip - src.mac - dhcp.event.descr` |
3 | Windows DHCP | MS DHCP update denied | DNS update failed | prod-win-dhcp-* | | | frequency | `timeframe: minutes: 15 num_events: 50 filter: - term: dhcp.event.id: 31` |
4 | Windows DHCP | MS DHCP Data Corruption | Detecting DHCP Jet Data Corruption | prod-win-dhcp-* | | | any | `timeframe: minutes: 15 filter: - term: dhcp.event.id: 1014` |
5 | Windows DHCP | MS DHCP service shutting down | The DHCP service is shutting down due to the following error | prod-win-dhcp-* | | | any | `timeframe: minutes: 15 filter: - term: dhcp.event.id: 1008` |
6 | Windows DHCP | MS DHCP Service Failed to restore database | The DHCP service failed to restore the database | prod-win-dhcp-* | | | any | `timeframe: minutes: 15 filter: - term: dhcp.event.id: 1018` |
7 | Windows DHCP | MS DHCP Service Failed to restore registry | The DHCP service failed to restore the DHCP registry configuration | prod-win-dhcp-* | | | any | `timeframe: minutes: 15 filter: - term: dhcp.event.id: 1019` |
8 | Windows DHCP | MS DHCP Can not find domain | The DHCP/BINL service on the local machine encountered an error while trying to find the domain of the local machine | prod-win-dhcp-* | | | frequency | `timeframe: minutes: 15 filter: - term: dhcp.event.id: 1049` |
9 | Windows DHCP | MS DHCP Network Failure | The DHCP/BINL service on the local machine encountered a network error | prod-win-dhcp-* | | | frequency | `timeframe: minutes: 15 filter: - term: dhcp.event.id: 1050` |
10 | Windows DHCP | MS DHCP - There are no IP addresses available for lease | There are no IP addresses available for lease in the scope or superscope | prod-win-dhcp-* | | | any | `timeframe: minutes: 15 filter: - term: dhcp.event.id: 1063` |
Linux DHCP Server SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | DHCP Linux | DHCP Linux - Too many requests | Too many DHCP requests | syslog-* | | Linux DHCP Server / Syslog | frequency | `query_key: "src_mac" num_events: 30 timeframe: minutes: 1 filter: - query_string: query: "DHCPREQUEST" use_count_query: true doc_type: doc` |
2 | DHCP Linux | DHCP Linux - IP already assigned | IP is already assigned to another client | syslog-* | | Linux DHCP Server / Syslog | any | `filter: - query_string: query: "DHCPNAK"` |
3 | DHCP Linux | DHCP Linux - Discover flood | DHCP Discover flood | syslog-* | | Linux DHCP Server / Syslog | frequency | `query_key: "src_mac" num_events: 30 timeframe: minutes: 1 filter: - query_string: query: "DHCPDISCOVER" use_count_query: true doc_type: doc` |
Cisco VPN devices SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | Cisco IOS - Cisco VPN Concentrator | CiscoVPN - VPN authentication failed | `Jan 8 09:10:37 vpn.example.com 11504 01/08/2007 09:10:37.780 SEV=3 AUTH/5 RPT=124 192.168.0.1 Authentication rejected: Reason = Unspecified handle = 805, server = auth.example.com, user = testuser, domain = <not specified>` | cisco* | | | any | `filter: - query_string: query: 'cisco.id:("AUTH\/5" OR "AUTH\/9" OR "IKE\/167" OR "PPP\/9" OR "SSH\/33" OR "PSH\/23")'` |
2 | Cisco IOS - Cisco VPN Concentrator | CiscoVPN - VPN authentication successful | as above | cisco* | | | any | `filter: - query_string: query: 'cisco.id:("IKE\/52")'` |
3 | Cisco IOS - Cisco VPN Concentrator | CiscoVPN - VPN Admin authentication successful | as above | cisco* | | | any | `filter: - query_string: query: 'cisco.id:("HTTP\/47" OR "SSH\/16")'` |
4 | Cisco IOS - Cisco VPN Concentrator | CiscoVPN - Multiple VPN authentication failures | as above | cisco* | | | frequency | `query_key: "src.ip" num_events: 10 timeframe: minutes: 240 filter: - query_string: query: 'cisco.id:("AUTH\/5" OR "AUTH\/9" OR "IKE\/167" OR "PPP\/9" OR "SSH\/33" OR "PSH\/23")'` |
5 | Cisco IOS - Cisco ASA | Cisco ASA - VPN authentication failed | as above | cisco* | | | any | `filter: - query_string: query: 'cisco.id:"\%ASA-6-113005"'` |
6 | Cisco IOS - Cisco ASA | Cisco ASA - VPN authentication successful | as above | cisco* | | | any | `filter: - query_string: query: 'cisco.id:"\%ASA-6-113004"'` |
7 | Cisco IOS - Cisco ASA | Cisco ASA - VPN user locked out | as above | cisco* | | | any | `filter: - query_string: query: 'cisco.id:"\%ASA-6-113006"'` |
8 | Cisco IOS - Cisco ASA | Cisco ASA - Multiple VPN authentication failed | as above | cisco* | | | frequency | `query_key: "src.ip" num_events: 10 timeframe: minutes: 240 filter: - query_string: query: 'cisco.id:"\%ASA-6-113005"'` |
Netflow SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | | Netflow - DNS traffic abnormal | | stream-* | | | spike | `threshold_ref: 1000 spike_height: 4 spike_type: up timeframe: hours: 2 filter: - query: query_string: query: "netflow.dst.port:53" query_key: [netflow.src.ip] use_count_query: true doc_type: "doc"` |
2 | | Netflow - ICMP larger than 64b | | stream-* | | | any | `filter: - query: query_string: query: "netflow.protocol: 1 AND netflow.packet_bytes:>64" query_key: "netflow.dst_addr" use_count_query: true doc_type: "doc"` |
3 | | Netflow - Port scan | | stream-* | | | cardinality | `timeframe: minutes: 5 max_cardinality: 100 query_key: [netflow.src.ip, netflow.dst.ip] cardinality_field: "netflow.dst.port" filter: - query: query_string: query: "_exists_:(netflow.dst.ip AND netflow.src.ip) NOT netflow.dst.port: (443 OR 80)" aggregation: minutes: 5 aggregation_key: netflow.src.ip` |
4 | | Netflow - SMB traffic | | stream-* | | | any | `filter: - query: query_string: query: "netflow.dst.port:(137 OR 138 OR 445 OR 139)" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"` |
5 | | Netflow - Too many req to port 161 | | stream-* | | | frequency | `num_events: 60 timeframe: minutes: 1 filter: - query: query_string: query: "netflow.dst.port:161" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"` |
6 | | Netflow - Too many req to port 25 | | stream-* | | | frequency | `num_events: 60 timeframe: minutes: 1 filter: - query: query_string: query: "netflow.dst.port:25" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"` |
7 | | Netflow - Too many req to port 53 | | stream-* | | | frequency | `num_events: 120 timeframe: minutes: 1 filter: - query: query_string: query: "netflow.dst.port:53" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"` |
8 | | Netflow - Multiple connections from source badip | | stream-* | | | frequency | `num_events: 10 timeframe: minutes: 5 filter: - query: query_string: query: "netflow.src.badip:true" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"` |
9 | | Netflow - Multiple connections to destination badip | | stream-* | | | frequency | `num_events: 10 timeframe: minutes: 5 filter: - query: query_string: query: "netflow.dst.badip:true" query_key: "netflow.dst.ip" use_count_query: true doc_type: "doc"` |
MikroTik devices SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | | | All system errors | | | | any | `alert_text_type: alert_text_only alert_text: "System error\n\n When: {}\n Device IP: {}\n From: {}\n\n{}\n" alert_text_args: - timestamp_timezone - host - login.ip - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "topic2:error and topic3:critical"` |
2 | | | All errors connected with logins to the administrative interface of the device, e.g. wrong password or wrong login name | | | | any | `alert_text_type: alert_text_only alert_text: "Login error\n\n When: {}\n Device IP: {}\n From: {}\n by: {}\n to account: {}\n\n{}\n" alert_text_args: - timestamp_timezone - host - login.ip - login.method - user - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "topic2:error and topic3:critical and login.status:login failure"` |
3 | | | All errors connected with wireless, e.g. a device is banned on the access list, or a device had a poor signal on the AP and was disconnected | | | | any | `alert_text_type: alert_text_only alert_text: "Wifi auth issue\n\n When: {}\n Device IP: {}\n Interface: {}\n MAC: {}\n ACL info: {}\n\n{}\n" alert_text_args: - timestamp_timezone - host - interface - wlan.mac - wlan.ACL - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "wlan.status:reject or wlan.action:banned"` |
4 | | | DHCP offering fail | | | | any | `alert_text_type: alert_text_only alert_text: "Dhcp offering fail\n\n When: {}\n Client lease: {}\n for MAC: {}\n to MAC: {}\n\n{}\n" alert_text_args: - timestamp_timezone - dhcp.ip - dhcp.mac - dhcp.mac2 - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "dhcp.status:without success"` |
Microsoft SQL Server SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | | | Logon errors | | | | any | `alert_text_type: alert_text_only alert_text: "Logon error\n\n When: {}\n Error code: {}\n Severity: {}\n\n{}\n" alert_text_args: - timestamp_timezone - mssql.error.code - mssql.error.severity - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "mssql.error.code:* and mssql.error.severity:*"` |
2 | | | Login failed for users | | | | any | `alert_text_type: alert_text_only alert_text: "Login failed\n\n When: {}\n User login: {}\n Reason: {}\n Client: {}\n\n{}\n" alert_text_args: - timestamp_timezone - mssql.login.user - mssql.error.reason - mssql.error.client - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "mssql.login.status:failed and mssql.login.user:*"` |
3 | | | Server is going down | | | | any | `alert_text_type: alert_text_only alert_text: "Server is going down\n\n When: {}\n\n{}\n" alert_text_args: - timestamp_timezone - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "mssql.server.status:shutdown"` |
4 | | | NET stopped | | | | any | `alert_text_type: alert_text_only alert_text: "NET Framework runtime has been stopped.\n\n When: {}\n\n{}\n" alert_text_args: - timestamp_timezone - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "mssql.net.status:stopped"` |
5 | | | Database Mirroring stopped | | | | any | `alert_text_type: alert_text_only alert_text: "Database Mirroring endpoint is in stopped state.\n\n When: {}\n\n{}\n" alert_text_args: - timestamp_timezone - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "mssql.db.status:stopped"` |
PostgreSQL SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | PostgreSQL | PostgreSQL - New user created | | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | any | `filter: - query_string: query: 'message:"LOG: CREATE USER"'` |
2 | PostgreSQL | PostgreSQL - User selected database | | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | any | `filter: - query_string: query: 'message:"LOG: SELECT d.datname FROM pg_catalog.pg_database"'` |
3 | PostgreSQL | PostgreSQL - User password changed | | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | any | `filter: - query_string: query: 'message:"ALTER USER WITH PASSWORD"'` |
4 | PostgreSQL | PostgreSQL - Multiple authentication failures | | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | frequency | `query_key: "src_ip" num_events: 5 timeframe: seconds: 25 filter: - query_string: query: 'message:"FATAL: password authentication failed for user"' use_count_query: true doc_type: doc` |
5 | PostgreSQL | PostgreSQL - Granted all privileges to user | | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | any | `filter: - query_string: query: 'message:"LOG: GRANT ALL PRIVILEGES ON"'` |
6 | PostgreSQL | PostgreSQL - User displayed users table | User displayed users table | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | any | `filter: - query_string: query: 'message:"LOG: SELECT r.rolname FROM pg_catalog.pg_roles"'` |
7 | PostgreSQL | PostgreSQL - New database created | | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | any | `filter: - query_string: query: 'message:"LOG: CREATE DATABASE"'` |
8 | PostgreSQL | PostgreSQL - Database shutdown | | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | any | `filter: - query_string: query: 'message:"LOG: database system was shut down at"'` |
9 | PostgreSQL | PostgreSQL - New role created | | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | any | `filter: - query_string: query: 'message:"LOG: CREATE ROLE"'` |
10 | PostgreSQL | PostgreSQL - User deleted | | postgres-* | Filebeat, Logstash, PostgreSQL | pg_log | any | `filter: - query_string: query: 'message:"LOG: DROP USER"'` |
MySQL SIEM Rules
Nr. | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Rule type | Rule definition |
---|---|---|---|---|---|---|---|---|
1 | MySQL | MySQL - User created | | mysql-* | Filebeat, Logstash, MySQL | mysql-general.log | any | `filter: - query_string: query: 'message:"CREATE USER"'` |
2 | MySQL | MySQL - User selected database | | mysql-* | Filebeat, Logstash, MySQL | mysql-general.log | any | `filter: - query_string: query: 'message:"Query show databases"'` |
3 | MySQL | MySQL - Table dropped | | mysql-* | Filebeat, Logstash, MySQL | mysql-general.log | any | `filter: - query_string: query: 'message:"Query drop table"'` |
4 | MySQL | MySQL - User password changed | | mysql-* | Filebeat, Logstash, MySQL | mysql-general.log | any | `filter: - query_string: query: 'message:"UPDATE mysql.user SET Password=PASSWORD" OR message:"SET PASSWORD FOR" OR message:"ALTER USER"'` |
5 | MySQL | MySQL - Multiple authentication failures | | mysql-* | Filebeat, Logstash, MySQL | mysql-general.log | frequency | `query_key: "src_ip" num_events: 5 timeframe: seconds: 25 filter: - query_string: query: 'message:"Access denied for user"' use_count_query: true doc_type: doc` |
6 | MySQL | MySQL - All privileges to user granted | | mysql-* | Filebeat, Logstash, MySQL | mysql-general.log | any | `filter: - query_string: query: 'message:"GRANT ALL PRIVILEGES ON"'` |
7 | MySQL | MySQL - User displayed users table | User displayed users table | mysql-* | Filebeat, Logstash, MySQL | mysql-general.log | any | `filter: - query_string: query: 'message:"Query select * from user"'` |
8 | MySQL | MySQL - New database created | | mysql-* | Filebeat, Logstash, MySQL | mysql-general.log | any | `filter: - query_string: query: 'message:"Query create database"'` |
9 | MySQL | MySQL - New table created | | mysql-* | Filebeat, Logstash, MySQL | mysql-general.log | any | `filter: - query_string: query: 'message:"Query create table"'` |