Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Is your feature request related to a problem?
I can't come up with a nice and easy way to build aggregated alerts within the security-analytics plugin. I am talking about alerts like "Multiple failed logins for user XY" or alike.
I know there are Correlation Rules but they do not refer to detection rules as base, but rather use own queries to correlate findings between sources.
Why is that? I would like to say: "If detection rule X has followed on detection rule Y in a timespan of 10min and field username is same, create a more severe alert".
Sigma has the possibility of writing Correlations, directly in yaml, which would be super nice to have in the security-analytics plugin. They call this "Meta Rules". This would be super handy for the security-analytics plugin.
What solution would you like?
I would like to be able to use Correlations as defined by Sigma within the syntax/yaml structure of a detection rule. This would allow me to have rules and aggregations in the same place (see additional context for more information).
What alternatives have you considered?
An obvious alternative would be to use the good old Alerting plugin directly to achieve this kind of aggregated/correlated alert. But this would require using another syntax (json) in another place (alerting) to achieve functionality that I would expect in the SIEM itself, i.e. the security-analytics plugin.
Do you have any additional context?
A detection rule with correlation according to Sigma could look like the following, where a failed logon from Google Workspace is taken as example. Both yaml declarations for the detection rule and the correlation rule are located in the same file, separated by `---`:

```yaml
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
logsource:
  product: gworkspace
title: Google Workspace Login failed
description: >-
  A user attempted to log in to a Google workspace account without success.
  Check the event parameters login_failure_type and login_challenge_method for
  more information.
tags: []
falsepositives:
  - A user has entered a wrong password.
level: high
status: test
references:
  - >-
    https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#login_failure
author: pr3l14t0r
detection:
  condition: Selection_1
  Selection_1:
    event.name|contains:
      - login_failure
---
title: Multiple failed logons for a single user (possible brute force attack)
status: test
correlation:
  type: event_count
  rules:
    - 25b9c01c-350d-4b95-bed1-836d04a4f324
  group-by:
    - event.name
  timespan: 15m
  condition:
    gte: 3
tags:
  - brute_force
  - attack.t1110
```
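To make concrete what an `event_count` correlation of this shape has to do at evaluation time, here is an added example (not code from the issue author or from the security-analytics project) that takes a spec with the same keys as the second YAML document above (`type`, `rules`, `group-by`, `timespan`, `condition`) and runs it as a sliding window over findings already produced by the base detection rule. The spec, the findings and the field name `user.name` are constructed for the example; the group-by field is set to `user.name` rather than the `event.name` used above, on the assumption that counting per account is what the rule title "for a single user" intends. The evaluator is generic over the condition operators Sigma allows (`gte`, `gt`, `lte`, `lt`, `eq`, `neq`), and it also shows the edge case the window must handle: three failures spread over more than the timespan do not fire.

```python
"""Sliding-window evaluator for a Sigma-style event_count correlation.

Added example; the correlation spec and findings below are constructed and
do not come from the issue or the security-analytics plugin.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import operator
import re

RULE = "25b9c01c-350d-4b95-bed1-836d04a4f324"  # rule id from the issue's YAML

# Constructed spec with the same keys as the issue's correlation document.
# Assumption: group by the user field so the count is kept per account.
CORRELATION = {
    "title": "Multiple failed logons for a single user (possible brute force attack)",
    "type": "event_count",
    "rules": [RULE],
    "group-by": ["user.name"],
    "timespan": "15m",
    "condition": {"gte": 3},
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_OPS = {"gte": operator.ge, "gt": operator.gt, "lte": operator.le,
        "lt": operator.lt, "eq": operator.eq, "neq": operator.ne}


def parse_timespan(text):
    """Turn a Sigma-style timespan such as '15m' or '2h' into a timedelta."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported timespan: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def condition_met(condition, count):
    """Evaluate a condition block such as {'gte': 3} against a window count."""
    return all(_OPS[op](count, value) for op, value in condition.items())


def correlate(spec, findings):
    """Run an event_count correlation over findings of the referenced rule(s).

    A finding is a dict with 'rule_id', 'ts' (datetime) and the extracted
    field values. One alert is raised per group-by key when its window first
    satisfies the condition; the group can fire again only after the window
    has dropped back below the condition.
    """
    if spec["type"] != "event_count":
        raise NotImplementedError(f"correlation type {spec['type']!r}")
    window = parse_timespan(spec["timespan"])
    wanted_rules = set(spec["rules"])
    group_fields = spec["group-by"]
    windows = defaultdict(deque)   # group key -> timestamps inside the window
    alerting = set()               # groups currently above threshold
    alerts = []
    for f in sorted(findings, key=lambda f: f["ts"]):
        if f["rule_id"] not in wanted_rules:
            continue               # finding from an unrelated rule
        try:
            key = tuple(f[field] for field in group_fields)
        except KeyError:
            continue               # finding lacks a group-by field: cannot be bucketed
        q = windows[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:
            q.popleft()            # evict events older than the timespan
        if condition_met(spec["condition"], len(q)):
            if key not in alerting:
                alerting.add(key)
                alerts.append({"title": spec["title"],
                               "group": dict(zip(group_fields, key)),
                               "count": len(q), "ts": f["ts"]})
        else:
            alerting.discard(key)
    return alerts


# Constructed sample findings, as the base rule above would emit them.
T0 = datetime(2024, 1, 1, 10, 0)


def _finding(minutes, user, rule_id=RULE):
    return {"rule_id": rule_id, "ts": T0 + timedelta(minutes=minutes),
            "event.name": "login_failure", "user.name": user}


SAMPLE_FINDINGS = [
    _finding(0, "alice"), _finding(5, "alice"), _finding(10, "alice"),   # 3 in 10 min
    _finding(0, "bob"), _finding(30, "bob"), _finding(40, "bob"),        # 3 over 40 min
    _finding(2, "carol", rule_id="00000000-0000-0000-0000-000000000000"),  # other rule
    {"rule_id": RULE, "ts": T0, "event.name": "login_failure"},          # no user field
]

if __name__ == "__main__":
    for alert in correlate(CORRELATION, SAMPLE_FINDINGS):
        print(alert)
```

Running the block prints a single alert, for `alice` at 10:10 with a count of 3; `bob`'s three failures never share a 15-minute window, so the first one is evicted before the third arrives and no alert fires. Grouping by `event.name` as in the YAML above would instead collapse every account into one bucket, which is why the example assumes a user field for the group-by.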
Outro
Maybe there's already a solution for my question, yet I did not find something in the documentation of security-analytics. If there's something and I am just too stupid to see or find it, please guide me in the right direction! :)