
Creating Correlation custom rules with the Correlation Rule Builder

EventLog Analyzer comes equipped with a custom correlation rule builder, which allows you to form custom rules easily by combining various network actions, and specifying the threshold limits and filter criteria as per expected attack patterns in your organization. This enables you to create a highly flexible and powerful rule set that suits your specific organizational environment.

To open the correlation rule builder, click the Correlation tab of the product. Click Manage Rules at the top right of the tab, then select +Create Correlation Rule. Creating a custom rule involves the steps described in the following sections.

To know more about what correlation is, how correlation rules are structured, and more, see Understanding correlation.

To create correlation rules, select one or more actions from the following groups:

  • General Events
  • MITRE ATT&CK TTP(S)
  • Custom Actions

Building a new rule

To build a new rule, follow the below steps:

  1. Select the individual actions that make up the rule, from the categorized list of actions on the left of the screen.
    • You can also search for actions using the search bar on top of the list.
    • You can drag and drop the actions to rearrange their order, or delete an action by clicking the delete icon on its right.
    • To detect repetition of the same action within a particular time interval, tick the Threshold limit check box and enter the number of occurrences and time interval.
  2. For each action, specify the time interval within which it is to be followed by the next action, under the 'Followed by within' label. You can specify the time interval in seconds or minutes by using the provided dropdown.
  3. To configure advanced options for any of the selected actions, click Filters on the top right corner of the action.

Advanced options

Each action in a correlation rule corresponds to a log. Logs contain various fields, and each field has a specific value. With advanced options (found under Filters on the right of the action), you can provide filter criteria for each field of the log/action, specify a threshold limit on the minimum number of repetitions of the action, and also bunch the filter criteria into groups, which can be used to create rules for complex scenarios.

  1. You can select a filter field from the dropdown list provided. It is to be noted that the filters provided in the dropdown may vary based on the action selected.
  2. From the dropdown list provided, you can select the comparison type as one among the following: equals, contains, starts with, ends with, less than, greater than, between, is malicious, not equals, not contains, not starts with, not ends with, not between, link to, is constant, or is variable.
    Note: When you provide more than one value for an equals comparison, the set of values is treated as a list of possible values, and the action is accepted if any one value from the list matches. The same holds for the contains, starts with, ends with, less than, greater than, and between comparisons.

    When you provide more than one not equals comparison, every value provided must hold true for the action to be accepted. The same holds for the not contains, not starts with, not ends with, and not between comparisons.

    Less than, greater than, between, and not between conditions are applicable only for IP, port number, and privilege fields.

    Port range is between 0 and 65535.

    Privilege range is between 1 and 15.

    Link to

    The link to comparison type is used to check the value of the selected field against the value of a field in another action belonging to the same rule. For instance, if the Device type field of Action 1 is linked to Action 2's Device type value, then Action 1 is triggered only if the values of both linked fields are the same.

    When you choose link to, an icon appears at the end of the filter. Clicking the icon opens a new tab.

    Click the check box corresponding to the field of the second action against which you want to compare the value of the previous action. Click OK to complete linking the two actions.

    Note: Using the link to condition, you cannot link a field to another one having the is variable condition.

    Is constant

    The is constant condition is used to treat the specific field as constant. When you select this condition, the action is triggered only when the field's value remains the same in all iterations. For instance, if the is constant condition is applied to the 'Target User' field in an action, the action is triggered when the value of this field is the same in all iterations. The action is not triggered if events are generated with different values for that field.

    Is variable

    The is variable condition is used to treat a field as a variable. When you select this condition, the action is triggered only when the field's value changes each time it is checked. For instance, if the is variable condition is applied to the 'Target User' field in an action, the action is triggered when the value of the field is different in each iteration.

    Note: A field having the is variable condition cannot be linked to another one using the link to condition.

    Is malicious

    The 'is malicious' condition is available only for IP address fields. It can be used to check if the detected IP address is present in the predefined list of malicious IP addresses that the product has stored in the internal database.

  3. Values to be compared against the selected field are entered directly in the corresponding textbox.
  4. To add another filter to the same log/action, click the add icon on the right side of the value textbox. The new filter is added on the next line.
    • You can choose whether the new filter is logically ANDed or ORed with the previous one by selecting AND or OR from the dropdown list on the left side of the second filter.
    • You can delete a filter by clicking the delete icon on its right.
  5. Filters can be collected together by creating groups, which helps in creating correlation rules for complex scenarios. To create a new group, click +Add group at the bottom right corner of a log/action.
    • Select the criteria for the filter in the new group. You can also add more filters to the new group.
    • You can delete a group by clicking the Remove group icon at the top right of the group.
  6. You can choose whether two groups are logically ANDed or ORed by selecting AND or OR from the dropdown list between the two groups.

Using vulnerability and misconfiguration comparators

These comparators are available only after successful integration with Endpoint Central and can be used with device fields.

  • Is Vulnerable: Check if a device is tagged as vulnerable in Endpoint Central.
  • Vulnerable To: Identify devices vulnerable to specific attacks (e.g., CVE-2023-38831).
  • Misconfigured For: Detect devices with misconfigurations identified by Endpoint Central (e.g., Windows Credential Guard disabled).

Note: To use the vulnerability and misconfiguration comparators, first configure data enrichment for ManageEngine Endpoint Central.

Threshold limit filter

A threshold limit filter for an action allows you to specify the minimum number of times the action has to occur (within the time window specified for the action to follow from the previous action), for the rule to be triggered. To set a threshold limit, click on the Filters link on the right of the action, and select the Threshold Limit checkbox. In the text box provided, specify the minimum number of occurrences.

Note: If the action is the first action in the rule, then you should also provide a time window within which the repetitions have to be observed (as it is the first action and there is no preceding action or time window).

Specifying rule configurations

Along with the rule definition, you can also provide some descriptive information to finish configuring the rule:

  • Rule name: A unique name for the rule.
  • Rule description: A short explanation describing the attack pattern that the rule checks for.

Click Save to save these rule configurations.

Once you have built the rule pattern and specified the configurations, click Create so that the rule gets saved and EventLog Analyzer can start correlating logs to check for this rule pattern.

You can choose whether a rule's report is shown by selecting or clearing its check box. The report is then displayed on, or hidden from, the Correlation Custom Rules screen.

Create Custom Action

  • To create a custom action, click Manage Custom Actions.
  • The Manage Custom Actions popup opens. In its top right corner, click the Create New Action button.
  • The Create Custom Action popup opens.
  • Enter a name for the action and, if required, a description.
  • Use the dropdowns provided to set the criteria for the action.
  • Click Create.

MITRE Correlation Actions

You can now create correlation rules using the available correlation actions for MITRE ATT&CK TTP(s).



Best practices to be followed while creating correlation rules

Correlation reports are crucial for enhancing an organization's security posture, since they provide insight into potential security issues. They also help you identify patterns of malicious activity and facilitate timely response actions. Here are some best practices for creating correlation rules.

  • Make sure that you only enable the rules that the organization requires.
  • Depending on the logs obtained, each rule may operate differently in each organization. So, make sure to enable the rules in batches, and then watch the behavior of that particular set of rules in that batch and identify the rules that are actually required. Depending on the requirement, the rules can be fine-tuned to reduce false positives.
  • Multi-event correlation rules are typically set up by adding various conditions (action, threshold, advanced operators) to them. The number of logs that match each correlation condition determines the amount of resources required: the larger the matched data set, the more memory is used. Ensure that the criteria you specify are constrained enough to reduce the dataset used for analysis; this limits memory usage.
  • Monitor the memory used by each correlation rule. By determining the memory utilization of each rule, the rules can be fine-tuned for improved efficiency. Correlation memory usage can be monitored by navigating to Settings -> System Diagnostics -> System Info -> View report in correlation information.

Correlation use cases

1. Spearphishing:

An attacker targets an individual by delivering, via email, a malicious Excel file that pretends to be a legitimate file. When the victim opens the file, it runs a macro and launches a malicious process capable of destructive activity.

  • Event sequence: Excel document spawning a process and large number of file deletions by the same process.
  • Threshold: 100 file deletions within 30 minutes.
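To show how the builder's pieces (per-field filters with several accepted values, a link to comparison, a threshold limit and a 'followed by within' window) combine into the spearphishing rule above, here is an added illustrative evaluator written for this page; it is not EventLog Analyzer code, and its event field names (`event`, `parent`, `process`, `time`) and the sample log are constructed assumptions. The first action is taken with threshold 1, since a threshold on the first action would need its own time window, as noted under Threshold limit filter.

```python
from dataclasses import dataclass, field

@dataclass
class Action:
    equals: dict = field(default_factory=dict)   # field -> accepted values; any one may match
    link_to: dict = field(default_factory=dict)  # this field -> same-valued field of previous action
    threshold: int = 1                            # minimum occurrences (threshold limit)
    window: int = 0                               # 'followed by within', in seconds

def matches(act, ev, prev):
    """Filter semantics from the rule builder, applied to one event."""
    if any(ev.get(f) not in vals for f, vals in act.equals.items()):
        return False
    # link to: the field must equal the chosen field of the earlier action's event
    return all(prev is not None and ev.get(f) == prev.get(pf) for f, pf in act.link_to.items())

def correlate(rule, events):
    """Return the events matched per action for the first trigger of the rule, else None."""
    events = sorted(events, key=lambda e: e["time"])
    for i, start in enumerate(events):
        if not matches(rule[0], start, None):
            continue
        prev, t_prev, matched = start, start["time"], [[start]]
        for act in rule[1:]:
            hits = [e for e in events[i + 1:]
                    if t_prev <= e["time"] <= t_prev + act.window and matches(act, e, prev)]
            if len(hits) < act.threshold:
                break                      # chain broken; try the next candidate start event
            matched.append(hits)
            prev, t_prev = hits[-1], hits[-1]["time"]
        else:                              # every action in the rule was satisfied
            return matched
    return None

# Use case 1 from this page: Excel spawns a process, which then deletes 100+ files within 30 minutes.
SPEARPHISH = [
    Action(equals={"event": ["process_started"], "parent": ["EXCEL.EXE"]}),
    Action(equals={"event": ["file_deleted"]}, link_to={"process": "process"},
           threshold=100, window=30 * 60),
]

def sample_events(deletions=120):
    """Constructed sample log (not real data); times are seconds from an arbitrary origin."""
    evs = [{"time": 0, "event": "process_started", "parent": "EXCEL.EXE", "process": "updater.exe"},
           {"time": 3, "event": "process_started", "parent": "explorer.exe", "process": "notepad.exe"}]
    evs += [{"time": 10 + 5 * k, "event": "file_deleted", "process": "updater.exe"} for k in range(deletions)]
    evs += [{"time": 20 + 7 * k, "event": "file_deleted", "process": "notepad.exe"} for k in range(5)]
    return evs
```

Running `correlate(SPEARPHISH, sample_events())` returns the spawning event plus the 120 linked deletions, while the unrelated notepad.exe deletions are excluded by the link to check; with only 50 deletions the threshold is not met and the rule does not trigger.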

2. Port scanning attack:

Attackers perform port scanning attacks to identify the weak points in a network.

  • Event Sequence: A large number of traffic events to multiple ports from the same IP are identified within a short span of time.
  • Threshold: 1000 different ports within 5 mins.

3. Password spraying attack:

An attacker attempts to access multiple accounts using a few commonly used passwords rather than trying different passwords against a single account.

  • Event Sequence: A large number of failed login events across multiple devices, attempted from the same device within a short span of time.
  • Threshold: 100 events from the same IP.

4. Impossible travel:

A security alert is triggered when a user's account is accessed from two geographically distant locations within a timeframe that is shorter than the possible time frame between those locations. This condition implies that it's highly unlikely (or impossible) for the same user to have made both access attempts, indicating a potential security breach or account compromise.

  • Event Sequence: Login attempts made to an account in the same device from different countries within a specified time frame, i.e., the username and device name would be the same but the country would be different.
  • Threshold: 10 events within 10 mins.

5. Data exfiltration to malicious IP address:

A malicious program exfiltrates data to a malicious IP address that has been identified by threat analytics.

  • Event sequence: More than 100 network connections identified as malicious within 5 mins.
  • Threshold: 100 times within 5 mins.

Copyright © 2020, ZOHO Corp. All Rights Reserved.
