The way I think of solving a problem like this is "Can I see X in events?" where X is some set of conditions that show the activity I want. Once that evaluation is true, you tell the Outcome variables what you want. Now the thing is, you're not looking for one thing to be true, but one of three things to be true. Can you evaluate this in a single rule? Let's assume so, but can you do so *cleanly* by which I mean that internal traffic never looks like inbound traffic, which never looks like outbound traffic?
If you can, Outcome variables are still really easy to set. Either you statically set the condition, or you look at the state of some other UDM field and set the Outcome variable to that.
It's really hard to say anything further when your network logs are all abstract. I did something similar to what you wanted, in concept, using DLP logs from Chrome:
    rule Chrome_Browser_DLP_Warn_Alert {
      meta:
        author = "GK"
        description = "Reports sensitive data event where a user allowed the event"
        severity = "High"

      events:
        // Only Chrome Management DLP events where the user bypassed the warning
        $security.metadata.product_name = "Chrome Management"
        $security.metadata.product_event_type = "sensitiveDataEvent"
        $security.security_result.action_details = "EVENT_RESULT_BYPASSED"
        $security.security_result.rule_name != ""
        // Bind the fields reused in match: and outcome: to placeholders
        $security.principal.user.email_addresses = $userid
        $security.security_result.about.labels.value = $direction
        $security.target.url = $url
        $security.target.file.full_path = $local_file

      match:
        // Group all matching events per user within a 5 minute window
        $userid over 5m

      outcome:
        $target_url = array_distinct($url)
        $Local_file = array_distinct($local_file)
        $Action = array_distinct($direction)
        // Each event scores exactly one branch; max() keeps the highest score in the window
        $risk_score = max(
          if ($security.security_result.about.labels.value = "", 10) +
          if ($security.security_result.about.labels.value = "Trigged by: FILE DOWNLOAD", 25) +
          if ($security.security_result.about.labels.value = "Trigged by: FILE UPLOAD", 50)
        )

      condition:
        $security
    }
I think of your question of the Internal/Inbound/Outbound to be akin to what I'm assigning to the $direction variable. I do two things with it - I look for a file upload or download and assign higher risk scores (anything else goes to a default of 10). Then I outright list the value in the outcome variable $Action. That produces results like this in my detections:
This is an easier rule to implement than what you're describing because it's using one source and that one source has already identified the thing I'm looking for (movement of sensitive data). You're talking about network data, which probably comes from different logs, and the concept of principal and target changes in relation to the device generating the question (a principal IP can be a remote user if you're looking at WAF logs, but an internal user when you're looking at firewall logs). Context becomes key.
Hope this helps.
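The mutually exclusive direction test and the "one score per event, max over the match window" pattern from the reply above, worked through in plain Python as an added example (not code from the poster or from Chronicle); the sample events, the RFC 1918 definition of "internal", and the score table are all constructed assumptions:

```python
import ipaddress
from collections import defaultdict

# Constructed sample events in a UDM-like shape (not real log data).
EVENTS = [
    {"user": "alice@example.com", "principal_ip": "10.1.2.3", "target_ip": "10.9.8.7"},
    {"user": "alice@example.com", "principal_ip": "10.1.2.3", "target_ip": "203.0.113.5"},
    {"user": "bob@example.com", "principal_ip": "198.51.100.9", "target_ip": "10.0.0.25"},
    {"user": "bob@example.com", "principal_ip": "198.51.100.9", "target_ip": "192.0.2.1"},
]

# Assumed "internal" address space (RFC 1918); replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(event: dict) -> str:
    """Exactly one label per event: the four (src, dst) combinations are disjoint,
    so internal traffic can never also look like inbound or outbound traffic."""
    src, dst = is_internal(event["principal_ip"]), is_internal(event["target_ip"])
    if src and dst:
        return "INTERNAL"
    if src and not dst:
        return "OUTBOUND"
    if not src and dst:
        return "INBOUND"
    return "EXTERNAL"

# Assumed per-direction scores, playing the role of the if(...)+if(...)+if(...) sum:
# because the labels are disjoint, each event contributes exactly one branch.
DIRECTION_SCORE = {"INTERNAL": 10, "OUTBOUND": 50, "INBOUND": 25, "EXTERNAL": 10}

def evaluate(events: list) -> dict:
    """Group by user (the match variable) and emit outcome variables per group."""
    groups = defaultdict(list)
    for e in events:
        groups[e["user"]].append(e)
    outcomes = {}
    for user, evs in groups.items():
        dirs = [direction(e) for e in evs]
        outcomes[user] = {
            "directions": sorted(set(dirs)),                      # like array_distinct($direction)
            "risk_score": max(DIRECTION_SCORE[d] for d in dirs),  # like max(...) over the window
        }
    return outcomes
```

Running `evaluate(EVENTS)` gives alice a risk score of 50 (her outbound event wins) and bob 25 (inbound beats external), with each user's distinct directions listed alongside.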