There are 20 critical assets. If there are any alerts for these hosts, they have to be responded to with priority compared to others. How can we implement this?
In simple terms, how can I have dynamic priority for Chronicle alerts based on the criticality of the host? Can someone help me with a simple example?
@jstoner @cmmartin_google: Any suggestions or guidance?
This is something that is more easily created within a playbook. If you only have the SIEM capabilities, you could look into doing this by having a look at the UDM field you're trying to match these hosts against (for example principal.hostname), storing a reference list with these hosts, and, if any underlying events within the alert match, incrementing the risk score to xxx. The below should work:
rule Risk_Score_Increment {
  meta:
    author = "Ayman C"
    description = "Risk score increment"
    severity = "Low"

  events:
    // Only look at login events and bind the originating host as the match variable
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.hostname = $host

  match:
    $host over 1h

  outcome:
    // An aggregation (max) is required because the rule has a match section.
    // Hosts found in the %admin_list reference list score 100, all other hosts 0.
    $risk_score = max(
      if($host in %admin_list, 100, 0)
    )

  condition:
    $e
}
In the standalone SIEM there is the ability for an analyst to set a priority manually. The idea of using a list for the subset of assets is one method, and incrementing your risk score accordingly is a nice way to incorporate risk into the detection.
As @AymanC said, the playbook method is also very valid; your playbook could have an action to look at the info coming from the alert and set the priority there, and that works nicely as well.
You could also incorporate some level of criticality into the asset within the entity graph, so that information is already in the graph and you don't have to create a list. That does require a little more of a lift, but it is something else to consider. Even better, getting that field into some place where it is enriched into the UDM event also won't require the rule to join to the entity graph, keeping the rule a bit more lightweight.
@AymanC, just one doubt: since I will not be sure which field the critical resource will be captured in, can I mention it as
$e.principal.hostname = $host
$e.target.hostname = $host
and then use the same outcome section?
Also, does the risk score modify the priority of the alert?
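As an added example that is not code from any of the posters above, the following YARA-L rule takes the reference-list approach from the earlier replies and scores both sides of a login, so it does not matter whether the critical host is captured in principal.hostname or target.hostname (the concern raised in the follow-up question). The rule name, the reference list name %critical_hosts and the score weights are assumptions for illustration:

```yaral
rule critical_host_login_risk {
  meta:
    author = "added example, not from the thread"
    description = "Raise the risk score of logins that involve a host on the critical-host reference list"
    severity = "Low"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    // Bind the originating host as the match variable, as in the rule earlier in the thread
    $e.principal.hostname = $host

  match:
    $host over 1h

  outcome:
    // %critical_hosts is an assumed string reference list holding the critical hostnames.
    // Score both UDM fields so the critical host is caught wherever it lands:
    //   principal on the list -> 70, otherwise a baseline of 10
    //   target on the list    -> +30
    // The maximum is 100 by construction, which keeps $risk_score in range.
    $risk_score = max(
      if($e.principal.hostname in %critical_hosts, 70, 10) +
      if($e.target.hostname in %critical_hosts, 30, 0)
    )
    // Context for the analyst: which target hosts and how many logins were seen in the window
    $target_hosts = array_distinct($e.target.hostname)
    $login_count = count($e.metadata.id)

  condition:
    $e
}
```

Two caveats worth keeping in mind with this shape. Because $host is a match variable bound to principal.hostname, login events whose principal.hostname is empty are excluded from the rule entirely, so a critical host that only ever appears as the target of a login from a host with no name will not be scored; if that is a realistic gap, bind the match variable to a field that is always populated instead. And $risk_score is the reserved outcome variable Chronicle reads for the detection's risk score; whether your downstream triage treats that score as the alert priority is the open question in this thread and should be checked in your own environment rather than assumed.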