
Many imagine Security Operations Center (SOC) analysts as modern-day ‘Neo’ from ‘The Matrix,’ deciphering cascades of streaming data on glowing screens. However, the reality is quite different. SOC analysts dedicate their days to a meticulous task—sorting through alerts, triaging them, and launching investigations into potential security threats.
These alerts arrive from a myriad of security tools, including email security solutions, endpoint protection systems, firewalls, and, most notably, Security Information and Event Management (SIEM) platforms. In most SOCs, all alerts and logs converge into the SIEM, making it the central nervous system for security monitoring. Here, analysts receive their marching orders, as these alerts are meticulously prioritized and addressed based on urgency and timing to safeguard the organization.
The efficacy of SOC analysts in defending an organization heavily relies on the quality of correlation rules within the SIEM. If there’s no rule to detect a specific threat pattern, the likelihood of receiving an alert decreases. Conversely, poorly written rules can lead to false positives—distracting analysts with non-threats—or, even worse, false negatives, where genuine threats slip through undetected.
This article delves into the intricate world of SIEM detections, shedding light on the essential log sources and pseudocode logic used to create them. As you’ll discover, SIEM detections often require multiple log sources to effectively uncover a wide range of security incidents. Let’s dive in and explore the critical components that empower SOC analysts to keep their organizations secure.
The ten sample SIEM detections below each give the pseudocode logic, the required log sources, and examples of technologies or products where applicable:
Sample SIEM Detection Rules
Multiple Failed Login Attempts
Pseudocode Logic:
```pseudocode
IF (count of failed login events for a specific user or IP address > threshold)
  AND (time frame < specified duration)
  AND (authentication method is a standard username/password)
THEN Trigger alert for multiple failed login attempts
```
Explanation:
- Log Source: Authentication logs (e.g., Windows Active Directory, LDAP)
- Example Technology: Windows Server with Active Directory
- Example Scenario: Detect repeated failed login attempts for a user account within a 5-minute window, using a standard username and password.
Inbound Port Scanning
Pseudocode Logic:
```pseudocode
IF (multiple connection attempts to different ports on a single host from the same IP address)
  AND (time frame < specified duration)
THEN Trigger alert for port scanning
```
Explanation:
- Log Source: Network logs (e.g., Firewall, IDS/IPS)
- Example Technology: Cisco ASA Firewall
- Example Scenario: Identify multiple rapid connection attempts to various ports on a single server within a 1-minute window.
Multiple Machines Malware Infection
Pseudocode Logic:
```pseudocode
IF (multiple machines exhibit similar patterns of unusual file activity)
  AND (time frame < specified duration)
THEN Trigger alert for potential malware infection across multiple machines
```
Explanation:
- Log Sources: Endpoint logs (e.g., EDR solutions like SentinelOne)
- Example Technology: SentinelOne Endpoint Detection and Response (EDR)
- Example Scenario: Detect similar patterns of file encryption across multiple workstations within a 15-minute window.
Data Exfiltration – Large File Transfer Detected
Pseudocode Logic:
```pseudocode
IF (size of data transfer > threshold)
  AND (data transfer to external destination)
THEN Trigger alert for potential data exfiltration
```
Explanation:
- Log Sources: Network traffic logs (e.g., Palo Alto Firewall, Cisco ASA Firewall)
- Example Technology: Palo Alto Next-Generation Firewall
- Example Scenario: Identify outbound traffic with data transfer exceeding 100MB to external IP addresses within a 30-minute window.
Unauthorized Access Attempt – Privilege Escalation Attempt
Pseudocode Logic:
```pseudocode
IF (failed login attempts to privileged accounts)
  AND (time frame < specified duration)
  AND (authentication method is not MFA)
THEN Trigger alert for unauthorized access attempt with privilege escalation
```
Explanation:
- Log Source: Active Directory logs
- Example Technology: Microsoft Active Directory
- Example Scenario: Detect multiple failed login attempts targeting domain admin accounts within a 10-minute window, excluding multi-factor authentication (MFA) attempts.
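The four rules above that count events inside a time window (Multiple Failed Login Attempts, Inbound Port Scanning, Multiple Machines Malware Infection and the Privilege Escalation Attempt) share one mechanism: group events by a key, count events or distinct values over a trailing window, and fire when a threshold is reached. The Python below is an added example written for this article, not code from the article or from any SIEM product. The events, user names, IP addresses, the `.locked` rename pattern and the privileged-account watch-list are all constructed, and the thresholds are illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def window_threshold(events, key, window, threshold, distinct=None, where=None):
    """Generic trailing-window counting rule.

    events    : iterable of dicts with an ISO-8601 'ts' field (sorted here).
    key       : function(event) -> grouping key (user, source IP, ...).
    window    : timedelta the count is evaluated over.
    threshold : fire when the count reaches this value.
    distinct  : optional function(event) -> value; count distinct values
                (e.g. destination ports) instead of raw events.
    where     : optional predicate selecting which events the rule sees.
    One alert per key per excursion above the threshold; the key is re-armed
    only after its count has dropped back below the threshold.
    """
    queues = defaultdict(deque)          # key -> deque of (timestamp, distinct value)
    alerted = set()                      # keys currently suppressed
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if where is not None and not where(e):
            continue
        k = key(e)
        now = datetime.fromisoformat(e["ts"])
        q = queues[k]
        q.append((now, distinct(e) if distinct else None))
        cutoff = now - window
        while q and q[0][0] < cutoff:    # evict events that fell out of the window
            q.popleft()
        count = len({v for _, v in q}) if distinct else len(q)
        if count >= threshold:
            if k not in alerted:
                alerted.add(k)
                alerts.append({"key": k, "ts": e["ts"], "count": count})
        else:
            alerted.discard(k)
    return alerts


def _ev(ts, **fields):
    return {"ts": ts, **fields}


# --- Constructed sample logs (not real data) ---------------------------------
AUTH_EVENTS = (
    # jdoe: six password failures in five minutes
    [_ev(f"2024-05-01T09:0{i}:00", event="logon_failure", user="jdoe", auth="password", mfa=False) for i in range(6)]
    # asmith: a single failure, an ordinary typo
    + [_ev("2024-05-01T09:02:30", event="logon_failure", user="asmith", auth="password", mfa=False)]
    # da-backup (privileged): three failures in three minutes without MFA
    + [_ev(f"2024-05-01T09:1{i}:00", event="logon_failure", user="da-backup", auth="password", mfa=False) for i in range(3)]
)
NET_EVENTS = (
    # one external source touches 16 different ports on one host within 16 seconds
    [_ev(f"2024-05-01T10:00:{i:02d}", src_ip="203.0.113.7", dst_ip="10.1.1.10", dst_port=20 + i) for i in range(16)]
    # a busy internal client hits port 443 fifteen times: many events, one port
    + [_ev(f"2024-05-01T10:00:{i:02d}", src_ip="10.1.1.20", dst_ip="10.1.1.10", dst_port=443) for i in range(15)]
)
EDR_EVENTS = [
    _ev("2024-05-01T11:00:00", event="file_rename", host="ws01", new_ext=".locked"),
    _ev("2024-05-01T11:02:00", event="file_rename", host="ws04", new_ext=".bak"),
    _ev("2024-05-01T11:04:00", event="file_rename", host="ws02", new_ext=".locked"),
    _ev("2024-05-01T11:09:00", event="file_rename", host="ws03", new_ext=".locked"),
]
PRIVILEGED_ACCOUNTS = {"da-backup", "administrator"}   # constructed watch-list

RULES = {
    "multiple_failed_logins": dict(
        events=AUTH_EVENTS, key=lambda e: e["user"], window=timedelta(minutes=5), threshold=5,
        where=lambda e: e["event"] == "logon_failure" and e["auth"] == "password"),
    "inbound_port_scan": dict(
        events=NET_EVENTS, key=lambda e: e["src_ip"], window=timedelta(minutes=1), threshold=10,
        distinct=lambda e: e["dst_port"]),
    "multi_host_malware": dict(
        events=EDR_EVENTS, key=lambda e: e["new_ext"], window=timedelta(minutes=15), threshold=3,
        distinct=lambda e: e["host"], where=lambda e: e["event"] == "file_rename"),
    "privileged_account_brute_force": dict(
        events=AUTH_EVENTS, key=lambda e: e["user"], window=timedelta(minutes=10), threshold=3,
        where=lambda e: e["event"] == "logon_failure" and e["user"] in PRIVILEGED_ACCOUNTS and not e["mfa"]),
}


def run_all():
    """Evaluate every rule and return {rule name: [alerts]}."""
    return {name: window_threshold(**spec) for name, spec in RULES.items()}


if __name__ == "__main__":
    for name, hits in run_all().items():
        for alert in hits:
            print(f"{name}: key={alert['key']} count={alert['count']} at {alert['ts']}")
```

The `distinct` parameter is what separates a port scan from a busy client: fifteen hits on port 443 count as one destination port, while sixteen hits on sixteen ports cross the threshold. The same helper turns the malware rule into "distinct hosts showing the same rename pattern", and the privilege-escalation rule is just the failed-login rule with a stricter filter and a lower threshold.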
DDoS Detection
Pseudocode Logic:
```pseudocode
IF (abnormal spike in incoming traffic)
  AND (multiple IP sources)
THEN Trigger alert for potential DDoS attack
```
Explanation:
- Log Sources: Network traffic logs (e.g., Arbor Networks DDoS Detection)
- Example Technology: Arbor Networks DDoS Detection System
- Example Scenario: Monitor for a sudden 10x increase in incoming traffic from multiple IP sources within a 1-minute window.
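The two volume-based rules, Data Exfiltration and DDoS Detection, aggregate bytes rather than count events: the first sums outbound bytes per internal source to external destinations over a trailing 30-minute window, the second compares one minute of inbound traffic against the mean of the preceding minutes and requires many distinct sources. The Python below is an added example for this article, not code from the article or from any firewall or DDoS product; the flow records, the internal address ranges and the 10x / 20-source parameters are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean

# Constructed: the organisation's own address space. Anything else is "external".
# (Do not rely on ipaddress.is_global here: documentation ranges such as 203.0.113.0/24,
# used in the samples below, are classified as private by Python.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def large_external_transfers(flows, window=timedelta(minutes=30), threshold_bytes=100_000_000):
    """Sum bytes per internal source to external destinations over a trailing window."""
    queues = defaultdict(deque)          # src_ip -> deque of (datetime, bytes)
    alerted, alerts = set(), []
    for f in sorted(flows, key=lambda fl: fl["ts"]):
        if is_external(f["src_ip"]) or not is_external(f["dst_ip"]):
            continue                     # only internal -> external flows count
        now = datetime.fromisoformat(f["ts"])
        q = queues[f["src_ip"]]
        q.append((now, f["bytes"]))
        while q and q[0][0] < now - window:
            q.popleft()
        total = sum(b for _, b in q)
        if total > threshold_bytes:
            if f["src_ip"] not in alerted:
                alerted.add(f["src_ip"])
                alerts.append({"src_ip": f["src_ip"], "ts": f["ts"], "bytes": total})
        else:
            alerted.discard(f["src_ip"])
    return alerts


def inbound_spike(flows, dst_ip, ratio=10.0, min_sources=20, baseline_minutes=5):
    """Flag a minute whose inbound volume is >= ratio x the mean of the preceding minutes
    and that involves at least min_sources distinct source addresses."""
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        if f["dst_ip"] != dst_ip:
            continue
        minute = f["ts"][:16]            # 'YYYY-MM-DDTHH:MM' bucket of an ISO timestamp
        buckets[minute]["bytes"] += f["bytes"]
        buckets[minute]["sources"].add(f["src_ip"])
    minutes = sorted(buckets)            # minutes with no traffic are absent; fine for this illustration
    alerts = []
    for i in range(baseline_minutes, len(minutes)):
        baseline = mean(buckets[m]["bytes"] for m in minutes[i - baseline_minutes:i])
        cur = buckets[minutes[i]]
        if baseline > 0 and cur["bytes"] >= ratio * baseline and len(cur["sources"]) >= min_sources:
            alerts.append({"minute": minutes[i], "bytes": cur["bytes"],
                           "baseline": baseline, "sources": len(cur["sources"])})
    return alerts


def _flow(ts, src, dst, nbytes):
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "bytes": nbytes}


# --- Constructed flow records (not real data) --------------------------------
OUTBOUND = (
    # routine: a workstation syncs 5 MB to a SaaS host every 10 minutes
    [_flow(f"2024-05-01T12:{i * 10:02d}:00", "10.1.2.30", "198.51.100.10", 5_000_000) for i in range(6)]
    # suspicious: four 30 MB pushes to one external host within 15 minutes
    + [_flow(f"2024-05-01T12:{5 + i * 5:02d}:00", "10.1.2.44", "203.0.113.9", 30_000_000) for i in range(4)]
    # a 500 MB copy to an internal file server must not count
    + [_flow("2024-05-01T12:07:00", "10.1.2.44", "10.1.0.5", 500_000_000)]
)
INBOUND = (
    # five quiet minutes: 5 sources x 200 KB = 1 MB per minute
    [_flow(f"2024-05-01T12:{m:02d}:{s * 10:02d}", f"198.51.100.{s + 1}", "10.1.0.80", 200_000)
     for m in range(5) for s in range(5)]
    # sixth minute: 60 distinct sources, 12 MB in total
    + [_flow(f"2024-05-01T12:05:{s:02d}", f"203.0.113.{s + 1}", "10.1.0.80", 200_000) for s in range(60)]
)

if __name__ == "__main__":
    print(large_external_transfers(OUTBOUND))
    print(inbound_spike(INBOUND, "10.1.0.80"))
```

Two points the pseudocode leaves implicit: the exfiltration rule needs an explicit definition of "external" (the organisation's own ranges, not a library's notion of private addresses), and the DDoS rule needs a baseline to measure the "spike" against plus a distinct-source requirement so that one large legitimate download is not mistaken for an attack.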
SQL Injection Detected
Pseudocode Logic:
```pseudocode
IF (SQL injection patterns detected in HTTP requests)
THEN Trigger alert for potential SQL injection attempt
```
Explanation:
- Log Source: Web server logs (e.g., Apache, Nginx)
- Example Technology: Apache HTTP Server
- Example Scenario: Look for common SQL injection patterns in HTTP GET or POST requests.
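The SQL injection rule is a pattern match over web server logs, and the detail that decides whether it works is normalisation: the request must be URL-decoded (repeatedly, to catch double encoding) before the signatures are applied. The Python below is an added example for this article, not code from the article or from the Apache project; it parses the combined access-log format and runs a small set of signatures over constructed log lines. The signature list is illustrative rather than complete, and the IP addresses and request paths are made up.

```python
import re
from urllib.parse import unquote_plus

# Apache/Nginx "combined" access log line (constructed samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Detection signatures, applied to the fully decoded, lower-cased request path.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"""['"]\s*or\s+['"\w]+\s*=\s*['"\w]+""")),
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b")),
    ("quote_then_comment", re.compile(r"'\s*(--|#|/\*)")),
    ("stacked_query", re.compile(r";\s*(drop|insert|update|delete|exec)\b")),
]


def normalize(path, max_rounds=3):
    """URL-decode until the string stops changing (catches double encoding), then lower-case."""
    cur = path
    for _ in range(max_rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def detect_sqli(lines):
    """Return one alert per request that matches any signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparseable line; in production count these separately
        decoded = normalize(m["path"])
        for name, rx in SQLI_PATTERNS:
            if rx.search(decoded):
                hits.append({"ip": m["ip"], "ts": m["ts"], "rule": name,
                             "path": m["path"], "decoded": decoded})
                break                    # first matching signature is enough
    return hits


# --- Constructed access-log lines (not real traffic) -------------------------
SAMPLE_LINES = [
    '198.51.100.23 - - [01/May/2024:13:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 1843',
    '203.0.113.5 - - [01/May/2024:13:00:07 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '203.0.113.5 - - [01/May/2024:13:00:09 +0000] "GET /products?id=42%2520UNION%2520SELECT%2520username%252Cpassword%2520FROM%2520users HTTP/1.1" 500 512',
    '198.51.100.77 - - [01/May/2024:13:00:12 +0000] "GET /search?q=union+station+select+board HTTP/1.1" 200 3011',
    '203.0.113.5 - - [01/May/2024:13:00:15 +0000] "GET /login?user=admin%27--&pass=x HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for h in detect_sqli(SAMPLE_LINES):
        print(f"{h['ts']} {h['ip']} {h['rule']}: {h['decoded']}")
```

The third sample line is double-encoded and only matches after two decoding rounds; the fourth ("union station select board") is a deliberate near miss, which is why the `union_select` signature requires `select` to follow `union` directly rather than anywhere nearby. Note that the access log carries only the request line, so detecting patterns in POST bodies, which the scenario also mentions, needs a WAF or application log that records the body.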
Anomalous Outbound Traffic – C2 Detection
Pseudocode Logic:
```pseudocode
IF (outbound traffic to known Command and Control servers)
THEN Trigger alert for potential Command and Control (C2) traffic
```
Explanation:
- Log Sources: Firewall logs, DNS logs
- Example Technology: Cisco ASA Firewall, DNS server
- Example Scenario: Detect outbound traffic to IP addresses associated with known C2 servers.
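The C2 rule is an indicator match, but the two log sources it names behave differently: firewall logs give destination IPs, which should be matched against both single addresses and CIDR blocks, while DNS logs give queried names, which should match an indicator domain or any of its subdomains after normalising case and the trailing dot. The Python below is an added example for this article, not code from the article, Cisco or any DNS server; the indicator list uses documentation-range placeholders standing in for a real threat-intelligence feed, and the log lines use a simple constructed key=value layout rather than a real product format.

```python
import ipaddress

# Constructed indicators (placeholders, not real threat intelligence).
C2_IP_INDICATORS = ["203.0.113.50", "198.51.100.0/28"]
C2_DOMAIN_INDICATORS = ["bad-updates.example", "cdn-sync.example.net"]


class IndicatorSet:
    def __init__(self, ips, domains):
        self.nets = [ipaddress.ip_network(i, strict=False) for i in ips]
        self.domains = {d.lower().rstrip(".") for d in domains}

    def match_ip(self, ip):
        """Return the matching indicator (as a network string) or None."""
        addr = ipaddress.ip_address(ip)
        for net in self.nets:
            if addr in net:
                return str(net)
        return None

    def match_domain(self, name):
        """Match the name or any parent label, so sub1.bad-updates.example hits bad-updates.example."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):          # never walk up to the bare TLD
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def _kv(line):
    """Parse 'ts k=v k=v ...' (the constructed log layout used below)."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = ts
    return fields


def match_c2(firewall_lines, dns_lines, indicators):
    alerts = []
    for f in map(_kv, firewall_lines):
        hit = indicators.match_ip(f["dst"])
        if hit:
            alerts.append({"source": "firewall", "host": f["src"], "observed": f["dst"],
                           "indicator": hit, "ts": f["ts"]})
    for d in map(_kv, dns_lines):
        hit = indicators.match_domain(d["query"])
        if hit:
            alerts.append({"source": "dns", "host": d["client"], "observed": d["query"],
                           "indicator": hit, "ts": d["ts"]})
    return alerts


def corroborated_hosts(alerts):
    """Hosts that appear in both the DNS and the firewall hits deserve the highest priority."""
    by_source = {}
    for a in alerts:
        by_source.setdefault(a["source"], set()).add(a["host"])
    return by_source.get("dns", set()) & by_source.get("firewall", set())


# --- Constructed log lines (not real traffic) --------------------------------
FIREWALL_LINES = [
    "2024-05-01T14:00:01 action=allow src=10.1.2.44 dst=203.0.113.50 dport=443 proto=tcp",
    "2024-05-01T14:00:02 action=allow src=10.1.2.30 dst=198.51.100.200 dport=443 proto=tcp",
    "2024-05-01T14:00:04 action=deny src=10.1.2.51 dst=198.51.100.7 dport=8080 proto=tcp",
]
DNS_LINES = [
    "2024-05-01T14:00:00 client=10.1.2.44 query=sub1.bad-updates.example. type=A",
    "2024-05-01T14:00:05 client=10.1.2.30 query=www.example.com. type=A",
    "2024-05-01T14:00:06 client=10.1.2.60 query=CDN-SYNC.EXAMPLE.NET type=TXT",
]

if __name__ == "__main__":
    hits = match_c2(FIREWALL_LINES, DNS_LINES, IndicatorSet(C2_IP_INDICATORS, C2_DOMAIN_INDICATORS))
    for h in hits:
        print(h)
    print("corroborated:", corroborated_hosts(hits))
```

The denied connection on the third firewall line still produces an alert: a block stops the session but the host that attempted it is exactly what the rule should surface. Combining the two streams, as `corroborated_hosts` does, is a cheap way to rank a host that both resolved and then connected to an indicator above one that only resolved it.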
Impossible Geographical Travel
Pseudocode Logic:
```pseudocode
IF (user logs in from multiple geographically distant locations within a short time frame)
THEN Trigger alert for impossible geographical travel
```
Explanation:
- Log Source: Authentication logs (e.g., VPN server)
- Example Technology: Cisco AnyConnect VPN
- Example Scenario: Identify a user logging in from New York and then, within 10 minutes, from Tokyo.
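The impossible-travel rule is a speed calculation: for each user, take consecutive logins, resolve both source IPs to coordinates, compute the great-circle distance and divide by the elapsed time. The Python below is an added example for this article, not code from the article or from Cisco; the IP-to-coordinate table is a constructed stand-in for a GeoIP database, the login events are made up, and the 1000 km/h ceiling and 100 km minimum distance are illustrative thresholds.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed stand-in for a GeoIP database: source IP -> (label, latitude, longitude)
GEO = {
    "198.51.100.10": ("New York", 40.7128, -74.0060),
    "198.51.100.11": ("Newark", 40.7357, -74.1724),
    "203.0.113.77": ("Tokyo", 35.6762, 139.6503),
}

# Constructed VPN authentication events
LOGINS = [
    {"ts": "2024-05-01T08:00:00", "user": "jdoe", "src_ip": "198.51.100.10"},
    {"ts": "2024-05-01T08:10:00", "user": "jdoe", "src_ip": "203.0.113.77"},
    {"ts": "2024-05-01T08:00:00", "user": "asmith", "src_ip": "198.51.100.10"},
    {"ts": "2024-05-01T08:12:00", "user": "asmith", "src_ip": "198.51.100.11"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(logins, geo=GEO, max_speed_kmh=1000.0, min_distance_km=100.0):
    """Compare each user's consecutive logins and alert when the implied speed exceeds
    what an airliner could manage. min_distance_km ignores GeoIP jitter inside one metro area."""
    by_user = defaultdict(list)
    for e in sorted(logins, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            if prev["src_ip"] not in geo or cur["src_ip"] not in geo:
                continue                  # unknown location: cannot judge; track as a coverage gap
            p, c = geo[prev["src_ip"]], geo[cur["src_ip"]]
            distance = haversine_km(p[1], p[2], c[1], c[2])
            if distance < min_distance_km:
                continue
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            speed = distance / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": p[0], "to": c[0], "km": round(distance),
                               "minutes": round(hours * 60), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(LOGINS):
        print(a)
```

The minimum-distance guard matters in practice: GeoIP places the same user in New York and Newark twelve minutes apart, which is a normal commute or a change of provider, not an alert. Logins that arrive through VPN exit nodes or cloud proxies are the usual source of false positives for this rule and need an allow-list of known egress ranges.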
Invalid Certificate Detected
Pseudocode Logic:
```pseudocode
IF (invalid or expired SSL/TLS certificate detected)
THEN Trigger alert for invalid certificate
```
Explanation:
- Log Source: Web server logs (e.g., Apache, Nginx)
- Example Technology: Nginx Web Server
- Example Scenario: Detect when a website presents an expired SSL/TLS certificate during the SSL handshake.
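The certificate rule has one subtlety the pseudocode hides: validity must be judged at the time of the handshake recorded in the log, not at the time the rule runs, and "invalid" covers not-yet-valid certificates (clock skew or premature deployment) as well as expired ones. The Python below is an added example for this article, not code from the article or from the Nginx project; the handshake records are constructed, with the certificate validity window written in the textual `notBefore`/`notAfter` form that the standard library's `ssl.cert_time_to_seconds` parses, and the 14-day warning horizon is illustrative.

```python
import ssl
from datetime import datetime, timezone

# Constructed handshake records (not a real server log format).
HANDSHAKES = [
    {"ts": "2024-05-01T15:00:00Z", "server": "shop.example",
     "not_before": "Jan  1 00:00:00 2024 GMT", "not_after": "Mar 31 23:59:59 2024 GMT"},
    {"ts": "2024-05-01T15:00:05Z", "server": "portal.example",
     "not_before": "Jun  1 00:00:00 2024 GMT", "not_after": "May 31 23:59:59 2025 GMT"},
    {"ts": "2024-05-01T15:00:09Z", "server": "api.example",
     "not_before": "Jan  1 00:00:00 2024 GMT", "not_after": "May 10 23:59:59 2024 GMT"},
    {"ts": "2024-05-01T15:00:12Z", "server": "www.example",
     "not_before": "Jan  1 00:00:00 2024 GMT", "not_after": "Dec 31 23:59:59 2024 GMT"},
]


def _epoch(iso_utc):
    return datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def classify_validity(record, warn_days=14):
    """Judge the certificate at the moment of the handshake, not at rule-evaluation time."""
    at = _epoch(record["ts"])
    not_before = ssl.cert_time_to_seconds(record["not_before"])
    not_after = ssl.cert_time_to_seconds(record["not_after"])
    if at > not_after:
        return "expired"
    if at < not_before:
        return "not_yet_valid"
    if not_after - at < warn_days * 86400:
        return "expiring_soon"
    return "valid"


def certificate_alerts(records):
    """One alert per handshake whose certificate is not plainly valid, with a severity."""
    severity = {"expired": "high", "not_yet_valid": "high", "expiring_soon": "low"}
    alerts = []
    for r in records:
        state = classify_validity(r)
        if state != "valid":
            alerts.append({"server": r["server"], "ts": r["ts"], "state": state, "severity": severity[state]})
    return alerts


if __name__ == "__main__":
    for a in certificate_alerts(HANDSHAKES):
        print(a)
```

The low-severity "expiring soon" state is worth keeping in the same rule: it turns the detection from a post-mortem into a warning the operations team can act on before clients start failing handshakes.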
In conclusion, we’ve unraveled the intricacies of SIEM detections and their pivotal role in bolstering an organization’s cybersecurity defenses. These detections, often likened to clues in an investigation, are the frontline guardians that safeguard digital fortresses against relentless cyber threats. But their potency goes beyond mere alerts—they serve as the foundation for well-crafted playbooks that guide Security Operations Center (SOC) analysts in their quest to protect their organizations.
Actionable Takeaways for Aspiring Cyber Defenders:
- Create Playbooks for Every Detection: Just as every SIEM detection deserves attention, each one should have a corresponding playbook. Playbooks serve as your roadmap for efficient incident investigation and containment. When creating playbooks, consider real-world scenarios. For example, if your SIEM detects ‘Multiple Failed Login Attempts,’ your playbook could outline steps like account lockout, password reset, and threat investigation.
- Correlate Rules with Playbooks: Dive back into the world of playbooks and consider the correlation rules required to detect incidents outlined in those playbooks. For instance, if your playbook addresses ‘Data Exfiltration,’ think about the correlation rules necessary to spot unusual data transfers or suspicious outbound traffic.
- Every Detection is a Clue: Remember that SIEM detections are your digital detectives. While false positives are a possibility, most detections are indicators of potential security risks demanding your attention. Think of them as your early warning system, alerting you to threats in real-time or evidence of past or ongoing attacks.
- Cover the Entire Kill Chain: Effective cybersecurity requires comprehensive coverage. Ensure your detections span various stages of the cyber kill chain, from initial reconnaissance to data exfiltration. By doing so, you increase your chances of early threat detection and mitigation.
- Refer to the MITRE ATT&CK Framework: The MITRE ATT&CK framework is a valuable resource that categorizes adversary tactics and techniques. Align your detections with this framework to ensure your defenses are robust against a wide range of attack methods.
In your journey as a cybersecurity professional, remember that SIEM detections and well-structured playbooks are your allies in the ongoing battle against cyber threats. Stay vigilant, adapt, and continue honing your skills to become a formidable defender of the digital realm.