SIEM Plan

Windows Events

Active Directory

Event ID repository

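None of the IDs in the table below are written unless the matching audit subcategory is enabled on the domain controller, and the Type column is only a recommendation until the policy actually says so. The following PowerShell is an added example, not part of the original page or of the SIEM's own tooling: it sets the subcategories that back the table's Account Logon, Account Management, Directory Service, Logon/Logoff, File Share and System rows, prints the effective policy, and then pulls the table's IDs from the Security log for a sanity check. The success/failure choices per subcategory, the 24-hour window, and the decision to leave the SACL-dependent Object Access subcategories (File System, Registry, SAM) out are the editor's assumptions; subcategory names are the English ones, so a localised OS needs the subcategory GUIDs instead.

```powershell
# Added example, not part of the original page. Enables the audit subcategories
# behind the event IDs in the table, confirms the effective policy, and pulls the
# matching events from the Security log. Run in an elevated PowerShell on a
# domain controller. Subcategory names are the English ones; on a localised OS
# pass the subcategory GUIDs to auditpol instead.

# Subcategory -> success/failure auditing, following the table's Type column
# (editor's assumption). Object Access subcategories (File System, Registry,
# SAM, ...) are deliberately left out: 4656/4663/4670 only fire for objects
# that carry a SACL, so scope those per server instead of enabling them globally.
$subcategories = [ordered]@{
    'Credential Validation'         = @{ Success = $true; Failure = $true  }  # 4776
    'Computer Account Management'   = @{ Success = $true; Failure = $false }  # 4741-4743
    'Distribution Group Management' = @{ Success = $true; Failure = $false }  # 4744-4762 (security-disabled groups)
    'Security Group Management'     = @{ Success = $true; Failure = $false }  # 4727-4758, 4764
    'User Account Management'       = @{ Success = $true; Failure = $true  }  # 4720-4781; 4766 is a failure event
    'Directory Service Changes'     = @{ Success = $true; Failure = $false }  # 5136-5141
    'Logon'                         = @{ Success = $true; Failure = $true  }  # 4624, 4625
    'File Share'                    = @{ Success = $true; Failure = $false }  # 5140, 5142
    'Detailed File Share'           = @{ Success = $true; Failure = $true  }  # 5145 (noisy on file servers)
    'Security State Change'         = @{ Success = $true; Failure = $false }  # 4608, 4616
}

foreach ($name in $subcategories.Keys) {
    $s = if ($subcategories[$name].Success) { 'enable' } else { 'disable' }
    $f = if ($subcategories[$name].Failure) { 'enable' } else { 'disable' }
    # Local auditpol settings are overwritten by the Advanced Audit Policy GPO at
    # the next refresh, so mirror the same values in the domain controller GPO.
    auditpol /set /subcategory:"$name" /success:$s /failure:$f | Out-Null
}

# The effective policy is what decides whether an ID is ever written.
auditpol /get /category:*

# Exact IDs from the table. The XPath below uses ranges to stay under the event
# log's limit on expressions per query; the exact list is applied client-side.
$ids = 4776, 4741, 4742, 4743, 4744, 4746, 4747, 4748, 4749, 4751, 4752, 4753,
       4759, 4761, 4762, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4754,
       4755, 4756, 4757, 4758, 4764, 4720, 4722, 4723, 4724, 4725, 4726, 4738,
       4740, 4765, 4766, 4781, 5136, 5137, 5138, 5139, 5141, 4624, 4625, 5145,
       5140, 5142, 4663, 4670, 4656, 4608, 4616

# Last 24 hours (86400000 ms); the window is an assumption for the check.
$xpath = @"
*[System[
    ((EventID >= 4720 and EventID <= 4781) or
     (EventID >= 5136 and EventID <= 5145) or
     EventID = 4624 or EventID = 4625 or EventID = 4656 or EventID = 4663 or
     EventID = 4670 or EventID = 4608 or EventID = 4616 or EventID = 4776)
    and TimeCreated[timediff(@SystemTime) <= 86400000]
]]
"@

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object { $ids -contains $_.Id }

# Per-ID counts: confirms each enabled subcategory is producing data before the
# SIEM agent is pointed at the log.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventID'; e = { [int]$_.Name } }, Count |
    Format-Table -AutoSize
```

An ID that never shows up in the counts after a normal day of activity is either backed by a subcategory that is still disabled (check the auditpol output, not the GPO editor) or, for the Object Access rows, by an object that has no SACL. The same EventID predicate, written as `Event/System[...]`, is what the Wazuh agent's eventchannel `<query>` expects when the SIEM should receive only the IDs from this table rather than the whole Security log.
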
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Category       | Subcategory    | Type           | Event Log      | Event ID       | Description    | Event ID for   |
|                |                |                |                |                |                | Windows 2003   |
+================+================+================+================+================+================+================+
| Account Logon  | Credential     | Success,       | Security       | 4776           | The domain     | 680, 681       |
|                | Validation     | Failure        |                |                | controller     |                |
|                |                |                |                |                | attempted to   |                |
|                |                |                |                |                | validate the   |                |
|                |                |                |                |                | credentials    |                |
|                |                |                |                |                | for an account |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Computer       | Success        | Security       | 4741           | A computer     | 645            |
| Management     | Account        |                |                |                | account was    |                |
|                | Management     |                |                |                | created        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Computer       | Success        | Security       | 4742           | A computer     | 646            |
| Management     | Account        |                |                |                | account was    |                |
|                | Management     |                |                |                | changed        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Computer       | Success        | Security       | 4743           | A computer     | 647            |
| Management     | Account        |                |                |                | account was    |                |
|                | Management     |                |                |                | deleted        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4744           | A security-    | 648            |
| Management     | Group          |                |                |                | disabled local |                |
|                | Management     |                |                |                | group was      |                |
|                |                |                |                |                | created        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4746           | A member was   | 650            |
| Management     | Group          |                |                |                | added to a     |                |
|                | Management     |                |                |                | security-      |                |
|                |                |                |                |                | disabled local |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4747           | A member was   | 651            |
| Management     | Group          |                |                |                | removed from a |                |
|                | Management     |                |                |                | security-      |                |
|                |                |                |                |                | disabled local |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4748           | A security-    | 652            |
| Management     | Group          |                |                |                | disabled local |                |
|                | Management     |                |                |                | group was      |                |
|                |                |                |                |                | deleted        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4749           | A security-    | 653            |
| Management     | Group          |                |                |                | disabled       |                |
|                | Management     |                |                |                | global group   |                |
|                |                |                |                |                | was created    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4751           | A member was   | 655            |
| Management     | Group          |                |                |                | added to a     |                |
|                | Management     |                |                |                | security-      |                |
|                |                |                |                |                | disabled       |                |
|                |                |                |                |                | global group   |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4752           | A member was   | 656            |
| Management     | Group          |                |                |                | removed from a |                |
|                | Management     |                |                |                | security-      |                |
|                |                |                |                |                | disabled       |                |
|                |                |                |                |                | global group   |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4753           | A security-    | 657            |
| Management     | Group          |                |                |                | disabled       |                |
|                | Management     |                |                |                | global group   |                |
|                |                |                |                |                | was deleted    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4759           | A security-    | 663            |
| Management     | Group          |                |                |                | disabled       |                |
|                | Management     |                |                |                | universal      |                |
|                |                |                |                |                | group was      |                |
|                |                |                |                |                | created        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4761           | A member was   | 665            |
| Management     | Group          |                |                |                | added to a     |                |
|                | Management     |                |                |                | security-      |                |
|                |                |                |                |                | disabled       |                |
|                |                |                |                |                | universal      |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Distribution   | Success        | Security       | 4762           | A member was   | 666            |
| Management     | Group          |                |                |                | removed from a |                |
|                | Management     |                |                |                | security-      |                |
|                |                |                |                |                | disabled       |                |
|                |                |                |                |                | universal      |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4727           | A security-    | 631            |
| Management     | Management     |                |                |                | enabled global |                |
|                |                |                |                |                | group was      |                |
|                |                |                |                |                | created        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4728           | A member was   | 632            |
| Management     | Management     |                |                |                | added to a     |                |
|                |                |                |                |                | security-      |                |
|                |                |                |                |                | enabled global |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4729           | A member was   | 633            |
| Management     | Management     |                |                |                | removed from a |                |
|                |                |                |                |                | security-      |                |
|                |                |                |                |                | enabled global |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4730           | A security-    | 634            |
| Management     | Management     |                |                |                | enabled global |                |
|                |                |                |                |                | group was      |                |
|                |                |                |                |                | deleted        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4731           | A security-    | 635            |
| Management     | Management     |                |                |                | enabled local  |                |
|                |                |                |                |                | group was      |                |
|                |                |                |                |                | created        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4732           | A member was   | 636            |
| Management     | Management     |                |                |                | added to a     |                |
|                |                |                |                |                | security-      |                |
|                |                |                |                |                | enabled local  |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4733           | A member was   | 637            |
| Management     | Management     |                |                |                | removed from a |                |
|                |                |                |                |                | security-      |                |
|                |                |                |                |                | enabled local  |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4734           | A security-    | 638            |
| Management     | Management     |                |                |                | enabled local  |                |
|                |                |                |                |                | group was      |                |
|                |                |                |                |                | deleted        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4754           | A security-    | 658            |
| Management     | Management     |                |                |                | enabled        |                |
|                |                |                |                |                | universal      |                |
|                |                |                |                |                | group was      |                |
|                |                |                |                |                | created        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4755           | A security-    | 659            |
| Management     | Management     |                |                |                | enabled        |                |
|                |                |                |                |                | universal      |                |
|                |                |                |                |                | group was      |                |
|                |                |                |                |                | changed        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4756           | A member was   | 660            |
| Management     | Management     |                |                |                | added to a     |                |
|                |                |                |                |                | security-      |                |
|                |                |                |                |                | enabled        |                |
|                |                |                |                |                | universal      |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4757           | A member was   | 661            |
| Management     | Management     |                |                |                | removed from a |                |
|                |                |                |                |                | security-      |                |
|                |                |                |                |                | enabled        |                |
|                |                |                |                |                | universal      |                |
|                |                |                |                |                | group          |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4758           | A security-    | 662            |
| Management     | Management     |                |                |                | enabled        |                |
|                |                |                |                |                | universal      |                |
|                |                |                |                |                | group was      |                |
|                |                |                |                |                | deleted        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | Security Group | Success        | Security       | 4764           | A group's type | 668            |
| Management     | Management     |                |                |                | was changed    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4720           | A user account | 624            |
| Management     | Management     |                |                |                | was created    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4722           | A user account | 626            |
| Management     | Management     |                |                |                | was enabled    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4723           | An attempt was | 627            |
| Management     | Management     |                |                |                | made to change |                |
|                |                |                |                |                | an account's   |                |
|                |                |                |                |                | password       |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4724           | An attempt was | 628            |
| Management     | Management     |                |                |                | made to reset  |                |
|                |                |                |                |                | an account's   |                |
|                |                |                |                |                | password       |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4725           | A user account | 629            |
| Management     | Management     |                |                |                | was disabled   |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4726           | A user account | 630            |
| Management     | Management     |                |                |                | was deleted    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4738           | A user account | 642            |
| Management     | Management     |                |                |                | was changed    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4740           | A user account | 644            |
| Management     | Management     |                |                |                | was locked out |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4765           | SID History    |                |
| Management     | Management     |                |                |                | was added to   |                |
|                |                |                |                |                | an account     |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Failure        | Security       | 4766           | An attempt to  |                |
| Management     | Management     |                |                |                | add SID        |                |
|                |                |                |                |                | History to an  |                |
|                |                |                |                |                | account failed |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Account        | User Account   | Success        | Security       | 4781           | The name of an | 685            |
| Management     | Management     |                |                |                | account was    |                |
|                |                |                |                |                | changed        |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Directory      | Directory      | Success        | Security       | 5136           | A directory    | 566            |
| Service        | Service        |                |                |                | service object |                |
|                | Changes        |                |                |                | was modified   |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Directory      | Directory      | Success        | Security       | 5137           | A directory    | 566            |
| Service        | Service        |                |                |                | service object |                |
|                | Changes        |                |                |                | was created    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Directory      | Directory      | Success        | Security       | 5138           | A directory    |                |
| Service        | Service        |                |                |                | service object |                |
|                | Changes        |                |                |                | was undeleted  |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Directory      | Directory      | Success        | Security       | 5139           | A directory    |                |
| Service        | Service        |                |                |                | service object |                |
|                | Changes        |                |                |                | was moved      |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Directory      | Directory      | Success        | Security       | 5141           | A directory    |                |
| Service        | Service        |                |                |                | service object |                |
|                | Changes        |                |                |                | was deleted    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Logon/Logoff   | Logon          | Success        | Security       | 4624           | An account was | 528 , 540      |
|                |                |                |                |                | successfully   |                |
|                |                |                |                |                | logged on      |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Logon/Logoff   | Logon          | Failure        | Security       | 4625           | An account     | 529 , 530 ,    |
|                |                |                |                |                | failed to log  | 531 , 532 ,    |
|                |                |                |                |                | on             | 533 , 534 ,    |
|                |                |                |                |                |                | 535 , 536 ,    |
|                |                |                |                |                |                | 537 , 539      |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Object Access  | Detailed File  | Success,       | Security       | 5145           | A network      |                |
|                | Share          | Failure        |                |                | share object   |                |
|                |                |                |                |                | was checked to |                |
|                |                |                |                |                | see whether    |                |
|                |                |                |                |                | client can be  |                |
|                |                |                |                |                | granted        |                |
|                |                |                |                |                | desired access |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Object Access  | File Share     | Success        | Security       | 5140           | A network      |                |
|                |                |                |                |                | share object   |                |
|                |                |                |                |                | was accessed   |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Object Access  | File Share     | Success        | Security       | 5142           | A network      |                |
|                |                |                |                |                | share object   |                |
|                |                |                |                |                | was added      |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Object Access  | File System,   | Success        | Security       | 4663           | An attempt was | 567            |
|                | Registry,      |                |                |                | made to access |                |
|                | Kernel Object, |                |                |                | an object      |                |
|                | SAM, Other     |                |                |                |                |                |
|                | Object Access  |                |                |                |                |                |
|                | Events         |                |                |                |                |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Object Access  | File System,   | Success        | Security       | 4670           | Permissions on |                |
|                | Registry,      |                |                |                | an object were |                |
|                | Policy Change, |                |                |                | changed        |                |
|                | Authorization  |                |                |                |                |                |
|                | Policy Change  |                |                |                |                |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Object Access  | File System,   | Success,       | Security       | 4656           | A handle to an | 560            |
|                | Registry, SAM, | Failure        |                |                | object was     |                |
|                | Handle         |                |                |                | requested      |                |
|                | Manipulation,  |                |                |                |                |                |
|                | Other Object   |                |                |                |                |                |
|                | Access Events  |                |                |                |                |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| Object Access  |                | Success        | Security       | 561            | Handle         |                |
|                |                |                |                |                | Allocated      |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| System         | Security State | Success        | Security       | 4608           | Windows is     | 512            |
|                | Change         |                |                |                | starting up    |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| System         | Security State | Success        | Security       | 4616           | The system     | 520            |
|                | Change         |                |                |                | time was       |                |
|                |                |                |                |                | changed.       |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| System         | Security       | Success        | Security       | 4610           | An             | 514            |
|                | System         |                |                |                | authentication |                |
|                | Extension      |                |                |                | package has    |                |
|                |                |                |                |                | been loaded by |                |
|                |                |                |                |                | the Local      |                |
|                |                |                |                |                | Security       |                |
|                |                |                |                |                | Authority      |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| System         | System         | Success        | Security       | 4612           | Internal       | 516            |
|                | Integrity      |                |                |                | resources      |                |
|                |                |                |                |                | allocated for  |                |
|                |                |                |                |                | the queuing of |                |
|                |                |                |                |                | audit messages |                |
|                |                |                |                |                | have been      |                |
|                |                |                |                |                | exhausted,     |                |
|                |                |                |                |                | leading to the |                |
|                |                |                |                |                | loss of some   |                |
|                |                |                |                |                | audits         |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+
| System         | System         | Success        | Security       | 4615           | Invalid use of | 519            |
|                | Integrity      |                |                |                | LPC port       |                |
+----------------+----------------+----------------+----------------+----------------+----------------+----------------+

Network Analytics Plan

Netflow analysis

The Logstash collector receives and decodes Network Flows using the provided decoders. During decoding, IP address reputation analysis is performed and the result is added to the event document.

Installation

Install/update the Logstash codec plugins for netflow and sflow
/usr/share/logstash/bin/logstash-plugin install file:///etc/logstash/netflow/bin/logstash-codec-sflow-2.1.2.gem.zip
/usr/share/logstash/bin/logstash-plugin install file:///etc/logstash/netflow/bin/logstash-codec-netflow-4.2.1.gem.zip
/usr/share/logstash/bin/logstash-plugin install file:///etc/logstash/netflow/bin/logstash-input-udp-3.3.4.gem.zip
/usr/share/logstash/bin/logstash-plugin update logstash-input-tcp
/usr/share/logstash/bin/logstash-plugin update logstash-filter-translate
/usr/share/logstash/bin/logstash-plugin update logstash-filter-geoip
/usr/share/logstash/bin/logstash-plugin update logstash-filter-dns

Configuration

Enable Logstash pipeline

vim /etc/logstash/pipeline.yml

- pipeline.id: flows
  path.config: "/etc/logstash/conf.d/netflow/*.conf"

Elasticsearch template installation

curl -XPUT -H 'Content-Type: application/json' -u logserver:logserver 'http://127.0.0.1:9200/_template/netflow' -d@/etc/logstash/templates.d/netflow-template.json

Importing Kibana dashboards

curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@overview.json
curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@security.json
curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@sources.json
curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@history.json
curl -k -X POST -ulogserver:logserver "https://localhost:5601/api/kibana/dashboards/import" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@destinations.json

Enable bad reputation lists update

crontab -e

0 4 * * * /etc/logstash/lists/bin/badreputation_iplists.sh

Enable reverse DNS lookup

To enable reverse DNS lookup, change USE_DNS:false to USE_DNS:true in 13-filter-dns-geoip.conf.

Optionally point both DNS servers ${DNS_SRV:8.8.8.8} at your local DNS.
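The reputation step that the pipeline above performs while decoding flows, written in plain Python as an added illustration (this is not the pipeline's own Logstash configuration). The reputation list, the flow records and the result field names are constructed for the example; the flow field names follow the netflow codec's ipv4_src_addr / ipv4_dst_addr.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the lists that badreputation_iplists.sh refreshes nightly:
# CIDR prefix -> name of the list it came from.
BAD_REPUTATION = {
    "198.51.100.0/24": "constructed_scanner_list",
    "203.0.113.0/24": "constructed_botnet_list",
    "203.0.113.7/32": "constructed_c2_list",  # more specific than the /24 above
}

# Addresses that can never be on a public reputation list; skipping them keeps
# internal-to-internal flows from producing false hits (RFC 1918, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def compile_lists(entries):
    """Parse the CIDRs once, longest prefix first so the most specific entry wins."""
    nets = [(ipaddress.ip_network(cidr, strict=False), name) for cidr, name in entries.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def reputation(ip, nets):
    """Return the list name an address is on, or None for clean or internal addresses."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL):
        return None
    for net, name in nets:
        if addr.version == net.version and addr in net:
            return name
    return None


def enrich(flow, nets):
    """Add reputation verdicts for both endpoints to the decoded flow document.

    The result field names are an assumption made for this example, not the
    pipeline's own schema.
    """
    doc = dict(flow)
    hits = {}
    for side in ("src", "dst"):
        name = reputation(flow["netflow"]["ipv4_%s_addr" % side], nets)
        if name:
            hits[side] = name
    doc["bad_reputation"] = bool(hits)
    doc["bad_reputation_lists"] = hits
    return doc


def summarise(docs):
    """Counts behind the 'Bad reputation by source' and 'by destination' views."""
    by_src, by_dst = Counter(), Counter()
    for doc in docs:
        if "src" in doc["bad_reputation_lists"]:
            by_src[doc["netflow"]["ipv4_src_addr"]] += 1
        if "dst" in doc["bad_reputation_lists"]:
            by_dst[doc["netflow"]["ipv4_dst_addr"]] += 1
    return by_src, by_dst


# Constructed sample flows using the netflow codec's field names.
SAMPLE_FLOWS = [
    {"netflow": {"ipv4_src_addr": "10.1.2.3", "ipv4_dst_addr": "203.0.113.7", "l4_dst_port": 443}},
    {"netflow": {"ipv4_src_addr": "198.51.100.44", "ipv4_dst_addr": "10.1.2.3", "l4_dst_port": 22}},
    {"netflow": {"ipv4_src_addr": "10.1.2.3", "ipv4_dst_addr": "192.0.2.10", "l4_dst_port": 53}},
    {"netflow": {"ipv4_src_addr": "10.1.2.3", "ipv4_dst_addr": "203.0.113.9", "l4_dst_port": 80}},
    {"netflow": {"ipv4_src_addr": "10.1.2.3", "ipv4_dst_addr": "10.1.9.9", "l4_dst_port": 445}},
]


def demo():
    nets = compile_lists(BAD_REPUTATION)
    docs = [enrich(flow, nets) for flow in SAMPLE_FLOWS]
    by_src, by_dst = summarise(docs)
    return docs, by_src, by_dst


if __name__ == "__main__":
    docs, by_src, by_dst = demo()
    for doc in docs:
        nf = doc["netflow"]
        print(nf["ipv4_src_addr"], "->", nf["ipv4_dst_addr"], doc["bad_reputation_lists"])
    print("by source:", dict(by_src), "by destination:", dict(by_dst))
```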

Security rules

MS Windows SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1. Windows - Admin night logon

   Architecture/Application: Windows
   Description: Alert on Windows login events when detected outside business hours
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:(4624 OR 1200) AND user.role:admin AND event.hour:(20 OR 21 OR 22 OR 23 OR 0 OR 1 OR 2 OR 3)"

2. Windows - Admin task as user

   Architecture/Application: Windows
   Description: Alert when an admin task is initiated by a regular user. Windows event ID 4732 is checked against a static admin list. If the user does not belong to the admin list AND the event is seen, then an alert is generated. The static admin list is a Logstash dictionary file that needs to be created manually. During the Logstash lookup a field user.role:admin is added to the event. 4732: A member was added to a security-enabled local group
   Index name: winlogbeat-*
   Requirements: winlogbeat, Logstash admin dictionary lookup file
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4732 AND NOT user.role:admin"

3. Windows - diff IPs logon

   Architecture/Application: Windows
   Description: Alert when a Windows logon process is detected and two or more different IP addresses are seen in the source field. The timeframe is the last 15 min. Detection is based on events 4624 or 1200. 4624: An account was successfully logged on. 1200: Application token success
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: cardinality
   Rule definition:

       max_cardinality: 1
       timeframe:
         minutes: 15
       filter:
       - query_string:
           query: 'event_id:(4624 OR 1200) AND NOT _exists_:user.role AND NOT event_data.IpAddress:"-"'
       query_key: username

4. Windows - Event service error

   Architecture/Application: Windows
   Description: Alert when Windows event 1108 is matched. 1108: The event logging service encountered an error
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:1108"

5. Windows - file insufficient privileges

   Architecture/Application: Windows
   Description: Alert when Windows event 5145 is matched. 5145: A network share object was checked to see whether the client can be granted desired access. Every time a network share object (file or folder) is accessed, event 5145 is logged. If the access is denied at the file share level, it is audited as a failure event; otherwise it is considered a success. This event is not generated for NTFS access.
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: frequency
   Rule definition:

       query_key: "event_data.IpAddress"
       num_events: 50
       timeframe:
         minutes: 15
       filter:
       - query_string:
           query: "event_id:5145"

6. Windows - Kerberos pre-authentication failed

   Architecture/Application: Windows
   Description: Alert when Windows event 4625 or 4771 is matched. 4625: An account failed to log on. 4771: Kerberos pre-authentication failed
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4625 OR event_id:4771"

7. Windows - Logs deleted

   Architecture/Application: Windows
   Description: Alert when Windows event 1102 OR 104 is matched. 1102: The audit log was cleared. 104: Event log cleared
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'event_desc:"1102 The audit log was cleared"'

8. Windows - Member added to a security-enabled global group

   Architecture/Application: Windows
   Description: Alert when Windows event 4728 is matched. 4728: A member was added to a security-enabled global group
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4728"

9. Windows - Member added to a security-enabled local group

   Architecture/Application: Windows
   Description: Alert when Windows event 4732 is matched. 4732: A member was added to a security-enabled local group
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4732"

10. Windows - Member added to a security-enabled universal group

   Architecture/Application: Windows
   Description: Alert when Windows event 4756 is matched. 4756: A member was added to a security-enabled universal group
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4756"

11. Windows - New device

   Architecture/Application: Windows
   Description: Alert when Windows event 6416 is matched. 6416: A new external device was recognized by the system
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:6416"

12. Windows - Package installation

   Architecture/Application: Windows
   Description: Alert when Windows event 4697 is matched. 4697: A service was installed in the system
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4697"

13. Windows - Password policy change

   Architecture/Application: Windows
   Description: Alert when Windows event 4739 is matched. 4739: Domain Policy was changed
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4739"

14. Windows - Security log full

   Architecture/Application: Windows
   Description: Alert when Windows event 1104 is matched. 1104: The security log is now full
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:1104"

15. Windows - Start up

   Architecture/Application: Windows
   Description: Alert when Windows event 4608 is matched. 4608: Windows is starting up
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4608"

16. Windows - Account lock

   Architecture/Application: Windows
   Description: Alert when Windows event 4740 is matched. 4740: A user account was locked out
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4740"

17. Windows - Security local group was changed

   Architecture/Application: Windows
   Description: Alert when Windows event 4735 is matched. 4735: A security-enabled local group was changed
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4735"

18. Windows - Reset password attempt

   Architecture/Application: Windows
   Description: Alert when Windows event 4724 is matched. 4724: An attempt was made to reset an account's password
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4724"

19. Windows - Code integrity changed

   Architecture/Application: Windows
   Description: Alert when Windows event 5038 is matched. 5038: Detected an invalid image hash of a file. Information: Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. The event logs the following information:
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:5038"

20. Windows - Application error

   Architecture/Application: Windows
   Description: Alert when Windows event 1000 is matched. 1000: Application error
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Application Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:1000"

21. Windows - Application hang

   Architecture/Application: Windows
   Description: Alert when Windows event 1001 OR 1002 is matched. 1001: Application fault bucket. 1002: Application hang
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Application Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:1002 OR event_id:1001"

22. Windows - Audit policy changed

   Architecture/Application: Windows
   Description: Alert when Windows event 4719 is matched. 4719: System audit policy was changed
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:4719"

23. Windows - Eventlog service stopped

   Architecture/Application: Windows
   Description: Alert when Windows event 6005 is matched. 6005: Eventlog service stopped
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:6005"

24. Windows - New service installed

   Architecture/Application: Windows
   Description: Alert when Windows event 7045 OR 4697 is matched. 7045, 4697: A service was installed in the system
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:7045 OR event_id:4697"

25. Windows - Driver loaded

   Architecture/Application: Windows
   Description: Alert when Windows event 6 is matched. 6: Driver loaded. The driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows System Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:6"

26. Windows - Firewall rule modified

   Architecture/Application: Windows
   Description: Alert when Windows event 2005 is matched. 2005: A rule has been modified in the Windows firewall exception list
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'event_desc:"4947 A change has been made to Windows Firewall exception list. A rule was modified"'

27. Windows - Firewall rule add

   Architecture/Application: Windows
   Description: Alert when Windows event 2004 is matched. 2004: A firewall rule has been added
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:2004"

28. Windows - Firewall rule deleted

   Architecture/Application: Windows
   Description: Alert when Windows event 2006 or 2033 or 2009 is matched. 2006, 2033, 2009: Firewall rule deleted
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "event_id:2006 OR event_id:2033 OR event_id:2009"

29. Windows - System has been shutdown

   Architecture/Application: Windows
   Description: This event is written when an application causes the system to restart, or when the user initiates a restart or shutdown by clicking Start or pressing CTRL+ALT+DELETE, and then clicking Shut Down.
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'event_id:"1074"'

30. Windows - The system time was changed

   Architecture/Application: Windows
   Description: The system time has been changed. The event describes the old and new time.
   Index name: winlogbeat-*
   Requirements: winlogbeat
   Source: Windows Security Eventlog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'event_id:"4616"'
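How the any, frequency and cardinality rule types used above behave on a stream of winlogbeat events, as an added illustration in plain Python (this is not ElastAlert's own implementation and not the project's code). The events are constructed; for rule 3 the counted field is taken from its description (event_data.IpAddress), since the rule definition names only the query_key.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AnyRule:
    """Rule type 'any': every event that matches the filter raises an alert."""

    def __init__(self, match):
        self.match = match

    def add(self, ev):
        return self.match(ev)


class FrequencyRule:
    """Rule type 'frequency': alert when num_events matches with the same query_key
    value fall inside one timeframe (sliding window)."""

    def __init__(self, match, query_key, num_events, timeframe):
        self.match, self.query_key = match, query_key
        self.num_events, self.timeframe = num_events, timeframe
        self.window = defaultdict(deque)  # query_key value -> timestamps of matches

    def add(self, ev):
        if not self.match(ev):
            return False
        q = self.window[ev[self.query_key]]
        q.append(ev["@timestamp"])
        while ev["@timestamp"] - q[0] > self.timeframe:  # evict matches older than timeframe
            q.popleft()
        return len(q) >= self.num_events


class CardinalityRule:
    """Rule type 'cardinality': alert when more than max_cardinality distinct values of
    cardinality_field are seen for one query_key value inside the timeframe."""

    def __init__(self, match, query_key, cardinality_field, max_cardinality, timeframe):
        self.match, self.query_key, self.field = match, query_key, cardinality_field
        self.max_cardinality, self.timeframe = max_cardinality, timeframe
        self.window = defaultdict(deque)  # query_key value -> (timestamp, field value)

    def add(self, ev):
        if not self.match(ev):
            return False
        q = self.window[ev[self.query_key]]
        q.append((ev["@timestamp"], ev[self.field]))
        while ev["@timestamp"] - q[0][0] > self.timeframe:
            q.popleft()
        return len({value for _, value in q}) > self.max_cardinality


# The rules' query_string filters, written as predicates over flat event documents.
def logon_filter(ev):
    # rule 3: event_id:(4624 OR 1200) AND NOT _exists_:user.role AND NOT event_data.IpAddress:"-"
    return ev["event_id"] in (4624, 1200) and "user.role" not in ev and ev.get("event_data.IpAddress") != "-"


def share_access_filter(ev):
    return ev["event_id"] == 5145  # rule 5: event_id:5145


def service_error_filter(ev):
    return ev["event_id"] == 1108  # rule 4: event_id:1108


def run(rule, events):
    """Feed events in time order; return the query_key value (event_id for 'any') of each alert."""
    key = getattr(rule, "query_key", "event_id")
    return [ev[key] for ev in events if rule.add(ev)]


T0 = datetime(2024, 5, 1, 9, 0, 0)
M = timedelta(minutes=1)

# Constructed winlogbeat-style events.
LOGONS = [
    {"@timestamp": T0, "event_id": 4624, "username": "alice", "event_data.IpAddress": "10.0.0.5"},
    {"@timestamp": T0 + 3 * M, "event_id": 4624, "username": "bob", "event_data.IpAddress": "10.0.0.7"},
    {"@timestamp": T0 + 5 * M, "event_id": 1200, "username": "alice", "event_data.IpAddress": "10.0.0.5"},
    {"@timestamp": T0 + 9 * M, "event_id": 4624, "username": "alice", "event_data.IpAddress": "10.0.0.9"},  # 2nd IP in 15 min
    {"@timestamp": T0 + 10 * M, "event_id": 4624, "username": "svc", "event_data.IpAddress": "-"},  # excluded: "-"
    {"@timestamp": T0 + 12 * M, "event_id": 4624, "username": "carol", "user.role": "admin",
     "event_data.IpAddress": "10.0.0.2"},  # excluded: user.role exists
    {"@timestamp": T0 + 40 * M, "event_id": 4624, "username": "bob", "event_data.IpAddress": "10.0.0.8"},  # bob's 1st IP aged out
]
SHARE_ACCESS = (
    [{"@timestamp": T0 + i * timedelta(seconds=10), "event_id": 5145, "event_data.IpAddress": "192.0.2.10"}
     for i in range(50)]  # 50 share accesses in about 8 minutes from one client
    + [{"@timestamp": T0 + i * M, "event_id": 5145, "event_data.IpAddress": "192.0.2.20"} for i in range(5)]
)
SYSTEM = [{"@timestamp": T0, "event_id": 1108}, {"@timestamp": T0 + M, "event_id": 4608}]


def demo():
    card = CardinalityRule(logon_filter, "username", "event_data.IpAddress", 1, 15 * M)
    freq = FrequencyRule(share_access_filter, "event_data.IpAddress", 50, 15 * M)
    return {"cardinality": run(card, LOGONS), "frequency": run(freq, SHARE_ACCESS),
            "any": run(AnyRule(service_error_filter), SYSTEM)}


if __name__ == "__main__":
    print(demo())
```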

Network Switch SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1. Switch - Blocked by LACP

   Architecture/Application: Switch
   Description: ports: port <nr> is Blocked by LACP
   Index name: syslog-*
   Source: syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"Blocked by LACP"'

2. Switch - Blocked by STP

   Architecture/Application: Switch
   Description: ports: port <nr> is Blocked by STP
   Index name: syslog-*
   Source: syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"Blocked by STP"'

3. Switch - Port state changed

   Architecture/Application: Switch
   Description: Port state changed to down or up
   Index name: syslog-*
   Source: syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"changed state to"'

4. Switch - Configured from console

   Architecture/Application: Switch
   Description: Configuration changes from console
   Index name: syslog-*
   Source: syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"Configured from console"'

5. Switch - High collision or drop rate

   Architecture/Application: Switch
   Index name: syslog-*
   Source: syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"High collision or drop rate"'

6. Switch - Invalid login

   Architecture/Application: Switch
   Description: auth: Invalid user name/password on SSH session
   Index name: syslog-*
   Source: syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"auth: Invalid user name/password on SSH session"'

7. Switch - Logged to switch

   Architecture/Application: Switch
   Index name: syslog-*
   Source: syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:" mgr: SME SSH from"'

8. Switch - Port is offline

   Architecture/Application: Switch
   Description: ports: port <nr> is now off-line
   Index name: syslog-*
   Source: syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:" is now off-line"'

9. Switch - Port is online

   Architecture/Application: Switch
   Description: ports: port <nr> is now on-line
   Index name: syslog-*
   Source: syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:" is now on-line"'

Cisco ASA devices SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1. Cisco ASA - Device interface administratively up

   Architecture/Application: Cisco ASA
   Description: Device interface administratively up
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'cisco.id:"%ASA-4-411003"'

2. Cisco ASA - Device configuration has been changed or reloaded

   Architecture/Application: Cisco ASA
   Description: Device configuration has been changed or reloaded
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'cisco.id:("%ASA-5-111007" OR "%ASA-5-111008")'

3. Cisco ASA - Device interface administratively down

   Architecture/Application: Cisco ASA
   Description: Device interface administratively down
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'cisco.id:"%ASA-4-411004"'

4. Cisco ASA - Device line protocol on Interface changed state to down

   Architecture/Application: Cisco ASA
   Description: Device line protocol on Interface changed state to down
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'cisco.id:"%ASA-4-411002"'

5. Cisco ASA - Device line protocol on Interface changed state to up

   Architecture/Application: Cisco ASA
   Description: Device line protocol on Interface changed state to up
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'cisco.id:"%ASA-4-411001"'

6. Cisco ASA - Device user executed shutdown

   Architecture/Application: Cisco ASA
   Description: Device user executed shutdown
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'cisco.id:"%ASA-5-111010"'

7. Cisco ASA - Multiple VPN authentication failed

   Architecture/Application: Cisco ASA
   Description: Multiple VPN authentication failed
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: frequency
   Rule definition:

       query_key: "src.ip"
       num_events: 10
       timeframe:
         minutes: 240
       filter:
       - query_string:
           query: 'cisco.id:"%ASA-6-113005"'

8. Cisco ASA - VPN authentication failed

   Architecture/Application: Cisco ASA
   Description: VPN authentication failed
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'cisco.id:"%ASA-6-113005"'

9. Cisco ASA - VPN authentication successful

   Architecture/Application: Cisco ASA
   Description: VPN authentication successful
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'cisco.id:"%ASA-6-113004"'

10. Cisco ASA - VPN user locked out

   Architecture/Application: Cisco ASA
   Description: VPN user locked out
   Index name: syslog-*
   Source: syslog from Cisco ASA devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'cisco.id:"%ASA-6-113006"'

Linux Mail SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1. Mail - Flood Connect from

   Architecture/Application: Mail Linux
   Description: Connection flood, possible DDoS attack
   Index name: syslog-*
   Source: syslog
   Rule type: frequency
   Rule definition:

       filter:
       - query_string:
           query: 'message:"connect from"'
       query_key: host
       timeframe:
         hours: 1
       num_events: 50

2. Mail - SASL LOGIN authentication failed

   Architecture/Application: Mail Linux
   Description: User authentication failure
   Index name: syslog-*
   Source: syslog
   Rule type: frequency
   Rule definition:

       filter:
       - query_string:
           query: 'message:"SASL LOGIN authentication failed: authentication failure"'
       query_key: host
       timeframe:
         hours: 1
       num_events: 30

3. Mail - Sender rejected

   Architecture/Application: Mail Linux
   Description: Sender rejected
   Index name: syslog-*
   Source: syslog
   Rule type: frequency
   Rule definition:

       filter:
       - query_string:
           query: 'message:"NOQUEUE: reject: RCPT from"'
       query_key: host
       timeframe:
         hours: 1
       num_events: 20

Linux DNS Bind SIEM Rules

1. DNS - Anomaly in geographic region

   Architecture/Application: DNS
   Description: DNS anomaly detection in geographic region
   Index name: filebeat-*
   Requirements: filebeat
   Rule type: spike
   Rule definition:

       query_key: geoip.country_code2
       threshold_ref: 500
       spike_height: 3
       spike_type: "up"
       timeframe:
         minutes: 10
       filter:
       - query_string:
           query: "NOT geoip.country_code2:(US OR PL OR NL OR IE OR DE OR FR OR GB OR SK OR AT OR CZ OR NO OR AU OR DK OR FI OR ES OR LT OR BE OR CH) AND _exists_:geoip.country_code2 AND NOT domain:(*.outlook.com OR *.pool.ntp.org)"

2. DNS - Domain requests

   Architecture/Application: DNS
   Description: Domain requests
   Index name: filebeat-*
   Requirements: filebeat
   Rule type: frequency
   Rule definition:

       query_key: "domain"
       num_events: 1000
       timeframe:
         minutes: 5
       filter:
       - query_string:
           query: "NOT domain:(/.*localdomain/) AND _exists_:domain"

3. DNS - Domain requests by source IP

   Architecture/Application: DNS
   Description: Domain requests by source IP
   Index name: filebeat-*
   Requirements: filebeat
   Rule type: cardinality
   Rule definition:

       query_key: "src_ip"
       cardinality_field: "domain"
       max_cardinality: 3000
       timeframe:
         minutes: 10
       filter:
       - query_string:
           query: "NOT domain:(/.*.arpa/ OR /.*localdomain/ OR /.*office365.com/) AND _exists_:domain"

4. DNS - Resolved domain matches IOC IP blacklist

   Architecture/Application: DNS
   Description: Resolved domain matches IOC IP blacklist
   Index name: filebeat-*
   Requirements: filebeat
   Rule type: blacklist-ioc
   Rule definition:

       compare_key: "domain_ip"
       blacklist-ioc:
       - "!yaml /etc/logstash/lists/misp_ip.yml"

Fortigate Devices SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1. Fortigate virus

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with Antivirus, IPS, Fortisandbox modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "subtype:virus AND action:blocked"

2. Fortigate http server attack by destination IP

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with waf, IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: frequency
   Rule definition:

       query_key: "dst_ip"
       num_events: 10
       timeframe:
         hours: 1
       filter:
       - query_string:
           query: "level:alert AND subtype:ips AND action:dropped AND profile:protect_http_server"

3. Fortigate forward deny by source IP

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: frequency
   Rule definition:

       query_key: "src_ip"
       num_events: 250
       timeframe:
         hours: 1
       filter:
       - query_string:
           query: "subtype:forward AND action:deny"

4. Fortigate failed login

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "action:login AND status:failed"

5. Fortigate failed login same source

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: frequency
   Rule definition:

       query_key: "src_ip"
       num_events: 18
       timeframe:
         minutes: 45
       filter:
       - query_string:
           query: "action:login AND status:failed"

6. Fortigate device configuration changed

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: '"Configuration is changed in the admin session"'

7. Fortigate unknown tunneling setting

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: '"http_decoder: HTTP.Unknown.Tunnelling"'

8. Fortigate multiple tunneling same source

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: frequency
   Rule definition:

       query_key: "src_ip"
       num_events: 18
       timeframe:
         minutes: 45
       filter:
       - query_string:
           query: '"http_decoder: HTTP.Unknown.Tunnelling"'

9. Fortigate firewall configuration changed

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "action:Edit"

10. Fortigate SSL VPN login fail

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "ssl-login-fail"

11. Fortigate Multiple SSL VPN login failed same source

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: frequency
   Rule definition:

       query_key: "src_ip"
       num_events: 18
       timeframe:
         minutes: 45
       filter:
       - query_string:
           query: "ssl-login-fail"

12. Fortigate suspicious traffic

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "type:traffic AND status:high"

13. Fortigate suspicious traffic same source

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: frequency
   Rule definition:

       query_key: "src_ip"
       num_events: 18
       timeframe:
         minutes: 45
       filter:
       - query_string:
           query: "type:traffic AND status:high"

14. Fortigate URL blocked

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "action:blocked AND status:warning"

15. Fortigate multiple URL blocked same source

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: frequency
   Rule definition:

       query_key: "src_ip"
       num_events: 18
       timeframe:
         minutes: 45
       filter:
       - query_string:
           query: "action:blocked AND status:warning"

16. Fortigate attack detected

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "attack AND action:detected"

17. Fortigate attack dropped

   Architecture/Application: FortiOS 6.x
   Index name: fortigate*
   Requirements: FortiOS with IPS, modules, Logstash KV filter, default-base-template
   Source: syslog from Forti devices
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "attack AND action:dropped"

Linux Apache SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1. HTTP 1xx peak

   Architecture/Application: Apache
   Description: Response status 1xx
   Index name: httpd*
   Source: Apache logs
   Rule type: spike
   Rule definition:

       threshold_cur: 100
       timeframe:
         hours: 2
       spike_height: 5
       spike_type: "up"
       filter:
       - query:
           query_string:
             query: "response.status.code:1*"
       - type:
           value: "_doc"

2. HTTP 2xx responses for unwanted URLs

   Architecture/Application: Apache
   Description: Requests for URLs like /phpMyAdmin, /wpadmin, /wp-login.php, /.env, /admin, /owa/auth/logon.aspx, /api, /license.txt, /api/v1/pods, /solr/admin/info/system, /backup/, /admin/config.php, /dana-na, /dbadmin/, /myadmin/, /mysql/, /php-my-admin/, /sqlmanager/, /mysqlmanager/, config.php
   Index name: httpd*
   Source: Apache logs
   Rule type: blacklist
   Rule definition:

       compare_key: http.request
       ignore_null: true
       blacklist:
       - /phpMyAdmin
       - /wpadmin
       - /wp-login.php
       - /.env
       - /admin
       - /owa/auth/logon.aspx
       - /api
       - /license.txt
       - /api/v1/pods
       - /solr/admin/info/system
       - /backup/
       - /admin/config.php
       - /dana-na
       - /dbadmin/
       - /myadmin/
       - /mysql/
       - /php-my-admin/
       - /sqlmanager/
       - /mysqlmanager/
       - config.php

3. HTTP 2xx spike

   Architecture/Application: Apache
   Index name: httpd*
   Source: Apache logs
   Rule type: spike
   Rule definition:

       threshold_cur: 100
       timeframe:
         hours: 2
       spike_height: 5
       spike_type: "up"
       filter:
       - query:
           query_string:
             query: "response.status.code:2*"
       - type:
           value: "_doc"

4. HTTP 3xx spike

   Architecture/Application: Apache
   Description: Response status 3xx
   Index name: httpd*
   Source: Apache logs
   Rule type: any
   Rule definition:

       threshold_cur: 100
       timeframe:
         hours: 2
       spike_height: 5
       spike_type: "up"
       filter:
       - query:
           query_string:
             query: "response.status.code:3*"
       - type:
           value: "_doc"

5. HTTP 4xx spike

   Architecture/Application: Apache
   Description: Response status 4xx
   Index name: httpd*
   Source: Apache logs
   Rule type: spike
   Rule definition:

       threshold_cur: 100
       timeframe:
         hours: 2
       spike_height: 5
       spike_type: "up"
       filter:
       - query:
           query_string:
             query: "response.status.code:4*"
       - type:
           value: "_doc"

6. HTTP 5xx spike

   Architecture/Application: Apache
   Description: Response status 5xx
   Index name: httpd*
   Source: Apache logs
   Rule type: spike
   Rule definition:

       threshold_cur: 100
       timeframe:
         hours: 2
       spike_height: 5
       spike_type: "up"
       filter:
       - query:
           query_string:
             query: "response.status.code:5*"
       - type:
           value: "_doc"
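How the spike rule type used for the HTTP status rules above compares the current timeframe with the one before it, as an added illustration in plain Python (not ElastAlert's own implementation and not the project's code). The Apache events are constructed; the field name response.status.code and the parameters threshold_cur: 100, spike_height: 5 and timeframe: hours: 2 are those of the rules.

```python
from datetime import datetime, timedelta


def spike_alert(ref, cur, threshold_cur, spike_height, spike_type="up", threshold_ref=0):
    """Evaluate one (reference window, current window) pair of match counts.

    Fires when the current window holds at least threshold_cur matches (and the
    reference at least threshold_ref) and the count moved by more than spike_height
    times in the direction given by spike_type.
    """
    if cur < threshold_cur or ref < threshold_ref:
        return False
    up = cur > spike_height * ref
    down = ref > spike_height * cur
    return {"up": up, "down": down, "both": up or down}[spike_type]


def window_counts(events, match, timeframe, start):
    """Count matching events per consecutive timeframe starting at `start`."""
    counts, n, end = [], 0, start + timeframe
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        while ev["@timestamp"] >= end:  # close the window (empty windows count as 0)
            counts.append(n)
            n, end = 0, end + timeframe
        if match(ev):
            n += 1
    counts.append(n)
    return counts


def status_filter(prefix):
    """The rules' filter response.status.code:<digit>* as a prefix match."""
    return lambda ev: str(ev["response.status.code"]).startswith(prefix)


def evaluate(events, prefix, timeframe, start, threshold_cur, spike_height):
    """Slide the (reference, current) pair over the windows and report which pairs alert."""
    counts = window_counts(events, status_filter(prefix), timeframe, start)
    return [spike_alert(ref, cur, threshold_cur, spike_height) for ref, cur in zip(counts, counts[1:])]


T0 = datetime(2024, 5, 1, 0, 0, 0)
TIMEFRAME = timedelta(hours=2)  # timeframe: hours: 2 from the rules


def make(code, count, window):
    # Constructed Apache events: `count` responses with status `code` inside one window.
    return [{"@timestamp": T0 + window * TIMEFRAME + timedelta(seconds=i), "response.status.code": code}
            for i in range(count)]


EVENTS = (make(503, 20, 0) + make(503, 120, 1)        # 5xx: 20 -> 120, above threshold and more than 5x
          + make(404, 50, 0) + make(404, 150, 1)      # 4xx: 3x growth only
          + make(200, 1000, 0) + make(200, 1000, 1))  # 2xx: steady


def demo():
    return {cls: evaluate(EVENTS, cls[0], TIMEFRAME, T0, threshold_cur=100, spike_height=5)
            for cls in ("5xx", "4xx", "2xx")}


if __name__ == "__main__":
    print(demo())
```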

RedHat / CentOS system SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1. Linux - Group Change

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"added by root to group"'

2. Linux - Group Created

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"new group: "'

3. Linux - Group Removed

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"removed group: " OR message:"removed shadow group: "'

4. Linux - Interrupted Login

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"Connection closed by"'

5. Linux - Login Failure

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"Failed password for"'

6. Linux - Login Success

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"Accepted password for"'

7. Linux - Out of Memory

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"killed process"'

8. Linux - Password Change

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"password changed"'

9. Linux - Process Segfaults

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "message:segfault"

10. Linux - Process Traps

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "message:traps"

11. Linux - Service Started

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "message:Started"

12. Linux - Service Stopped

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: "message:Stopped"

13. Linux - Software Erased

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"Erased: "'

14. Linux - Software Installed

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"Installed: "'

15. Linux - Software Updated

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"Updated: "'

16. Linux - User Created

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"new user: "'

17. Linux - User Removed

   Architecture/Application: Linux
   Index name: syslog-*
   Source: Syslog
   Rule type: any
   Rule definition:

       filter:
       - query_string:
           query: 'message:"delete user"'

Checkpoint devices SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

VPN-1 & FireWall-1

Checkpoint - Drop a packet by source IP

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Frequency

query_key: "src" num_events: 10 timeframe: hours: 1 filter: - query_string: query: "action:drop" use_count_query: true doc_type: doc

2

VPN-1 & FireWall-1

Checkpoint - Reject by source IP

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Frequency

query_key: "src" num_events: 10 timeframe: hours: 1 filter: - query_string: query: "action:reject" use_count_query: true doc_type: doc

3

VPN-1 & FireWall-1

Checkpoint - User login

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Any

query_key: "user" filter: - query_string: query: 'auth_status:"Successful Login"' use_count_query: true doc_type: doc

4

VPN-1 & FireWall-1

Checkpoint - Failed Login

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Any

query_key: "user" filter: - query_string: query: 'auth_status:"Failed Login"' use_count_query: true doc_type: doc

5

VPN-1 & FireWall-1

Checkpoint - Application Block by user

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Frequency

query_key: "user" num_events: 10 timeframe: hours: 1 filter: - query_string: query: 'action:block AND product:"Application Control"' use_count_query: true doc_type: doc

6

VPN-1 & FireWall-1

Checkpoint - URL Block by user

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Frequency

query_key: "user" num_events: 10 timeframe: hours: 1 filter: - query_string: query: 'action:block AND product:"URL Filtering"' use_count_query: true doc_type: doc

7

VPN-1 & FireWall-1

Checkpoint - Block action with user

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Any

query_key: "user" filter: - query_string: query: "action:block" use_count_query: true doc_type: doc

8

VPN-1 & FireWall-1

Checkpoint - Encryption keys were created

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Any

filter: - query_string: query: "action:keyinst" use_count_query: true doc_type: doc

9

VPN-1 & FireWall-1

Checkpoint - Connection was detected by Interspect

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Any

filter: - query_string: query: "action:detect" use_count_query: true doc_type: doc

10

VPN-1 & FireWall-1

Checkpoint - Connection was subject to configured protections

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Any

filter: - query_string: query: "action:inspect" use_count_query: true doc_type: doc

11

VPN-1 & FireWall-1

Checkpoint - Connection with source IP was quarantined

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Any

query_key: "src" filter: - query_string: query: "action:quarantine" use_count_query: true doc_type: doc

12

VPN-1 & FireWall-1

Checkpoint - Malicious code in the connection with source IP was replaced

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Any

query_key: "src" filter: - query_string: query: 'action:"Replace Malicious code"' use_count_query: true doc_type: doc

13

VPN-1 & FireWall-1

Checkpoint - Connection with source IP was routed through the gateway acting as a central hub

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Any

query_key: "src" filter: - query_string: query: 'action:"VPN routing"' use_count_query: true doc_type: doc

14

VPN-1 & FireWall-1

Checkpoint - Security event with user was monitored

checkpoint*

Checkpoint devices, fw1-grabber ( https://github.com/certego/fw1-loggrabber )

Checkpoint firewall, OPSEC Log Export APIs (LEA)

Frequency

query_key: "user" num_events: 10 timeframe: hours: 1 filter: - query_string: query: "action:Monitored" use_count_query: true doc_type: doc

Cisco ESA devices SIEM rule

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Cisco ESA

ESA - Attachments exceeded the URL scan

syslog-*

Cisco ESA

any

filter: - query_string: query: 'message:"attachments exceeded the URL scan"'

2

Cisco ESA

ESA - Extraction Failure

syslog-*

Cisco ESA

any

filter: - query_string: query: 'message:"Extraction Failure"'

3

Cisco ESA

ESA - Failed to expand URL

syslog-*

Cisco ESA

any

filter: - query_string: query: 'message:"Failed to expand URL"'

4

Cisco ESA

ESA - Invalid host configured

syslog-*

Cisco ESA

any

filter: - query_string: query: 'message:"Invalid host configured"'

5

Cisco ESA

ESA - Marked unscannable due to RFC Violation

syslog-*

Cisco ESA

any

filter: - query_string: query: 'message:"was marked unscannable due to RFC Violation"'

6

Cisco ESA

ESA - Message was not scanned for Sender Domain Reputation

syslog-*

Cisco ESA

any

filter: - query_string: query: 'message:"Message was not scanned for Sender Domain Reputation"'

7

Cisco ESA

ESA - URL Reputation Rule

syslog-*

Cisco ESA

any

filter: - query_string: query: 'message:"URL Reputation Rule"'

Forcepoint devices SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Forcepoint HIGH

All high alerts

syslog-dlp*

any

alert_text_type: alert_text_only alert_text: "Forcepoint HIGH alert\n\n When: {}\n Analyzed by: {}\n User name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - user - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "Severity:HIGH"

2

Forcepoint MEDIUM

All medium alerts

syslog-dlp*

any

alert_text_type: alert_text_only alert_text: "Forcepoint MEDIUM alert\n\n When: {}\n Analyzed by: {}\n User name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - user - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "Severity:MEDIUM"

3

Forcepoint LOW

All low alerts

syslog-dlp*

any

alert_text_type: alert_text_only alert_text: "Forcepoint LOW alert\n\n When: {}\n Analyzed by: {}\n User name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - user - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "Severity:LOW"

4

Forcepoint blocked email

Email was blocked by forcepoint

syslog-dlp*

any

alert_text_type: alert_text_only alert_text: "Email blocked\n\n When: {}\n Analyzed by: {}\n File name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - File_Name - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: 'Action:Blocked AND Channel:"Endpoint Email"'

5

Forcepoint removables

Forcepoint blocked data transfer to removable device

syslog-dlp*

any

alert_text_type: alert_text_only alert_text: "Data transfer to removable device blocked\n\n When: {}\n Analyzed by: {}\n File name: {}\n Source: {}\nDestination: {}\n\n{}\n" alert_text_args: - timestamp_timezone - Analyzed_by - File_Name - Source - Destination - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: 'Action:Blocked AND Channel:"Endpoint Removable Media"'

Oracle Database Engine SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Oracle DB

Oracle - Allocate memory ORA-00090

Failed to allocate memory for cluster database

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00090"

2

Oracle DB

Oracle logon denied ORA-12317

logon to database (link name string)

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-12317"

3

Oracle DB

Oracle credential failed ORA-12638

Credential retrieval failed

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 num_events: 10 filter: - term: oracle.code: "ora-12638"

4

Oracle DB

Oracle client internal error ORA-12643

Client received internal error from server

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 num_events: 10 filter: - term: oracle.code: "ora-12643"

5

Oracle DB

ORA-00018: maximum number of sessions exceeded

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00018"

6

Oracle DB

ORA-00019: maximum number of session licenses exceeded

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00019"

7

Oracle DB

ORA-00020: maximum number of processes (string) exceeded

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00020"

8

Oracle DB

ORA-00024: logins from more than one process not allowed in single-process mode

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00024"

9

Oracle DB

ORA-00025: failed to allocate string ( out of memory )

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00025"

10

Oracle DB

ORA-00055: maximum number of DML locks exceeded

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00055"

11

Oracle DB

ORA-00057: maximum number of temporary table locks exceeded

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00057"

12

Oracle DB

ORA-00059: maximum number of DB_FILES exceeded

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00059"

13

Oracle DB

Oracle - Deadlocks ORA-00060

Deadlock detected while waiting for resource

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00060"

14

Oracle DB

ORA-00063: maximum number of log files exceeded

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00063"

15

Oracle DB

ORA-00064: object is too large to allocate on this O/S

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 filter: - term: oracle.code: "ora-00064"

16

Oracle DB

ORA-12670: Incorrect role password

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 num_events: 10 filter: - term: oracle.code: "ora-12670"

17

Oracle DB

ORA-12672: Database logon failure

oracle-*

Filebeat

Oracle Alert Log

any

timeframe: minutes: 15 num_events: 10 filter: - term: oracle.code: "ora-12672"

Paloalto devices SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Paloalto - Configuration changes failed

Config changes Failed

paloalto-*

frequency

timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: CONFIG - term: result: Failed

2

Paloalto - Flood detected

Flood detected via a Zone Protection profile

paloalto-*

frequency

timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - term: pan.subtype: flood

3

Paloalto - Scan detected

Scan detected via a Zone Protection profile

paloalto-*

frequency

timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - term: pan.subtype: scan

4

Paloalto - Spyware detected

Spyware detected via an Anti-Spyware profile

paloalto-*

frequency

timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - term: pan.subtype: spyware

5

Paloalto - Unauthorized configuration changed

Attempted unauthorized configuration changes

paloalto-*

frequency

timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: CONFIG - term: result: Unauthorized

6

Paloalto - Virus detected

Virus detected via an Antivirus profile.

paloalto-*

frequency

timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - terms: pan.subtype: [ "virus", "wildfire-virus" ]

7

Paloalto - Vulnerability exploit detected

Vulnerability exploit detected via a Vulnerability Protection profile

paloalto-*

frequency

timeframe: minutes: 15 num_events: 10 filter: - term: pan.type: THREAT - term: pan.subtype: vulnerability

Microsoft Exchange SIEM rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

MS Exchange

Exchange - Increased amount of incoming emails

exchange-*

spike

metric_agg_key: "exchange.network-message-id" metric_agg_type: "cardinality" doc_type: "_doc" max_threshold: 10 buffer_time: minutes: 1 filter: - query_string: query: "exchange.sender-address:*.company.com AND exchange.event-id:SEND AND exchange.message-subject:*" query_key: ["exchange.message-subject-agg", "exchange.sender-address"]

2

MS Exchange

Exchange - Internal sender sent email to public provider

exchange-*

whitelist

metric_agg_key: "exchange.network-message-id" metric_agg_type: "cardinality" doc_type: "_doc" max_threshold: 10 buffer_time: minutes: 1 filter: - query_string: query: "NOT exchange.sender-address:(*@company.com) AND exchange.event-id:SEND AND exchange.message-subject:* AND NOT exchange.recipient-address:public@company.com" query_key: ["exchange.message-subject-agg", "exchange.sender-address"]

3

MS Exchange

Exchange - Internal sender sent the same title to many recipients

exchange-*

metric_aggregation

filter: - query_string: query: "NOT exchange.recipient-address:public@company.com AND NOT exchange.sender-address:(*@company.com) AND exchange.event-id:SEND AND exchange.data.atch:[1 TO *] AND _exists_:exchange AND exchange.message-subject:(/.*invoice.*/ OR /.*payment.*/ OR /.*faktur.*/)" query_key: ["exchange.sender-address"]

4

MS Exchange

Exchange - Received email with banned title

exchange-*

any

threshold_ref: 5 timeframe: days: 1 spike_height: 3 spike_type: "up" alert_on_new_data: false use_count_query: true doc_type: _doc query_key: ["exchange.sender-address"] filter: - query_string: query: "NOT exchange.event-id:(DEFER OR RECEIVE OR AGENTINFO) AND _exists_:exchange"

5

MS Exchange

Exchange - The same title to many recipients

exchange-*

metric_aggregation

compare_key: "exchange.sender-address" ignore_null: true filter: - query_string: query: "NOT exchange.recipient-address:(*@company.com) AND _exists_:exchange.recipient-address AND exchange.event-id:AGENTINFO AND NOT exchange.sender-address:(bok@* OR postmaster@*) AND exchange.data.atch:[1 TO *] AND exchange.recipient-count:1 AND exchange.recipient-address:(*@gmail.com OR *@wp.pl OR *@o2.pl OR *@interia.pl OR *@op.pl OR *@onet.pl OR *@vp.pl OR *@tlen.pl OR *@onet.eu OR *@poczta.fm OR *@interia.eu OR *@hotmail.com OR *@gazeta.pl OR *@yahoo.com OR *@icloud.com OR *@outlook.com OR *@autograf.pl OR *@neostrada.pl OR *@vialex.pl OR *@go2.pl OR *@buziaczek.pl OR *@yahoo.pl OR *@post.pl OR *@wp.eu OR *@me.com OR *@yahoo.co.uk OR *@onet.com.pl OR *@tt.com.pl OR *@spoko.pl OR *@amorki.pl OR *@7dots.pl OR *@googlemail.com OR *@gmx.de OR *@upcpoczta.pl OR *@live.com OR *@piatka.pl OR *@opoczta.pl OR *@web.de OR *@protonmail.com OR *@poczta.pl OR *@hot.pl OR *@mail.ru OR *@yahoo.de OR *@gmail.pl OR *@02.pl OR *@int.pl OR *@adres.pl OR *@10g.pl OR *@ymail.com OR *@data.pl OR *@aol.com OR *@gmial.com OR *@hotmail.co.uk)" whitelist: - allowed@example.com - allowed@example2.com

Juniper Devices SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Junos-IDS

Juniper - IDS attack detection

junos*

JunOS devices with IDS module

Syslog from Juniper devices

Any

filter: - query_string: query: "_exists_:attack-name" include: - attack-name

2

Junos-IDS

Junos - RT flow session deny

junos*

JunOS devices SRX, RT Flow

Syslog from Juniper devices

Any

filter: - query_string: query: "category:RT_FLOW AND subcat:RT_FLOW_SESSION_DENY" include: - srcip - dstip

3

Junos-IDS

Junos - RT flow reassemble fail

junos*

JunOS devices SRX, RT Flow

Syslog from Juniper devices

Any

filter: - query_string: query: "category:RT_FLOW AND subcat:FLOW_REASSEMBLE_FAIL" include: - srcip - dstip

4

Junos-IDS

Junos - RT flow mcast rpf fail

junos*

JunOS devices SRX, RT Flow

Syslog from Juniper devices

Any

filter: - query_string: query: "category:RT_FLOW AND subcat:FLOW_MCAST_RPF_FAIL" include: - srcip - dstip

Fudo SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Fudo - General Error

fudo*

http://download.wheelsystems.com/documentation/fudo/4_0/online_help/en/reference/en/log_messages.html

Syslog FUDO

Any

filter: - query_string: query: "syslog_serverity:error" include: - fudo_message

2

Fudo - Failed to authenticate using password

fudo*

http://download.wheelsystems.com/documentation/fudo/4_0/online_help/en/reference/en/log_messages.html

Syslog FUDO

Any

filter: - query_string: query: "fudo_code:FSE0634" include: - fudo_user

3

Fudo - Unable to establish connection

fudo*

http://download.wheelsystems.com/documentation/fudo/4_0/online_help/en/reference/en/log_messages.html

Syslog FUDO

Any

filter: - query_string: query: "fudo_code:FSE0378" include: - fudo_connection - fudo_login

4

Fudo - Authentication timeout

fudo*

http://download.wheelsystems.com/documentation/fudo/4_0/online_help/en/reference/en/log_messages.html

Syslog FUDO

Any

filter: - query_string: query: "fudo_code:FUE0081"

Squid SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Squid

Squid - Configuration file changed

Modifying the squid.conf file

syslog-*

Audit module

syslog

any

filter: - query_string: query: 'message:"File /etc/squid/squid.conf checksum changed."'

2

Squid

Squid - Cannot open HTTP port

Cannot open HTTP Port

squid-*

squid

any

filter: - query_string: query: 'message:"Cannot open HTTP Port"'

3

Squid

Squid - Unauthorized connection

Unauthorized connection, blocked website entry

squid-*

squid

any

filter: - query_string: query: 'squid_request_status:"TCP_DENIED/403"'

4

Squid

Squid - Proxy server stopped

Service stopped

syslog-*

syslog

any

filter: - query_string: query: 'message:"Stopped Squid caching proxy."'

5

Squid

Squid - Proxy server started

Service started

syslog-*

syslog

any

filter: - query_string: query: 'message:"Started Squid caching proxy."'

6

Squid

Squid - Invalid request

Invalid request

squid-*

squid

any

filter: - query_string: query: 'squid_request_status:"error:invalid-request"'

McAfee SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

Microsoft DNS Server SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1.

WINDOWS DNS

WIN DNS - Format Error

Format error; DNS server did not understand the update request

prod-win-dns-*

any

timeframe: minutes: 15 filter: - term: dns.result: FORMERR

2.

WINDOWS DNS

WIN DNS - DNS server internal error

DNS server encountered an internal error, such as a forwarding timeout

prod-win-dns-*

any

timeframe: minutes: 15 filter: - term: dns.result: SERVFAIL

3.

WINDOWS DNS

WIN DNS - DNS refuses to perform the update

DNS server refuses to perform the update

prod-win-dns-*

any

timeframe: minutes: 15 filter: - term: dns.result: REFUSED

4.

WINDOWS DNS

WIN DNS - DNS Zone Deleted

DNS Zone delete

prod-win-dns-*

any

timeframe: minutes: 15 filter: - term: event.id: 513

5.

WINDOWS DNS

WIN DNS - DNS Record Deleted

DNS Record Delete

prod-win-dns-*

any

timeframe: minutes: 15 filter: - term: event.id: 516

6.

WINDOWS DNS

WIN DNS - DNS Node Deleted

DNS Node Delete

prod-win-dns-*

any

timeframe: minutes: 15 filter: - term: event.id: 518

7.

WINDOWS DNS

WIN DNS - DNS Remove Trust Point

DNS Remove trust point

prod-win-dns-*

any

timeframe: minutes: 15 filter: - term: event.id: 546

8.

WINDOWS DNS

WIN DNS - DNS Restart Server

Restart Server

prod-win-dns-*

any

timeframe: minutes: 15 filter: - term: event.id: 548

9.

WINDOWS DNS

WIN DNS - DNS Response failure

Response Failure

prod-win-dns-*

frequency

timeframe: minutes: 5 num_events: 20 filter: - term: event.id: 258

10.

WINDOWS DNS

WIN DNS - DNS Ignored Query

Ignored Query

prod-win-dns-*

frequency

timeframe: minutes: 5 num_events: 20 filter: - term: event.id: 259

11.

WINDOWS DNS

WIN DNS - DNS Recursive query timeout

Recursive query timeout

prod-win-dns-*

frequency

timeframe: minutes: 5 num_events: 20 filter: - term: event.id: 262

Microsoft DHCP SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Windows DHCP

MS DHCP low disk space

The log was temporarily paused due to low disk space.

prod-win-dhcp-*

any

timeframe: minutes: 15 filter: - term: dhcp.event.id: 02

2

Windows DHCP

MS DHCP lease denied

A lease was denied

prod-win-dhcp-*

frequency

timeframe: minutes: 15 num_events: 10 filter: - terms: dhcp.event.id: [ "15", "16" ] include: - dhcp.event.id - src.ip - src.mac - dhcp.event.descr summary_table_field: - src.ip - src.mac - dhcp.event.descr

3

Windows DHCP

MS DHCP update denied

DNS update failed

prod-win-dhcp-*

frequency

timeframe: minutes: 15 num_events: 50 filter: - term: dhcp.event.id: 31

4

Windows DHCP

MS DHCP Data Corruption

Detecting DHCP Jet Data Corruption

prod-win-dhcp-*

any

timeframe: minutes: 15 filter: - term: dhcp.event.id: 1014

5

Windows DHCP

MS DHCP service shutting down

The DHCP service is shutting down due to the following error

prod-win-dhcp-*

any

timeframe: minutes: 15 filter: - term: dhcp.event.id: 1008

6

Windows DHCP

MS DHCP Service Failed to restore database

The DHCP service failed to restore the database

prod-win-dhcp-*

any

timeframe: minutes: 15 filter: - term: dhcp.event.id: 1018

7

Windows DHCP

MS DHCP Service Failed to restore registry

The DHCP service failed to restore the DHCP registry configuration

prod-win-dhcp-*

any

timeframe: minutes: 15 filter: - term: dhcp.event.id: 1019

8

Windows DHCP

MS DHCP Can not find domain

The DHCP/BINL service on the local machine encountered an error while trying to find the domain of the local machine

prod-win-dhcp-*

frequency

timeframe: minutes: 15 filter: - term: dhcp.event.id: 1049

9

Windows DHCP

MS DHCP Network Failure

The DHCP/BINL service on the local machine encountered a network error

prod-win-dhcp-*

frequency

timeframe: minutes: 15 filter: - term: dhcp.event.id: 1050

10

Windows DHCP

MS DHCP - There are no IP addresses available for lease

There are no IP addresses available for lease in the scope or superscope

prod-win-dhcp-*

any

timeframe: minutes: 15 filter: - term: dhcp.event.id: 1063

Linux DHCP Server SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

DHCP Linux

DHCP Linux - Too many requests

Too many DHCP requests

syslog-*

Linux DHCP Server / Syslog

frequency

query_key: "src_mac" num_events: 30 timeframe: minutes: 1 filter: - query_string: query: "DHCPREQUEST" use_count_query: true doc_type: doc

2

DHCP Linux

DHCP Linux - IP already assigned

IP is already assigned to another client

syslog-*

Linux DHCP Server / Syslog

any

filter: - query_string: query: "DHCPNAK"

3

DHCP Linux

DHCP Linux - Discover flood

DHCP Discover flood

syslog-*

Linux DHCP Server / Syslog

frequency

query_key: "src_mac" num_events: 30 timeframe: minutes: 1 filter: - query_string: query: "DHCPDISCOVER" use_count_query: true doc_type: doc

Cisco VPN devices SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Cisco IOS - Cisco VPN Concentrator

CiscoVPN - VPN authentication failed

Jan 8 09:10:37 vpn.example.com 11504 01/08/2007 09:10:37.780 SEV=3 AUTH/5 RPT=124 192.168.0.1 Authentication rejected: Reason = Unspecified handle = 805, server = auth.example.com, user = testuser, domain = <not specified>

cisco*

any

filter: - query_string: query: 'cisco.id:("AUTH\/5" OR "AUTH\/9" OR "IKE\/167" OR "PPP\/9" OR "SSH\/33" OR "PSH\/23")'

2

Cisco IOS - Cisco VPN Concentrator

CiscoVPN - VPN authentication successful

As above.

cisco*

any

filter: - query_string: query: 'cisco.id:("IKE\/52")'

3

Cisco IOS - Cisco VPN Concentrator

CiscoVPN - VPN Admin authentication successful

As above.

cisco*

any

filter: - query_string: query: 'cisco.id:("HTTP\/47" OR "SSH\/16")'

4

Cisco IOS - Cisco VPN Concentrator

CiscoVPN - Multiple VPN authentication failures

As above.

cisco*

frequency

query_key: "src.ip" num_events: 10 timeframe: minutes: 240 filter: - query_string: query: 'cisco.id:("AUTH\/5" OR "AUTH\/9" OR "IKE\/167" OR "PPP\/9" OR "SSH\/33" OR "PSH\/23")'

5

Cisco IOS - Cisco ASA

Cisco ASA - VPN authentication failed

As above.

cisco*

any

filter: - query_string: query: 'cisco.id:"\%ASA-6-113005"'

6

Cisco IOS - Cisco ASA

Cisco ASA - VPN authentication successful

As above.

cisco*

any

filter: - query_string: query: 'cisco.id:"\%ASA-6-113004"'

7

Cisco IOS - Cisco ASA

Cisco ASA - VPN user locked out

As above.

cisco*

any

filter: - query_string: query: 'cisco.id:"\%ASA-6-113006"'

8

Cisco IOS - Cisco ASA

Cisco ASA - Multiple VPN authentication failed

As above.

cisco*

frequency

query_key: "src.ip" num_events: 10 timeframe: minutes: 240 filter: - query_string: query: 'cisco.id:"\%ASA-6-113005"'

Netflow SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

Netflow - DNS traffic abnormal

stream-*

spike

threshold_ref: 1000 spike_height: 4 spike_type: up timeframe: hours: 2 filter: - query: query_string: query: "netflow.dst.port:53" query_key: [netflow.src.ip] use_count_query: true doc_type: "doc"

2

Netflow - ICMP larger than 64b

stream-*

any

filter: - query: query_string: query: "netflow.protocol:1 AND netflow.packet_bytes:>64" query_key: "netflow.dst_addr" use_count_query: true doc_type: "doc"

3

Netflow - Port scan

stream-*

cardinality

timeframe: minutes: 5 max_cardinality: 100 query_key: [netflow.src.ip, netflow.dst.ip] cardinality_field: "netflow.dst.port" filter: - query: query_string: query: "_exists_:(netflow.dst.ip AND netflow.src.ip) NOT netflow.dst.port:(443 OR 80)" aggregation: minutes: 5 aggregation_key: netflow.src.ip

4

Netflow - SMB traffic

stream-*

any

filter: - query: query_string: query: "netflow.dst.port:(137 OR 138 OR 445 OR 139)" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"

5

Netflow - Too many req to port 161

stream-*

frequency

num_events: 60 timeframe: minutes: 1 filter: - query: query_string: query: "netflow.dst.port:161" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"

6

Netflow - Too many req to port 25

stream-*

frequency

num_events: 60 timeframe: minutes: 1 filter: - query: query_string: query: "netflow.dst.port:25" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"

7

Netflow - Too many req to port 53

stream-*

frequency

num_events: 120 timeframe: minutes: 1 filter: - query: query_string: query: "netflow.dst.port:53" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"

8

Netflow - Multiple connections from source badip

stream-*

frequency

num_events: 10 timeframe: minutes: 5 filter: - query: query_string: query: "netflow.src.badip:true" query_key: "netflow.src.ip" use_count_query: true doc_type: "doc"

9

Netflow - Multiple connections to destination badip

stream-*

frequency

num_events: 10 timeframe: minutes: 5 filter: - query: query_string: query: "netflow.dst.badip:true" query_key: "netflow.dst.ip" use_count_query: true doc_type: "doc"

MikroTik devices SIEM Rules

Nr. Architecture/Application Rule Name Description Index name Requirements Source Rule type Rule definition

1

All system errors

any

alert_text_type: alert_text_only alert_text: "System error\n\n When: {}\n Device IP: {}\n From: {}\n\n{}\n" alert_text_args: - timestamp_timezone - host - login.ip - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "topic2:error AND topic3:critical"

2

All errors connected with logins to the administrative interface of the device, e.g. wrong password or wrong login name

any

alert_text_type: alert_text_only alert_text: "Login error\n\n When: {}\n Device IP: {}\n From: {}\n by: {}\n to account: {}\n\n{}\n" alert_text_args: - timestamp_timezone - host - login.ip - login.method - user - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: 'topic2:error AND topic3:critical AND login.status:"login failure"'

3

All errors connected with wireless, e.g. the device is banned on the access list, or the device had a poor signal on the AP and was disconnected

any

alert_text_type: alert_text_only alert_text: "Wifi auth issue\n\n When: {}\n Device IP: {}\n Interface: {}\n MAC: {}\n ACL info: {}\n\n{}\n" alert_text_args: - timestamp_timezone - host - interface - wlan.mac - wlan.ACL - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: "wlan.status:reject OR wlan.action:banned"

4

Dhcp offering fail

any

alert_text_type: alert_text_only alert_text: "Dhcp offering fail\n\n When: {}\n Client lease: {}\n for MAC: {}\n to MAC: {}\n\n{}\n" alert_text_args: - timestamp_timezone - dhcp.ip - dhcp.mac - dhcp.mac2 - kibana_link use_kibana4_dashboard: "link do saved search" kibana4_start_timedelta: minutes: 5 kibana4_end_timedelta: minutes: 0 filter: - query_string: query: 'dhcp.status:"without success"'

Microsoft SQL Server SIEM Rules

Columns: Nr., Architecture/Application, Rule Name, Description, Index name, Requirements, Source, Rule type, Rule definition

1. Logon errors

   Rule type: any

   Rule definition:

     alert_text_type: alert_text_only
     alert_text: "Logon error\n\n When: {}\n Error code: {}\n Severity: {}\n\n{}\n"
     alert_text_args:
     - timestamp_timezone
     - mssql.error.code
     - mssql.error.severity
     - kibana_link
     use_kibana4_dashboard: "link do saved search"
     kibana4_start_timedelta:
       minutes: 5
     kibana4_end_timedelta:
       minutes: 0
     filter:
     - query_string:
         query: "mssql.error.code:* and mssql.error.severity:*"

2. Login failed for users

   Rule type: any

   Rule definition:

     alert_text_type: alert_text_only
     alert_text: "Login failed\n\n When: {}\n User login: {}\n Reason: {}\n Client: {}\n\n{}\n"
     alert_text_args:
     - timestamp_timezone
     - mssql.login.user
     - mssql.error.reason
     - mssql.error.client
     - kibana_link
     use_kibana4_dashboard: "link do saved search"
     kibana4_start_timedelta:
       minutes: 5
     kibana4_end_timedelta:
       minutes: 0
     filter:
     - query_string:
         query: "mssql.login.status:failed and mssql.login.user:*"

3. Server is going down

   Rule type: any

   Rule definition:

     alert_text_type: alert_text_only
     alert_text: "Server is going down\n\n When: {}\n\n{}\n"
     alert_text_args:
     - timestamp_timezone
     - kibana_link
     use_kibana4_dashboard: "link do saved search"
     kibana4_start_timedelta:
       minutes: 5
     kibana4_end_timedelta:
       minutes: 0
     filter:
     - query_string:
         query: "mssql.server.status:shutdown"

4. NET stopped

   Rule type: any

   Rule definition:

     alert_text_type: alert_text_only
     alert_text: "NET Framework runtime has been stopped.\n\n When: {}\n\n{}\n"
     alert_text_args:
     - timestamp_timezone
     - kibana_link
     use_kibana4_dashboard: "link do saved search"
     kibana4_start_timedelta:
       minutes: 5
     kibana4_end_timedelta:
       minutes: 0
     filter:
     - query_string:
         query: "mssql.net.status:stopped"

5. Database Mirroring stopped

   Rule type: any

   Rule definition:

     alert_text_type: alert_text_only
     alert_text: "Database Mirroring endpoint is in stopped state.\n\n When: {}\n\n{}\n"
     alert_text_args:
     - timestamp_timezone
     - kibana_link
     use_kibana4_dashboard: "link do saved search"
     kibana4_start_timedelta:
       minutes: 5
     kibana4_end_timedelta:
       minutes: 0
     filter:
     - query_string:
         query: "mssql.db.status:stopped"

PostgreSQL SIEM Rules

Columns: Nr., Architecture/Application, Rule Name, Description, Index name, Requirements, Source, Rule type, Rule definition

1. PostgreSQL - New user created

   Architecture/Application: PostgreSQL
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"LOG: CREATE USER"'

2. PostgreSQL - User selected database

   Architecture/Application: PostgreSQL
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"LOG: SELECT d.datname FROM pg_catalog.pg_database"'

3. PostgreSQL - User password changed

   Architecture/Application: PostgreSQL
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"ALTER USER WITH PASSWORD"'

4. PostgreSQL - Multiple authentication failures

   Architecture/Application: PostgreSQL
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: frequency

   Rule definition:

     query_key: "src_ip"
     num_events: 5
     timeframe:
       seconds: 25
     filter:
     - query_string:
         query: 'message:"FATAL: password authentication failed for user"'
     use_count_query: true
     doc_type: doc

5. PostgreSQL - Granted all privileges to user

   Architecture/Application: PostgreSQL
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"LOG: GRANT ALL PRIVILEGES ON"'

6. PostgreSQL - User displayed users table

   Architecture/Application: PostgreSQL
   Description: User displayed users table
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"LOG: SELECT r.rolname FROM pg_catalog.pg_roles"'

7. PostgreSQL - New database created

   Architecture/Application: PostgreSQL
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"LOG: CREATE DATABASE"'

8. PostgreSQL - Database shutdown

   Architecture/Application: PostgreSQL
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"LOG: database system was shut down at"'

9. PostgreSQL - New role created

   Architecture/Application: PostgreSQL
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"LOG: CREATE ROLE"'

10. PostgreSQL - User deleted

   Architecture/Application: PostgreSQL
   Index name: postgres-*
   Requirements: Filebeat, Logstash, PostgreSQL
   Source: pg_log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"LOG: DROP USER"'

MySQL SIEM Rules

Columns: Nr., Architecture/Application, Rule Name, Description, Index name, Requirements, Source, Rule type, Rule definition

1. MySQL - User created

   Architecture/Application: MySQL
   Index name: mysql-*
   Requirements: Filebeat, Logstash, MySQL
   Source: mysql-general.log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"CREATE USER"'

2. MySQL - User selected database

   Architecture/Application: MySQL
   Index name: mysql-*
   Requirements: Filebeat, Logstash, MySQL
   Source: mysql-general.log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"Query show databases"'

3. MySQL - Table dropped

   Architecture/Application: MySQL
   Index name: mysql-*
   Requirements: Filebeat, Logstash, MySQL
   Source: mysql-general.log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"Query drop table"'

4. MySQL - User password changed

   Architecture/Application: MySQL
   Index name: mysql-*
   Requirements: Filebeat, Logstash, MySQL
   Source: mysql-general.log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"UPDATE mysql.user SET Password=PASSWORD" OR message:"SET PASSWORD FOR" OR message:"ALTER USER"'

5. MySQL - Multiple authentication failures

   Architecture/Application: MySQL
   Index name: mysql-*
   Requirements: Filebeat, Logstash, MySQL
   Source: mysql-general.log
   Rule type: frequency

   Rule definition:

     query_key: "src_ip"
     num_events: 5
     timeframe:
       seconds: 25
     filter:
     - query_string:
         query: 'message:"Access denied for user"'
     use_count_query: true
     doc_type: doc

6. MySQL - All privileges to user granted

   Architecture/Application: MySQL
   Index name: mysql-*
   Requirements: Filebeat, Logstash, MySQL
   Source: mysql-general.log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"GRANT ALL PRIVILEGES ON"'

7. MySQL - User displayed users table

   Architecture/Application: MySQL
   Description: User displayed users table
   Index name: mysql-*
   Requirements: Filebeat, Logstash, MySQL
   Source: mysql-general.log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"Query select * from user"'

8. MySQL - New database created

   Architecture/Application: MySQL
   Index name: mysql-*
   Requirements: Filebeat, Logstash, MySQL
   Source: mysql-general.log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"Query create database"'

9. MySQL - New table created

   Architecture/Application: MySQL
   Index name: mysql-*
   Requirements: Filebeat, Logstash, MySQL
   Source: mysql-general.log
   Rule type: any

   Rule definition:

     filter:
     - query_string:
         query: 'message:"Query create table"'