The quality of the correlation rules used by a SIEM correlation engine is a critical factor that determines its effectiveness.
For example, a correlation rule could be configured to detect repeated failed login attempts from a specific IP address within a short period. Such an event may indicate a brute force attack, and the correlation engine can automatically generate an alert for further investigation.
As a second example, suppose an employee logs into their account from a new location, attempts to access unauthorized data, and then deletes the log files to cover their tracks. Individually, none of these events may raise an alarm, but a correlation engine can detect the sequence and automatically generate an alert for further investigation.
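As an added example (not code from the page or from the SANS document it cites), here is a small stateful correlator for the failed-login pattern described above: the 2010 rules count failures per user per minute, while the 2023 wording adds a longer window and requires that no successful login occurs in between. The events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events: (timestamp, user, source IP, outcome).
# Illustrative values only, not records from any real system.
SAMPLE_EVENTS = [
    ("2023-05-01T10:00:05", "alice", "203.0.113.7", "failure"),
    ("2023-05-01T10:00:20", "alice", "203.0.113.7", "failure"),
    ("2023-05-01T10:00:40", "alice", "203.0.113.7", "success"),   # resets alice
    ("2023-05-01T10:01:00", "alice", "203.0.113.7", "failure"),
    ("2023-05-01T10:02:00", "alice", "203.0.113.7", "failure"),
    ("2023-05-01T10:05:00", "bob",   "198.51.100.9", "failure"),
    ("2023-05-01T10:30:00", "bob",   "198.51.100.9", "failure"),
    ("2023-05-01T10:55:00", "bob",   "198.51.100.9", "failure"),   # 3 in 60 min
    ("2023-05-01T09:00:00", "carol", "192.0.2.44", "failure"),     # ages out of window
    ("2023-05-01T10:30:00", "carol", "192.0.2.44", "failure"),
    ("2023-05-01T10:31:00", "carol", "192.0.2.44", "failure"),
    ("2023-05-01T10:31:30", "carol", "192.0.2.44", "failure"),     # 3 in 60 min
]


def correlate_failed_logins(events, threshold=3, window_minutes=60):
    """Stateful rule: `threshold` failed logins per user inside a sliding window
    with no successful login in between. A success clears the user's history,
    which is what separates this rule from a plain per-minute failure count.
    One alert is emitted per burst and the burst state is cleared afterwards, so
    a long-running attack does not re-alert on every further failure."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)          # user -> deque of (timestamp, source ip)
    alerts = []
    for ts_str, user, src_ip, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        recent = failures[user]
        if outcome == "success":
            recent.clear()                 # success between failures: not the pattern
            continue
        recent.append((ts, src_ip))
        while recent and ts - recent[0][0] > window:   # drop failures older than window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({
                "user": user,
                "count": len(recent),
                "first_failure": recent[0][0].isoformat(),
                "last_failure": ts.isoformat(),
                "source_ips": sorted({ip for _, ip in recent}),
            })
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_logins(SAMPLE_EVENTS):
        print(alert)
```

With the one-minute window of the 2010 rule none of the constructed users trigger, while the 60-minute window with success reset alerts on bob and carol but not on alice.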
These types of correlations have been known for decades.
The rules below are from 2010, 13 years earlier; they come from the SANS document “Successful SIEM and Log Management Strategies for Audit and Compliance”.
Alert when RDP is used to connect or attempt to connect to a single workstation
Alert when privileged user, added or non-privileged user added to a privileged user group
Alert when PowerShell is executed on a single server or workstation
Alert when an application stops & starts
Alert when local log files are cleared
Alert when 5 or more hosts trigger the same malware signature
Alert when critical system files are changed
Alert when files with executable extensions (cgi, asp, aspx, jar, php, exe, com, cmd, sh, bat) are posted to a web server (internal/DMZ address) from an external source
Alert on 10 or more failed events from a single IP Address that is not part of the known internal network.
Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute
Alert on 7 or more IDS Alerts from a single IP Address in one minute
Alert on 3 or more failed logins in one minute on a single user ID
Alert on 3 or more failed logins in a minute from a single host
Alert on 3 or more events from a single IP Address in 10 minutes
Alert when a single host sees an identifiable piece of malware
Alert when a single host connects to 100 or more unique targets in 1 minute
Alert on ANY Allowed event (i.e. Firewall Accept, Allowed Login) to an IP Address that is not part of the known network and is known to have/use malware
Over time, SIEM correlation rules have evolved to keep pace with the changing threat landscape. The early rules were relatively simple and focused on specific types of activity that were considered high risk at the time. For example, the rules from 2010 focused on detecting RDP connections, privileged user activity, PowerShell execution, and other similar events.
In 2023, SIEM correlation rules have become much more sophisticated, leveraging advanced techniques such as machine learning and behavioral analytics to detect anomalies and patterns that may indicate malicious activity. Some of the newer rules focus on detecting masquerading, abnormal authentication behavior, impossible travel, and other more complex threats.
Modern SIEM correlation engines leverage advanced analytics and machine learning algorithms to detect complex security incidents. These algorithms must be intelligent and capable of analyzing large amounts of data in real-time. Additionally, the algorithms must be trained regularly to ensure that they can identify new security threats as they emerge.
For example, a SIEM correlation engine may use machine learning algorithms to detect unusual network activity that may indicate a breach. The algorithm can learn from previous security incidents and identify patterns that may indicate an attack, such as a spike in network traffic to a specific server.
And these rules are from 2023:
Mail Masquerade Detection: Warn if an e-mail was received from an e-mail address similar to the original e-mail address, like: [email protected] and ali.veli@citibαnk.com
Masquerading Detection: Detect masquerading of system utilities, tasks, and services (T1036.003 Rename System Utilities, T1036.004 Masquerade Task or Service)
Abnormal auth behavior: the user has never authenticated to this machine before at this time
Warn if a user is doing two different jobs at the same time (successful session and failed session, VPN and local login, URL access and file access, etc.)
Abnormal auth behavior: the user has never authenticated to this machine before from this source machine
Warn if a virus is detected on a client machine and not cleaned within 24 hours
Warn if a user is doing the same job on different systems at the same time (database and local login, logging in on two servers at the same time, downloading files from the internet and running processes)
Warn if the sum of the bytes processed parameter for web server access logs suddenly becomes too high
Impossible travel detection
If a user accesses sensitive files, and at the same time, the same user has a connection to file sharing sites, then notify.
Warn if PowerShell command with base64 format and more than 100 characters appears
Ratio of web errors is greater than 5%
Warn if a user makes three failed login attempts in 60 minutes without a successful login
Warn if a server is shut down and not started within 24 hours
Look for a user whose HTTP-to-DNS protocol ratio is higher than that of 95% of the other users, using the ratio for the same day of the week (today, the 4th day of the week) over the last four weeks
The ratio of login success versus failure per user is an anomaly
Multiple logons with the same credentials at the same time from different IPs
Warn if a domain created in the last 24 hours is not in the top 1 million rankings and not in our whitelist
Warn if Shannon entropy score of a filename or process name or domain name is higher than 7.2
Hunting malware and viruses by detecting random strings
Warn if a user’s VPN stays open for more than 4 hours
Warn if a user is created and not used for 72 hours
Warn if the time between two login events of the same user is less than 1 minute
Warn if the time between two failed login events of the same user is less than 1 minute
If there is port usage which is very rare (like under 3%)
Warn if a user has visited the malicious categories on the proxy at least once a day for a week. (Bot Networks, Uncategorized, Malware, Spyware, Dynamic DNS, Encrypted Upload)
Warn if a user who has not used VPN for at least 15 days (20, 30, 40 … 265 days) has a remote interactive logon on more than one (1) workstation in a short time.
File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine.
Realizing that Paula from Marketing is signed in from a mobile device and her office PC at the same time
TeamViewer activity and the download of Notepad++ were taking place at the same time
Warn if an IP/URL blocked by the mail gateway is not blocked by the proxy.
DGA detection
If an account has not been used in at least the last 30 days (31, 40, 60, 90, 180 days, etc.), notify/lock/delete the account
Entropy to detect randomness of HTTP host value: Identify suspicious requests by reviewing queries of domains with a high level of entropy.
Calculate the randomness of PowerShell script contents that were executed.
Same source IP, message size over 300,000 bytes within 1 minute to destination port 53
New city access for the first time
VPN connection from a known anonymous proxy
Suspicious creation of new network ACL
Suspicious creation of security group
Suspicious deletion of a rule from a network ACL
Suspicious deletion of customer gateway
Abnormal number of discover requests from a client
Abnormal activity duration/session count
Abnormal number of bytes transmitted
Abnormal amount of data egressed to competitor domains compared to past behavior
Abnormal amount of data egressed to non-business domains compared to past behavior
Abnormal amount of data egressed to personal email account compared to past behavior
Abnormal amount of data egressed to removable media compared to past behavior
First time user is performing an activity from this device
First VPN connection from device for the user
High number of accounts from the same IP for authentication failures or lockout events
High number of accounts from the same IP for successful authentications or run as events
High number of accounts used on a workstation for authentication failures or lockout events
High number of accounts used on a workstation for successful authentications or run as events
High number of hosts accessed for authentication failures or lockout events
High number of hosts accessed for successful authentication events or run as events
High number of hosts accessed while enumerating critical ports
High number of redirected/blocked attempts
High number of run as activity across hosts
High number of server errors
Logon from a rare country
New host logins
New processes / Registry changes
An odd time of access (first and last access)
An odd time of email activity
An odd time of logins
Password change rates
Successful/Failed login activity rates
Upload/download deviations
Login time to this machine is abnormal
This user has not logged in during this time spot before, which is abnormal.
The number of login activities for this user within this time spot is abnormal.
It is rare for this user to use this port.
If there are more than 15,000 events from 50 unique IPs in 15 minutes, and these events fall under ten (10) unique categories, notify.
If the ratio of failed login attempts to successful login attempts in the last hour exceeds 5%, notify.
If a user’s total traffic in the last hour exceeds the 90th percentile of their total traffic usage in the last week by more than 10%, notify.
If there is an abnormality in the number of alerts generated by the IPS (intrusion prevention system) during this time window compared with historical data, notify.
If a user accesses a domain they haven’t visited in the last day (or seven (7) days, or one (1) month), notify
If the difference between a user’s total download traffic yesterday (or in the last seven (7) days or one (1) month) and their total download traffic today is more than 25%, detect it.
If a new user logs in from a source IP to a target IP, detect it.
If the hourly login failure or success authentication rate exceeds 3%, detect it.
If the hourly HTTP/DNS rate is less than 1, detect it.
Notify if a user connects to a VPN and logs in locally simultaneously.
Notify whenever a user makes three unsuccessful login attempts consecutively within 30 minutes. (Without any successful login in between)
Do not trigger an alarm if a user account is deleted within 10 minutes of creation and was never used. But send out a warning if it was used and subsequently deleted.
If the same IP address logs in first to a Linux server and then to a Windows server, and then a service is opened/closed on one of these servers, generate an alert.
If a user makes at least three unsuccessful login attempts within 10 minutes without any successful login attempts in between, generate an alert.
If there has been no login for more than 3 months, generate an alert.
Create an alert if a user is created and isn’t utilized for 72 hours.
Provide an alert if a user logs on to many workstations using remote interactive login after not using VPN for at least 15 days (20, 30, 40, or 365 days).
Notify if several requests with requestMethod=POST are sent to multiple destination IP addresses within 5 minutes, and the port is higher than 1024, is not a well-known proxy target port, and has not been used for at least the last 30 days (20, 30, 40, or 365 days).
If a machine or user who has been silent for at least 30 days (40 days, 60 days, 90 days, 365 days) is seen on the network again, shut down the machine and disable the user.
Notify when a user logs into multiple workstations at the same time
Alert when a user accesses a sensitive file or folder that they have not accessed before
Notify when a user changes their password multiple times within a short period of time
Notify when a user attempts to access a restricted website or service
Notify when a user attempts to access a network resource from an unauthorized location or device
Alert when a file with a known malware signature is detected on a workstation or server
Notify when a user attempts to install software on their workstation without proper permissions
Notify when a user attempts to bypass security measures, such as disabling antivirus software or accessing a blocked website using a proxy server.
Abnormal number of files being created or modified by a user
Abnormal number of failed logins from a particular IP address
Abnormal amount of network traffic from a particular IP address or subnet
Abnormal activity during non-business hours
Abnormal activity in user accounts that have been inactive for a long time
Abnormal activity on a user account that has been recently created
Abnormal use of USB devices on a system
Abnormal access patterns to sensitive data by a user
Abnormal use of PowerShell commands or scripts
Abnormal use of batch files or command line tools
Abnormal use of remote access tools like RDP or SSH
Abnormal use of mobile devices to access sensitive data or systems
Abnormal use of web proxies or VPN services on a network
Abnormal use of social media or file sharing services on a network
Abnormal use of encryption tools like TrueCrypt or VeraCrypt
Abnormal use of network protocols like SMB or FTP
Abnormal use of file types or extensions not commonly used on a network
Abnormal use of remote file transfer tools like SCP or SFTP
Notify if a user downloads a large amount of data in a short period of time.
Alert if a user tries to log in with a username or password that is known to be compromised.
Notify if a user tries to access a resource they do not have permissions for, or if they try to escalate their privileges without authorization.
Detect if a file or folder is being accessed or modified by an unauthorized user or process.
Notify if a user is accessing a sensitive resource without using multi-factor authentication.
Alert if a user attempts to execute a script or program that is known to be malicious.
Detect if a device is connected to the network that is not authorized, or if a device is exhibiting unusual behavior.
Notify if a user attempts to install unauthorized software on their device or on the network.
Detect and notify multiple login attempts from different locations at the same time, which could indicate a brute-force attack on a user’s account.
Monitor and alert network traffic for multiple connections from the same IP address at the same time, which could indicate a potential denial-of-service (DoS) attack.
Identify and notify multiple instances of the same user account being active at the same time, which could indicate an account compromise or unauthorized access.
Alert when a user attempts to access sensitive data or systems from multiple locations at the same time, which could indicate a potential data breach or insider threat.
Monitor and alert access logs for multiple failed login attempts from the same user at the same time, which could indicate an attempted password-guessing attack.
Alert when a user is logged in from multiple geographic locations simultaneously, indicating a possible account compromise or unauthorized access.
Monitor and alert for multiple login attempts from the same IP address within a short period, which could indicate a brute-force attack.
Detect and alert when multiple users are accessing the same sensitive file or database at the same time, indicating a potential breach of access controls.
Identify and alert when a user is logged in from both a corporate network and a public Wi-Fi network at the same time, which could indicate a potential security risk.
Notify when a user attempts to access multiple restricted resources simultaneously, suggesting an attempt to escalate privileges or bypass security controls.
Alert when a user is accessing a critical system from multiple devices at the same time, suggesting a possible account compromise or data exfiltration.
Detect and alert when multiple users are attempting to access a single resource at the same time, indicating a potential denial-of-service attack.
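Several of the 2023 rules above rely on string randomness (the Shannon entropy threshold for file, process and domain names, the HTTP host entropy check, DGA detection, and the randomness of executed PowerShell contents). As an added example, not code from the page or any product it mentions, this Python function scores the registrable label of each domain in a constructed sample. Bits-per-character Shannon entropy is bounded by log2 of the number of distinct characters (about 5.17 for letters plus digits), so a fixed threshold such as the 7.2 quoted above only applies on the scale the originating tool uses; the threshold here is an assumption chosen for the sample.

```python
import math
from collections import Counter

# Constructed sample of observed domain names (illustrative only, not real telemetry).
SAMPLE_DOMAINS = [
    "mail.google.com",
    "update.microsoft.com",
    "cdn.cloudflare.com",
    "xk3j9q2mz7vb4ptw.com",        # DGA-like label, 16 distinct characters
    "a1b2c3d4e5f6g7h8i9.net",      # DGA-like label, 18 distinct characters
]


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character: -sum(p * log2 p) over
    the character frequencies. Bounded by log2(distinct characters), so short
    strings score low regardless of how random they look; the same function
    applies to process names or script contents as to domain labels."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def second_level_label(domain: str) -> str:
    """Return the label directly left of the TLD ('google' for mail.google.com).
    Hostname prefixes and the TLD are dropped so that long but legitimate
    hostnames do not inflate the score. A public-suffix list would be needed
    to handle domains such as example.co.uk correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def flag_high_entropy(domains, threshold: float):
    """Rule: warn if the entropy of a domain's registrable label exceeds
    `threshold`. Returns (domain, entropy) pairs in input order."""
    flagged = []
    for domain in domains:
        score = shannon_entropy(second_level_label(domain))
        if score > threshold:
            flagged.append((domain, round(score, 3)))
    return flagged


if __name__ == "__main__":
    # 3.5 bits/char is an assumed threshold for this sample, not a page value.
    for domain, score in flag_high_entropy(SAMPLE_DOMAINS, threshold=3.5):
        print(f"{domain}: {score} bits/char")
```

In practice the threshold is calibrated against a baseline of the organisation's own known-good domains, and a whitelist (as the domain-age rule above also uses) keeps legitimate CDN hostnames out of the alerts.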