basic event correlation rules

Upload: balaji-vijayan

Post on 03-Apr-2018


  • Basic Event Correlation Rules

    7/29/2019. Copyright 2012 EMC Corporation. All rights reserved.

    Discover. Investigate. Remediate.

  • What is Event Correlation?

    Event correlation is the analysis of a mass of events, the pinpointing of the most significant ones, and the triggering of actions.

    It is generally composed of 4 steps:

    A. Event Filtering: discarding events that are irrelevant to the event correlator.

    B. Event Aggregation: merging duplicates of the same event.

    C. Event Masking: ignoring events that pertain to systems downstream of a failed system.

    D. Root Cause Analysis: analysis of the dependencies between events.

  • Nextgen/NWFL Process Flow

    Log/Packet Capture -> Network Rules -> Parse -> Meta Extraction -> Feeds -> App Rules -> Basic Event Correlation Rules -> Write Meta

  • Basic Event Correlation Rules

    name=name-string rule=app-rule key=primary-key[,primary-key] thresh=op-string(assoc-key)>value[mb|kb|gb] timewin=value[min|hr|sec]

    name-string (Rule Name): added as meta when an event occurs.

    app-rule (Rule): a valid application rule.

    primary-key (Instance Key): a valid language key (e.g. ip.src, ip.dst) with a type of IPv4, IPv6, or UInt16. If a second primary key is specified, it must be of the same type as the first.

    op-string (Threshold): one of:

    u_count - count unique values of the specified key

    sum - sum the values of the specified key

    count - number of sessions (no key string needs to be specified)

    assoc-key: a valid language key with a type of IPv4, IPv6, UInt16, UInt32, or UInt64. If a compound key (two primary keys) is specified, the assoc-key cannot be IPv4 or IPv6.

    The value for thresh is not scaled if no units are specified.

    The value for timewin defaults to seconds if no units are specified.

  • BEC Rule Implementation

    BEC rules can be applied to Decoders, Log Decoders and Concentrators.

    In NwAdministrator, you can manage BEC rules in the Adaptors and Rules section.

    In SA, you can manage them under Administration > Devices > View > Config.

  • Sample BEC Rule

    name="IPv4 Vertical TCP Port Scan 10" rule="tcp.dstport exists" order=13 thresh=u_count(tcp.dstport)>10 key=ip.src,ip.dst timewin="1 min" type=correlation

  • BEC Event Filtering

    rule=app-rule

    The rule is the filter that pinpoints the sessions of interest. It follows the same syntax and works like an App Rule.

    rule="tcp.dstport exists"

    sends every session that has the tcp.dstport meta field populated on for correlation.

  • BEC - Aggregation

    key=primary-key[,primary-key]

    key=ip.src,ip.dst

    Aggregate (group) the filtered sessions by the primary key. In this case, we are grouping the sessions by pairs of source and destination IP.

  • BEC - Analysis

    thresh=op-string(assoc-key)>value[mb|kb|gb] timewin=value[min|hr|sec]

    thresh=u_count(tcp.dstport)>10

    Analyse the grouped, filtered sessions against the associate key until the threshold is reached within the time window. Then trigger the creation of a meta session, in this case an Alert.

  • Thresholds

    For the threshold, you do not need an associate key; you can simply count the sessions that match the filter (e.g. thresh=count()>10).

    The threshold can be: sum, count and u_count (unique count).
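    As an added example (not part of the original deck or of the NetWitness product), the small Python evaluator below walks the sample rule from the Sample BEC Rule slide through the three BEC steps: filter with the app rule, aggregate by the primary key pair, then apply thresh over the associate key inside a sliding time window, with count() handled as the Thresholds slide describes. The session records, the rule dictionary and the evaluate() function are all constructed here.

```python
"""Toy evaluator for a NetWitness-style BEC rule (constructed; not the product's engine)."""
from collections import defaultdict, deque

# Constructed session meta; 'time' is seconds since capture start.
SESSIONS = (
    # one source hits 12 distinct ports on one host in 12 s: a vertical scan
    [{"time": t, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "tcp.dstport": 1000 + t}
     for t in range(12)]
    # a busy but benign pair: 15 sessions, all to port 443
    + [{"time": 5, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.9", "tcp.dstport": 443}
       for _ in range(15)]
    # no tcp.dstport meta, so the app rule "tcp.dstport exists" drops it
    + [{"time": 8, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.9", "udp.dstport": 53}]
)

# The deck's sample rule as a dict; timewin "1 min" expressed in seconds (the default unit).
PORT_SCAN = {"name": "IPv4 Vertical TCP Port Scan 10", "filter_key": "tcp.dstport",
             "key": ("ip.src", "ip.dst"), "op": "u_count", "assoc": "tcp.dstport",
             "value": 10, "timewin": 60}


def evaluate(rule, sessions):
    """Return one alert meta dict per threshold crossing, in time order."""
    window = defaultdict(deque)  # primary-key tuple -> deque of (time, assoc value)
    alerts = []
    for s in sorted(sessions, key=lambda x: x["time"]):
        if rule["filter_key"] not in s:            # step 1: filter ("<key> exists")
            continue
        group = tuple(s[k] for k in rule["key"])   # step 2: aggregate by primary key(s)
        q = window[group]
        q.append((s["time"], s.get(rule["assoc"])))
        while s["time"] - q[0][0] >= rule["timewin"]:   # expire events outside timewin
            q.popleft()
        vals = [v for _, v in q]                   # step 3: apply the op-string
        if rule["op"] == "u_count":
            score = len(set(vals))
        elif rule["op"] == "sum":
            score = sum(vals)
        else:                                      # "count": sessions only, no assoc key
            score = len(vals)
        if score > rule["value"]:
            alerts.append({"alert": rule["name"], "group": group,
                           "score": score, "time": s["time"]})
            q.clear()  # re-arm so one burst yields one alert, not one per later session
    return alerts


if __name__ == "__main__":
    for a in evaluate(PORT_SCAN, SESSIONS):
        print(a)
```

    With these sessions the u_count rule fires once, for the 10.0.0.5 -> 10.0.0.9 pair, while the 15 sessions to a single port never exceed one unique value; swapping in op "count" makes that busy pair fire too.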

  • Key Constraints

    The primary key can only be of the IPv4, IPv6 or UInt16 data types.

    You can only have 2 primary keys.

    The associate key can only be of the IPv4, IPv6, UInt16, UInt32 or UInt64 data types.

    The associate key cannot be IPv4 or IPv6 if you have a compound (two) primary key.

  • Best Practices

    Consider using meta generated by feeds and app rules rather than checking all sessions.

    Be careful: correlation rules can have an impact on capture rates and performance. Always test their impact prior to pushing them to production.

  • Questions? Comments?

    Thank You.