TI-SIEM Rule Tuning

The SOC is unable to activate or deactivate rules due to limited rights. They have requested the rights of T2 analysts be revised. There were multiple high severity incidents detected in the last 30 days related to attacks, vulnerabilities, and unauthorized access. The SOC provided observations on specific alerts and suggestions to improve the rules and exclusions to reduce false positives. The status of addressing the requests is currently pending.

Uploaded by

Dark Storm Wolf

Date: 12/12/2022

Description: SOC is unable to activate/deactivate the rules due to limited rights, and requests that the rights of T2 analysts be revised.

Status:

Severity   Incident Title                                                                  Count in Last 30 Days
High       Traffic to ET IP List                                                           75
High       XTRN: Remote Desktop From Internet                                              29
High       DoS Attack Detected by NIPS                                                     25
High       Traffic To Bogon Networks                                                       24
High       Multiple Logon Failures: Same Src and Dst and Multiple Accounts                 13
High       SAM - Compromised Host Detected                                                 11
High       Outbound Cleartext Password from non guest network detected                     5
High       Windows Suspicious Logon Failures                                               3
High       Auto Service Stopped                                                            3
High       High Severity Outbound Permitted IPS Exploit                                    2
High       DoS Attack on Network Devices                                                   1
High       Brute-Force Host Login Success                                                  1
High       Permitted Traffic From FortiGuard Malware IP List                               1
High       Disabled Account Logon Attempts                                                 1
High       Concurrent Successful Authentication to Same account from multiple countries    1
High       Concurrent Successful Authentication to Same account from multiple cities       1
High       System Critical: DataManager event store failed                                 1
High       Multiple Logon Failures: Same Src and multiple destinations                     1
High       XTRN: VNC From Internet                                                         1

Rule Description

Traffic to ET IP List: Detects network traffic to the Emerging Threats IP list.

XTRN: Remote Desktop From Internet: Detects remote desktop from the Internet, which is defined as anything outside the Internal network. Please make sure that the Internal network definition is correct to avoid false positives. Remote desktop is detected from a Windows log or from a flow to the RDP port.

DoS Attack Detected by NIPS: Detects high severity Denial of Service attacks on a server that typically exploit a code vulnerability and cause excessive resource (CPU or memory) utilization on the server.

Traffic To Bogon Networks: Detects outbound permitted traffic to bogon networks. These are IP address spaces not yet allocated by IANA and may indicate that the source host is compromised. Note that these addresses change frequently.

Multiple Logon Failures: Same Src and Dst and Multiple Accounts: Detects the same source having excessive login failures at the same destination host, but with multiple distinct accounts used during the logon failures.

SAM - Compromised Host Detected: Detection of a compromised host.

Outbound Cleartext Password from non guest network detected: Detects outbound usage of protocols that use cleartext passwords, e.g. FTP, Telnet, POP, from a non-guest network.

Windows Suspicious Logon Failures: Detects suspicious logon failures for the following reasons: account disabled, time of day violation, forbidden logon, error during logon, account locked out.

High Severity Outbound Permitted IPS Exploit: Detects a high severity IPS exploit, detected by IPS, from internal networks permitted to an external network.

Observation and Suggestion / Current Status

Traffic to ET IP List
  Observation: All traffic is originating from the guest network, i.e. 113.29.107.8.
  Suggestion: Increase the aggregate count of matched events from 1 to 10. Exclude the guest network 113.29.107.8.
  Current Status: Pending

XTRN: Remote Desktop From Internet
  Observation: Inbound traffic from external addresses towards 192.168.128.65 is observed. USHUB Allen TX 192.168.131.1 / 192.168.128.65 DMVPN Hub Router [Public 208.35.223.133] [Critical]
  Suggestion: Only START logs are being populated in FAZ against the destination host; the SIEM rule is triggering on the FAZ logs. IT team to ensure proper logging on the destination host [Level:4]; the SIEM rule shall be tuned accordingly.
  Current Status: Pending

DoS Attack Detected by NIPS
  Observation: Multiple internal hosts carrying out vulnerability scanning activity.
  Suggestion: Need a list of whitelisted scanners to exclude from the alerts.
  Current Status: Pending

Traffic To Bogon Networks
  Observation: Sessions have been established for longer durations; however, no data exchange has been observed in any of the recently triggered alerts.
  Suggestion: 192.0.0.2 is the Skype portal. SOC has created a rule with the exclusion; however, the rule wasn't activated due to limited rights. Enerflex team has been requested to enable the user-created rule and disable the system rule. Need to verify if any other host is residing in the subnets 192.0.0.0/24 and 192.0.2.0/24. If so, SOC shall be provided the list for exclusions.
  Current Status: Pending
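The tuning suggestions recorded above (a guest-network exclusion and a higher aggregate count for the ET IP list rule, a scanner whitelist for the NIPS DoS rule, and the Skype exclusion plus subnet review for the bogon rule) written out as detection logic over constructed FortiGate-style key=value log lines, so the effect of each exclusion and threshold can be seen before the rule change is requested. This is an added example, not part of the SOC sheet and not FortiSIEM's own rule engine: the ET_IP_LIST contents, the SCANNER_WHITELIST entry, the static BOGONS list and every log line are assumptions made up for the demonstration, and 203.0.113.0/24 stands in for external addresses.

```python
import ipaddress
import re
from collections import Counter

# ---- Constructed sample log lines (FortiGate-style key=value; not real traffic) ----
SAMPLE_LOGS = """\
date=2022-12-12 time=09:00:01 type=traffic srcip=113.29.107.8 dstip=203.0.113.50 dstport=443 sentbyte=900 rcvdbyte=12000
date=2022-12-12 time=09:00:02 type=traffic srcip=113.29.107.8 dstip=203.0.113.51 dstport=443 sentbyte=700 rcvdbyte=8000
date=2022-12-12 time=09:01:00 type=traffic srcip=192.168.128.40 dstip=203.0.113.50 dstport=80 sentbyte=300 rcvdbyte=400
date=2022-12-12 time=09:05:00 type=ips srcip=192.168.128.10 dstip=192.168.128.65 attack="Web.Server.Scan" severity=high
date=2022-12-12 time=09:05:01 type=ips srcip=192.168.128.77 dstip=192.168.128.65 attack="HTTP.DoS.Flood" severity=high
date=2022-12-12 time=09:10:00 type=traffic srcip=192.168.128.40 dstip=192.0.0.2 dstport=443 sentbyte=1200 rcvdbyte=4400
date=2022-12-12 time=09:10:05 type=traffic srcip=192.168.128.41 dstip=192.0.2.77 dstport=445 sentbyte=0 rcvdbyte=0
date=2022-12-12 time=09:10:09 type=traffic srcip=192.168.128.41 dstip=0.1.2.3 dstport=445 sentbyte=0 rcvdbyte=0
""" + "".join(
    # one internal host talking to an ET-listed address ten times (constructed)
    f"date=2022-12-12 time=09:20:{i:02d} type=traffic srcip=192.168.128.90 "
    f"dstip=203.0.113.50 dstport=443 sentbyte=500 rcvdbyte=500\n"
    for i in range(10)
)

# ---- Tuning parameters: values from the sheet, plus labelled placeholders ----
ET_IP_LIST = {"203.0.113.50", "203.0.113.51"}             # stand-in for the Emerging Threats feed (assumed)
ET_AGGREGATE_THRESHOLD = 10                               # sheet: raise matched-event count from 1 to 10
GUEST_NETWORK = [ipaddress.ip_network("113.29.107.8/32")]  # sheet: guest network egress to exclude
SCANNER_WHITELIST = {"192.168.128.10"}                    # placeholder; the sheet says this list is still needed
BOGON_EXCLUSIONS = {"192.0.0.2"}                          # sheet: Skype portal, excluded by the SOC's user rule
REVIEW_SUBNETS = [ipaddress.ip_network(n) for n in ("192.0.0.0/24", "192.0.2.0/24")]  # sheet: verify other hosts here
# Static stand-in for the bogon list; the real list changes and should come from a maintained feed.
# 203.0.113.0/24 is deliberately left out so the ET and bogon rules do not overlap in this example.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "127.0.0.0/8", "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15", "240.0.0.0/4")]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_logs(text):
    """Turn key=value lines into dicts; quotes around values are stripped."""
    return [{k: v.strip('"') for k, v in KV.findall(line)}
            for line in text.splitlines() if line.strip()]


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def et_ip_alerts(events):
    """Traffic to ET IP List: drop guest-network sources, then require >= threshold matches per source."""
    counts = Counter(e["srcip"] for e in events
                     if e.get("type") == "traffic" and e["dstip"] in ET_IP_LIST
                     and not in_any(e["srcip"], GUEST_NETWORK))
    return {src: n for src, n in counts.items() if n >= ET_AGGREGATE_THRESHOLD}


def nips_dos_alerts(events):
    """DoS Attack Detected by NIPS: suppress sources on the approved scanner list."""
    return [(e["srcip"], e["attack"]) for e in events
            if e.get("type") == "ips" and e["srcip"] not in SCANNER_WHITELIST]


def bogon_alerts(events):
    """Traffic To Bogon Networks: apply the Skype exclusion, keep the bytes exchanged on each alert,
    and collect any other destinations inside the subnets the SOC asked to have verified."""
    alerts, review = [], set()
    for e in events:
        if e.get("type") != "traffic" or not in_any(e["dstip"], BOGONS):
            continue
        if e["dstip"] in BOGON_EXCLUSIONS:
            continue
        if in_any(e["dstip"], REVIEW_SUBNETS):
            review.add(e["dstip"])
        alerts.append({"srcip": e["srcip"], "dstip": e["dstip"],
                       "bytes": int(e["sentbyte"]) + int(e["rcvdbyte"])})
    return alerts, sorted(review)


def tune(text=SAMPLE_LOGS):
    """Run all three tuned rules over the log text and return what would still alert."""
    events = parse_logs(text)
    bogons, review = bogon_alerts(events)
    return {"et_ip": et_ip_alerts(events), "nips_dos": nips_dos_alerts(events),
            "bogon": bogons, "bogon_review_hosts": review}


if __name__ == "__main__":
    for rule, result in tune().items():
        print(f"{rule}: {result}")
```

Run as a script it prints the surviving alerts per rule: the guest-network source and the single-hit internal host drop out of the ET rule, the whitelisted scanner drops out of the NIPS rule, 192.0.0.2 drops out of the bogon rule, and 192.0.2.77 is both alerted on and listed for the subnet review the sheet asks for. Each bogon alert carries the byte count so the observation about long sessions with no data exchange can be checked per alert.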
