Indicators and Warnings

Introduction

Indicators and Warnings (I&W) are the forensic trail that is worth tracking, or important to alert on, when a SIEM is used for security operations. Below you will find a list of common situations that we as a SIEM community need to identify within the event stream. The purpose of this list is to provide a high-level checklist for event identification during product testing, and to define the official ArcSight Activate event categorization for each situation.

Indicators: Indicators are normal events that can be used to establish a baseline. Alone, they aren’t valuable or interesting. Combined, they make all the difference.

Warnings: These are abnormal events reported by the system. They are usually indicative of an attempt to cause harm or the cause of harm.

Indicators and Warnings Categories

The I&W Categories group the events from the devices to help organize and analyze what has happened.

How to Use I&W in Rules

Typically, when you start analyzing how a system behaves during a specific activity, you start with a particular I&W as listed in one of the I&W tables below. Once you have identified the single event that carries all the appropriate aggregation fields, you can start creating the rule. Once the rule is created, you will need to configure the Actions tab for that rule. The Common Categorization table is used to configure the categories that depend on the use case and on the device generating the event; the I&W tables below provide the settings for all other fields specific to a particular I&W. It is critical that we remain consistent, because the content for L2, L3 and L4 depends on the categorization defined within these tables.

A good trick to simplify development is to copy the I&W rule from another product package and make the appropriate modifications within the copied rules.
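Copying a rule between product packages is exactly where categorization drifts: a field left over from the source rule, or an aggregation field dropped by accident, silently breaks the L2/L3/L4 content that depends on it. The script below is an added example (not ArcSight Activate code) that checks a package's rules against the worksheet. The two worksheet rows are transcribed from the System Changes table on this page; the rule export format (a flat dict with "name", "iw", "aggregation" and "actions") is a hypothetical format invented for the example, not an ESM export.

```python
"""Check a rule package's Actions-tab categorization against the I&W worksheet.

Added example, not ArcSight Activate code. Worksheet rows are transcribed
from the System Changes table on this page; the rule export format is a
hypothetical flat dict per rule (not an ESM export format).
"""

# Worksheet columns the Actions tab must set for every I&W rule.
CATEGORY_COLUMNS = ("Agent Severity", "Behavior", "Custom Format", "Object",
                    "Outcome", "Significance", "Technique")

COMMON_AGG = ("Customer", "Originator", "Destination Host Info",
              "Source User Info", "Process, File Name if possible")


def row(agg, severity, behavior, custom_format, obj, outcome, significance,
        technique="", stage=""):
    """Build one worksheet row keyed by the page's own column names."""
    return {"Aggregation Fields": agg, "Agent Severity": severity,
            "Behavior": behavior, "Custom Format": custom_format,
            "Object": obj, "Outcome": outcome, "Significance": significance,
            "Technique": technique, "Event Annotation Stage": stage}


# Subset of the System Changes worksheet, transcribed from this page.
WORKSHEET = {
    "Log Deletion": row(COMMON_AGG, "High", "/Delete",
                        "/Attack Life Cycle/Activities/Concealment",
                        "/Host/Resource/File", "/Success", "/Suspicious",
                        stage="Triage"),
    "Scheduled Task": row(COMMON_AGG, "Low", "/Modify/Configuration",
                          "/Attack Life Cycle/Activities/Expand Access",
                          "/Host/Operating System", "/Success", "/Suspicious"),
}


def check_rule(rule):
    """Return the inconsistencies between one rule and its worksheet row.

    `rule` is a hypothetical export: {"name", "iw", "aggregation", "actions"},
    where "actions" maps a worksheet column name to the value set on the
    Actions tab. An empty list means the rule matches the worksheet.
    """
    ws = WORKSHEET.get(rule["iw"])
    if ws is None:
        return [f"{rule['name']}: unknown I&W '{rule['iw']}'"]
    problems = []
    for agg in ws["Aggregation Fields"]:
        if agg not in rule.get("aggregation", ()):
            problems.append(f"{rule['name']}: missing aggregation field '{agg}'")
    actions = rule.get("actions", {})
    for col in CATEGORY_COLUMNS:
        expected, actual = ws[col], actions.get(col, "")
        if actual != expected:
            problems.append(f"{rule['name']}: {col} is '{actual}', "
                            f"worksheet says '{expected}'")
    return problems


def check_package(rules):
    """Check every rule in a package; only rules with problems are reported."""
    report = {}
    for rule in rules:
        problems = check_rule(rule)
        if problems:
            report[rule["name"]] = problems
    return report


# Constructed sample package: one correct rule and one copied-and-edited rule
# whose Severity and Custom Format were left over from the rule it was copied
# from, and whose aggregation lost the Originator field.
SAMPLE_RULES = [
    {"name": "Windows - Log Deletion", "iw": "Log Deletion",
     "aggregation": COMMON_AGG,
     "actions": {"Agent Severity": "High", "Behavior": "/Delete",
                 "Custom Format": "/Attack Life Cycle/Activities/Concealment",
                 "Object": "/Host/Resource/File", "Outcome": "/Success",
                 "Significance": "/Suspicious", "Technique": ""}},
    {"name": "Windows - Scheduled Task", "iw": "Scheduled Task",
     "aggregation": ("Customer", "Destination Host Info",
                     "Source User Info", "Process, File Name if possible"),
     "actions": {"Agent Severity": "High", "Behavior": "/Modify/Configuration",
                 "Custom Format": "/Attack Life Cycle/Activities/Concealment",
                 "Object": "/Host/Operating System", "Outcome": "/Success",
                 "Significance": "/Suspicious", "Technique": ""}},
]

if __name__ == "__main__":
    for name, problems in check_package(SAMPLE_RULES).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Run against the sample package, only the copied Scheduled Task rule is reported, with three findings: the missing Originator aggregation field, the wrong Agent Severity and the wrong Custom Format. Extending WORKSHEET to the full tables on this page turns the script into a package-wide consistency gate.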

Correlation Event Categorization

All rules should be properly categorized. Please see Activate Categorization for common categorization values, and Rule Set Event Field Actions in the Activate Rules Best Practices section for more information. The Indicators and Warnings worksheet, below, gives additional categorization fields and values for specific I&Ws.

Indicators and Warnings Worksheets

In the Indicators and Warnings Aggregation Fields columns, <Destination|Source> Host Info means address, zone resource, host name, asset resource, etc. <Destination|Source> User info means user name and user ID. Don't forget to aggregate on the Originator field!

System Changes Indicators and Warnings

| I&W | Aggregation Fields | Agent Severity | Behavior | Custom Format | Object | Outcome | Significance | Technique | Event Annotation Stage |
| Software Installed | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Low | /Create | /Attack Life Cycle/Activities/Establish Persistence | /Host/Application | /Success | /Normal | | System Monitored |
| Software Uninstalled | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Low | /Delete | /Attack Life Cycle/Activities/Expand Access | /Host/Application | /Success | /Normal | | System Monitored |
| Service Installed | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Low | /Create | /Attack Life Cycle/Activities/Establish Persistence | /Host/Application/Service | /Success | /Normal | | System Monitored |
| Service Uninstalled | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Low | /Delete | /Attack Life Cycle/Activities | /Host/Application/Service | /Success | /Normal | | System Monitored |
| Log Deletion | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | High | /Delete | /Attack Life Cycle/Activities/Concealment | /Host/Resource/File | /Success | /Suspicious | | Triage |
| Essential Registry Changes | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Medium | /Modify | /Attack Life Cycle/Activities/Establish Persistence | /Host/Resource/Registry | /Success | /Suspicious | | Triage |
| Essential File Changes | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Medium | /Modify | /Attack Life Cycle/Activities/Establish Persistence | /Host/Resource/File | /Success | /Suspicious | | Triage |
| Essential Configuration Changes | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Low | /Modify/Configuration | /Attack Life Cycle/Activities/Establish Persistence | /Host/Resource/File | /Success | /Suspicious | | System Monitored |
| Policy Changes | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Low | /Modify | /Attack Life Cycle/Activities/Expand Access | /Host/Resource/Policy | /Success | /Suspicious | | System Monitored |
| OS Failed Updates | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Low | /Modify | /Attack Life Cycle/Activities | /Host/Operating System | /Failure | /Suspicious | | Triage |
| Firewall Modifications | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Medium | /Modify/Configuration | /Attack Life Cycle/Activities/Expand Access | /Host/Application/Service | /Success | /Normal | | System Monitored |
| Time Modification | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Low | /Modify | /Attack Life Cycle/Activities/Concealment | /Host/Operating System | /Success | /Suspicious | | System Monitored |
| Scheduled Task | Customer; Originator; Destination Host Info; Source User Info; Process, File Name if possible | Low | /Modify/Configuration | /Attack Life Cycle/Activities/Expand Access | /Host/Operating System | /Success | /Suspicious | | |
NOTE: We are using "Essential" instead of "Critical" because people were getting confused and thinking that these Indicators and Warnings (L1) are actually related to Situational Awareness (L2). A "Critical Host" is related to Situational Awareness, but a "Critical File," a "Critical Registry Key," or a "Critical Service" is generally only critical to the device (and to every such device, no matter what network it is deployed on). To reduce this confusion, we have replaced "Critical" with "Essential" when used in reference to Indicators and Warnings.

System Errors Indicators and Warnings

| I&W | Aggregation Fields | Agent Severity | Behavior | Custom Format | Object | Outcome | Significance | Technique | Event Annotation Stage |
| Application Changes | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Low | /Execute/Start | /Attack Life Cycle/Activities/Expand Access | /Host/Application | /Success | /Normal | | System Monitored |
| Application Stopped | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Low | /Execute/Stop | /Attack Life Cycle/Activities | /Host/Application | /Success | /Normal | | System Monitored |
| Service Started | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Low | /Execute/Start | /Attack Life Cycle/Activities/Expand Access | /Host/Application/Service | /Success | /Normal | | System Monitored |
| Service Stopped | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Low | /Execute/Stop | /Attack Life Cycle/Activities | /Host/Application/Service | /Success | /Normal | | System Monitored |
| Module Loaded | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Low | /Execute/Start | /Attack Life Cycle/Activities/Expand Access | /Host/Operating System/Module | /Success | /Normal | | System Monitored |
| Driver Loaded | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Low | /Execute/Start | /Attack Life Cycle/Activities/Expand Access | /Host/Operating System/Driver | /Success | /Normal | | System Monitored |
| Module Unloaded | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Low | /Execute/Stop | /Attack Life Cycle/Activities | /Host/Operating System/Module | /Success | /Normal | | System Monitored |
| Driver Unloaded | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Low | /Execute/Stop | /Attack Life Cycle/Activities | /Host/Operating System/Driver | /Success | /Normal | | System Monitored |
| Application Crash | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Medium | /Execute/Stop | /Attack Life Cycle/Exploit | /Host/Application | /Failure | /Suspicious | | System Monitored |
| Service Crash | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Medium | /Execute/Stop | /Attack Life Cycle/Exploit | /Host/Application/Service | /Failure | /Suspicious | | System Monitored |
| Application Whitelist Exceptions | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Medium | /Execute/Start | /Attack Life Cycle/Exploit | /Host/Application | /Attempt | /Suspicious | /Policy | Triage |
| Suspicious File Execution | Customer; Originator; Destination Host Info; Source User Info; Process Name, File Path | Medium | /Execute/Start | /Attack Life Cycle/Exploit | /Host/Application/Malware | /Success | /Suspicious | /Code | Triage |
| OS is Booting up | Customer; Originator; Destination Host Info; Host (System that is booting up) | Low | /Execute/Start | /Attack Life Cycle/Activities/Establish Persistence | /Host/Operating System | /Success | /Normal | | System Monitored |
| Unknown Process Started | Customer; Originator; Destination Host, Host; Process Name, File Path | Medium | /Execute/Start | /Attack Life Cycle/Activities/Expand Access | /Host/Operating System | /Success | /Normal | | Triage |

Entity Authentication Indicators and Warnings

| I&W | Aggregation Fields | Agent Severity | Behavior | Custom Format | Object | Outcome | Significance | Technique | Event Annotation Stage |
| User Login | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info; Device Vendor/Product; Method (if available, field changes) | Low | /Authentication/Verify | /Attack Life Cycle/Activities/Expand Access | Depends on event source | /Success | /Normal | | System Monitored |
| User Logout | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info; Device Vendor/Product; Method (if available, field changes) | Low | /Authentication/Delete | /Attack Life Cycle/Activities | Depends on event source | /Success | /Normal | | System Monitored |
| User Lockout | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info; Device Vendor/Product | Low | /Authorization/Delete | /Attack Life Cycle/Exploit | /Actor/User | /Success | /Normal | | System Monitored |
| User Locked out multiple times | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info; Source User Info; Device Vendor/Product; Method (if available, field changes) | Medium | /Authorization/Delete | /Attack Life Cycle/Exploit | /Actor/User | /Success | /Suspicious | /Brute Force/Login | Triage |
| Locked Out Account Re-enabled | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info; Source User Info; Device Vendor/Product; Method (if available, field changes) | Medium | /Authorization/Modify | /Attack Life Cycle/Activities/Expand Access | /Actor/User | /Success | /Normal | | System Monitored |
| Lockout Attempt Failed | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info; Source User Info; Device Vendor/Product; Method (if available, field changes) | Medium | /Authorization/Modify | /Attack Life Cycle/Exploit | /Actor/User | /Success | /Suspicious | | Triage |
| Account Harvesting | Customer; Originator; Source Host Info | Medium | /Authentication/Verify | /Attack Life Cycle/Recon | /Actor/User | /Failure | /Suspicious | /Brute Force/Harvesting | Triage |
| Brute Force Attempt | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info | Medium | /Authentication/Verify | /Attack Life Cycle/Activities/Expand Access | /Actor/User | /Failure | /Suspicious | /Brute Force/Login | Triage |
| Failed Login to Default Account | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info | Medium | /Authentication/Verify | /Attack Life Cycle/Recon | /Actor/User | /Failure | /Suspicious | /Brute Force/Harvesting | Triage |
| Failed Login to Expired Account | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info | Medium | /Authentication/Verify | /Attack Life Cycle/Activities/Expand Access | /Actor/User | /Failure | /Suspicious | /Brute Force/Harvesting | Triage |
| Failed Login to Disabled Account | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info | Medium | /Authentication/Verify | /Attack Life Cycle/Activities/Expand Access | /Actor/User | /Failure | /Suspicious | /Brute Force/Harvesting | Triage |
| Failed Login to Unknown Account | Customer; Originator; Source Host Info; Destination Host Info; Destination User Info | Medium | /Authentication/Verify | /Attack Life Cycle/Recon | /Actor/User | /Failure | /Suspicious | /Brute Force/Harvesting | Triage |
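The Brute Force Attempt row above is a good one to see end to end, because its aggregation fields decide what counts as "the same" attack and its Actions-tab settings decide what the resulting correlation event looks like. The following is an added example, not ArcSight ESM rule logic: a sliding-window threshold rule that groups failed logins by the row's aggregation fields and emits one correlation event carrying the row's categorization. The event field names, the sample authentication events and the threshold/window (5 failures in 2 minutes) are constructed for the example; the worksheet does not fix a threshold.

```python
"""Aggregation rule for the 'Brute Force Attempt' I&W over sample auth events.

Added example, not ArcSight ESM rule logic. It mimics what a rule does when
its aggregation settings list the worksheet's fields and its Actions tab sets
the worksheet's categorization. Field names, sample events, threshold and
window are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Aggregation fields for "Brute Force Attempt" from the Entity Authentication
# worksheet; "<Source|Destination> Host/User Info" is reduced to one key each.
AGG_FIELDS = ("customer", "originator", "source_host", "destination_host",
              "destination_user")

# Actions-tab settings for the same worksheet row.
BRUTE_FORCE_CATEGORIZATION = {
    "Agent Severity": "Medium",
    "Behavior": "/Authentication/Verify",
    "Custom Format": "/Attack Life Cycle/Activities/Expand Access",
    "Object": "/Actor/User",
    "Outcome": "/Failure",
    "Significance": "/Suspicious",
    "Technique": "/Brute Force/Login",
    "Event Annotation Stage": "Triage",
}


class BruteForceRule:
    """Sliding-window threshold rule keyed on the worksheet aggregation fields."""

    def __init__(self, threshold=5, window=timedelta(minutes=2)):
        self.threshold = threshold
        self.window = window
        self._buckets = defaultdict(deque)   # aggregation key -> timestamps

    def process(self, event):
        """Feed one base event; return a correlation event when the threshold trips."""
        # Only failed authentication attempts are in scope for this I&W.
        if event["behavior"] != "/Authentication/Verify" or event["outcome"] != "/Failure":
            return None
        key = tuple(event[f] for f in AGG_FIELDS)
        times = self._buckets[key]
        times.append(event["time"])
        # Drop timestamps that have slid out of the window.
        while times and event["time"] - times[0] > self.window:
            times.popleft()
        if len(times) < self.threshold:
            return None
        times.clear()   # one correlation event per burst, then re-arm
        return {"name": "Brute Force Attempt",
                "aggregated_count": self.threshold,
                **dict(zip(AGG_FIELDS, key)),
                **BRUTE_FORCE_CATEGORIZATION}


def run(events, threshold=5, window=timedelta(minutes=2)):
    """Replay events in time order and collect the correlation events produced."""
    rule = BruteForceRule(threshold, window)
    out = []
    for ev in sorted(events, key=lambda e: e["time"]):
        corr = rule.process(ev)
        if corr:
            out.append(corr)
    return out


_T0 = datetime(2016, 8, 10, 9, 0, 0)   # constructed timestamp base


def _login(offset_s, src, user, outcome="/Failure"):
    """Constructed sample authentication event (not a real device log)."""
    return {"time": _T0 + timedelta(seconds=offset_s), "customer": "Acme",
            "originator": "Source", "source_host": src,
            "destination_host": "srv01.acme.example", "destination_user": user,
            "behavior": "/Authentication/Verify", "outcome": outcome}


SAMPLE_EVENTS = (
    # burst: six failures against alice from one host inside a minute
    [_login(i * 10, "10.0.0.5", "alice") for i in range(6)]
    # same count spread over 15 minutes: never five inside the window
    + [_login(i * 180, "10.0.0.7", "carol") for i in range(6)]
    # a success never counts
    + [_login(5, "10.0.0.5", "alice", outcome="/Success")]
    # same user, different source host: a separate aggregation bucket
    + [_login(i * 10, "10.0.0.9", "alice") for i in range(3)]
)

if __name__ == "__main__":
    for corr in run(SAMPLE_EVENTS):
        print(corr)
```

Only the alice burst from 10.0.0.5 produces a correlation event; carol's slow failures never have five inside the window, and alice's three failures from 10.0.0.9 live in their own bucket because Source Host Info is an aggregation field. Dropping a field from AGG_FIELDS (say, the source host) merges buckets and changes what fires, which is why the worksheet fixes the aggregation fields per I&W.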

Entity Management Indicators and Warnings

| I&W | Aggregation Fields | Agent Severity | Behavior | Custom Format | Object | Outcome | Significance | Technique | Event Annotation Stage |
| User Created | Customer; Originator; Destination User Info; Source Host Info; Source User Info | Low | /Authentication/Add | /Attack Life Cycle/Activities/Expand Access | /Actor/User | /Success | /Normal | | System Monitored |
| User Enabled | Customer; Originator; Destination User Info; Source Host Info; Source User Info | Low | /Authentication/Add | /Attack Life Cycle/Activities/Expand Access | /Actor/User | /Success | /Normal | | System Monitored |
| User Delete | Customer; Originator; Destination User Info; Source Host Info; Source User Info | Low | /Authorization/Delete | /Attack Life Cycle/Activities | /Actor/User | /Success | /Normal | | System Monitored |
| User Disabled | Customer; Originator; Destination User Info; Source Host Info; Source User Info | Low | /Authorization/Delete | /Attack Life Cycle/Activities | /Actor/User | /Success | /Normal | | System Monitored |
| User Modify | Customer; Originator; Destination User Info; Source Host Info; Source User Info | Low | /Authorization/Modify | /Attack Life Cycle/Activities/Expand Access | /Actor/User | /Success | /Normal | | System Monitored |
| User Added to Group | Customer; Originator; Destination User Info; Source Host Info; Source User Info; Group Information | Low | /Authorization/Add | /Attack Life Cycle/Activities/Expand Access | /Actor/Group | /Success | /Normal | | System Monitored |
| User Removed from Group | Customer; Originator; Destination User Info; Source Host Info; Source User Info; Group Information | Low | /Authorization/Delete | /Attack Life Cycle/Activities/Concealment | /Actor/Group | /Success | /Normal | | System Monitored |
| Group Created | Customer; Originator; Destination User Info; Source Host Info; Source User Info; Group Information | Low | /Authorization/Add | /Attack Life Cycle/Activities/Expand Access | /Actor/Group | /Success | /Normal | | System Monitored |
| Group Deleted | Customer; Originator; Destination User Info; Source Host Info; Source User Info; Group Information | Low | /Authorization/Delete | /Attack Life Cycle/Activities/Concealment | /Actor/Group | /Success | /Normal | | System Monitored |
| Group Modification | Customer; Originator; Destination User Info; Source Host Info; Source User Info; Group Information | Low | /Authorization/Modify | /Attack Life Cycle/Activities/Expand Access | /Actor/Group | /Success | /Normal | | System Monitored |
| User Added to Privileged Group | Customer; Originator; Destination User Info; Source Host Info; Source User Info; Group Information | Medium | /Authorization/Add | /Attack Life Cycle/Activities/Expand Access | /Actor/User | /Success | /Normal | | Triage |

Firewall/IDS Specific Event Indicators and Warnings

| I&W | Aggregation Fields | Agent Severity | Behavior | Custom Format | Object | Outcome | Significance | Technique | Event Annotation Stage |
| Recon Traffic | Customer; Originator; Destination Host Info; Source Host Info; Signature Name/ID (only for online lookups) | Low | n/a | /Attack Life Cycle/Recon | n/a | n/a | /Suspicious | /Scan/Port | System Monitored |
| Exploit Attempts | Customer; Originator; Destination Host Info; Destination Port; Source Host Info; Signature Name/ID (only for online lookups) | Medium | | /Attack Life Cycle/Exploit | | /Attempt | /Compromise | | Triage |
| DoS Attempts | Customer; Originator; Destination Host Info; Destination Port; Source Host Info (if it cannot be spoofed); Signature Name/ID (only for online lookups) | Medium | | /Attack Life Cycle/Exploit | | /Attempt | /Compromise | | Triage |
| Privilege Escalation Attempts | Customer; Originator; Destination Host Info & Port; Source Host Info & Port; Source User Info | Medium | | /Attack Life Cycle/Exploit | | /Attempt | /Compromise | | |
| Protocol Anomalies | Customer; Originator; Destination Host Info & Port; Source Host Info & Port | Low | /Communicate | /Attack Life Cycle/Activities/C2 | | | /Suspicious | /Traffic Anomaly | System Monitored |
| High Number of Dropped Connections (FW Deny Events) | Customer; Originator; Destination Host Info & Port; Source Host Info & Port | Medium | | /Attack Life Cycle/Activities/C2 | | | /Suspicious | | System Monitored |
| Increase In Port Frequency (FW Accept Events) | Customer; Originator; Destination Host Info & Port | Low | | /Attack Life Cycle/Recon | | | /Suspicious | | Triage |
| Direct Outbound Web Traffic | Customer; Originator; Destination Host Info & Port; Source Host Info & Port | Low | /Communicate | /Attack Life Cycle/Activities/Concealment | | /Success | /Suspicious | | System Monitored |

Operating System Specific Event Indicators and Warnings

| I&W | Aggregation Fields | Agent Severity | Behavior | Custom Format | Object | Outcome | Significance | Technique | Event Annotation Stage |
| Authentication Replay Attacks | Customer; Originator; Destination Host Info & Port; Destination User Info; Source Host Info & Port; Source User Info | Medium | /Authentication/Verify | /Attack Life Cycle/Exploit | /Host/Operating System | /Attempt | /Compromise | | Triage |
| Debugging/Tracing Activity | Customer; Originator; Destination Host Info; Source User Info; Destination User Info; Process Name | Medium | /Execute | /Attack Life Cycle/Recon | /Host/Resource/Process | /Success | /Suspicious | | Triage |
| Code/Data Injection Detected by OS | Customer; Originator; Destination Host Info; Source User Info; Destination User Info; Process Name | Medium | /Execute | /Attack Life Cycle/Exploit | /Host/Resource/Process | /Attempt | /Compromise | | Triage |

Proxy Specific Event Indicators and Warnings

| I&W | Aggregation Fields | Agent Severity | Behavior | Custom Format | Object | Outcome | Significance | Technique | Event Annotation Stage |
| Malicious Domain Requests | Customer; Originator; Source Host Info & Port; Request Url, Request Url Host, category | Low | /Communicate/Query | /Attack Life Cycle/Exploit | /Host/Application | /Attempt | /Suspicious | /Exploit/Web/Client | Triage |
| Embedded Malicious Redirect | Customer; Originator; Source Host Info & Port; Request Url, Request Url Host, Request URI, URI category | Low | /Communicate/Response | /Attack Life Cycle/Exploit | /Host/Application | /Attempt | /Suspicious | /Redirection/Web | Triage |
| Content Type Delivered | Customer; Originator; Source Host Info & Port; Request Url, Request Url Host, Content Type | Low | /Communicate/Response | /Attack Life Cycle/Exploit | /Host/Application | /Attempt | /Normal | | System Monitored |
| File Delivered | Customer; Originator; Source Host Info & Port; Request Url, Request Url Host, Request URI, Request File Name | Low | /Communicate/Response | /Attack Life Cycle/Exploit | /Host/Application | /Attempt | /Normal | | System Monitored |
| High Number of Uncategorized Requests | Customer; Originator; Source Host Info & Port; Request Url, Request Url Host, category | Low | /Communicate/Query | /Attack Life Cycle/C2 | /Host/Application | /Attempt | /Suspicious | /Concern | System Monitored |
| Proxy Avoidance | Customer; Originator; Source Host Info & Port; Request Url, Request Url Host, category | Medium | /Communicate/Query | /Attack Life Cycle/C2 | /Host/Application | /Attempt | /Suspicious | /Policy | System Monitored |
| Web Service Non-Web Port | Customer; Originator; Source Host Info & Port; Request Url, Request Url Host, Request Port | Low | /Communicate/Query | /Attack Life Cycle/C2 | /Host/Application | /Attempt | /Suspicious | /Information Leak/Covert Channel | System Monitored |
| Abnormal Request Method | Customer; Originator; Source Host Info & Port; Request Url, Method | Medium | /Communicate/Query | /Attack Life Cycle/Exploit | /Host/Application | /Attempt | /Suspicious | /Exploit/Web/Client | System Monitored |
| Suspect User-Agent | Customer; Originator; Source Host Info & Port; Request Client Application | Medium | /Communicate/Query | /Attack Life Cycle/Exploit | /Host/Application | /Attempt | /Suspicious | /Code/Web/Client | Triage |
| Request with Suspect Authentication | Customer; Originator; Source Host Info & Port; Source User Info; Request URL | Medium | /Communicate/Query | /Attack Life Cycle/Exploit | /Host/Application | /Attempt | /Compromise | /Exploit/Privilege Escalation | Triage |

Anti-virus Specific Event Indicators and Warnings


| I&W | Aggregation Fields | Agent Severity | Behavior | Custom Format | Object | Outcome | Significance | Technique | Event Annotation Stage |
| Unresolved Malware on C Drive | Customer; Originator; Destination Host Info; Destination User Info; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
| Unresolved Malware on Other Drives | Customer; Originator; Destination Host Info; Destination User Info; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
| Unresolved Malware on Registry | Customer; Originator; Destination Host Info; Destination User Info; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
| Unresolved Malware in WINDOWS Directory | Customer; Originator; Destination Host Info; Destination User Info; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
| Unresolved Malware in SYSTEM32 | Customer; Originator; Destination Host Info; Destination User Info; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
| Unresolved Malware in PROGRAM FILES | Customer; Originator; Destination Host Info; Destination User Info; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
| Unresolved Malware in Browser Cache | Customer; Originator; Destination Host Info; Destination User Info; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code/Web/Client | Triage |
| Multiple Machine Detections with Unresolved Malware | Customer; Originator; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
| Multiple Unresolved Malware Detections on a Single Machine | Customer; Originator; Destination Host Info; Destination User Info; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
| Multiple Unresolved Malware Detections with Same File Name | Customer; Originator; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
| Possible Malicious Password Protected File | Customer; Originator; Destination Host Info; Destination User Info; Virus Name; File Name; File Path | Medium | /Check/Security | /Attack Life Cycle/Activities/Establish Persistence | /Vector/Malware | /Attempt | /Compromise | /Code | Triage |
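The Anti-virus rows differ almost only in which location the unresolved detection was found, and those locations nest: SYSTEM32 sits inside the WINDOWS directory, which sits on the C drive, and a browser cache under a user profile can contain a directory literally named Windows. A rule set that tests the rows in the wrong order files a SYSTEM32 detection as a plain C-drive one. The code below is an added example, not ArcSight Activate content: it routes a detection to the right row by its File Path, attaches the row's categorization (only Technique differs, for the browser-cache row), and implements the "Multiple Machine Detections" row by aggregating on Virus Name, File Name and File Path with no host field. The browser-cache directory names, the registry-path convention, the sample detections and the three-host threshold are assumptions made for this example.

```python
"""Route unresolved anti-virus detections to the Anti-virus worksheet rows.

Added example, not ArcSight Activate content. Browser-cache directory names,
the registry-path convention, the sample detections and the multi-machine
threshold are assumptions; the worksheet does not fix them.
"""
import ntpath  # Windows path handling regardless of the OS running this
from collections import defaultdict

# Shared Actions-tab values for every Anti-virus row; only Technique varies.
_AV_CATEGORIZATION = {
    "Agent Severity": "Medium", "Behavior": "/Check/Security",
    "Custom Format": "/Attack Life Cycle/Activities/Establish Persistence",
    "Object": "/Vector/Malware", "Outcome": "/Attempt",
    "Significance": "/Compromise", "Event Annotation Stage": "Triage",
}


def categorization(iw_name):
    """Actions-tab settings for one Anti-virus I&W, as the worksheet gives them."""
    technique = "/Code/Web/Client" if iw_name == "Unresolved Malware in Browser Cache" else "/Code"
    return {**_AV_CATEGORIZATION, "Technique": technique}


def classify_location(location):
    """Map a detection's File Path (or registry path) to an Anti-virus I&W name."""
    loc = location.strip().replace("/", "\\")
    upper = loc.upper()
    # Registry detections arrive as hive paths, not file paths (assumed convention).
    if upper.startswith(("HKEY_", "HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")):
        return "Unresolved Malware on Registry"
    drive, rest = ntpath.splitdrive(loc)
    rest = rest.upper()
    if drive.upper() != "C:":          # D:, UNC shares, removable media, no drive
        return "Unresolved Malware on Other Drives"
    # Most specific nested location first, anchored at the drive root so that
    # ...\AppData\Local\Microsoft\Windows\INetCache\ is not taken for C:\Windows.
    if rest.startswith("\\WINDOWS\\SYSTEM32\\"):
        return "Unresolved Malware in SYSTEM32"
    if rest.startswith("\\WINDOWS\\"):
        return "Unresolved Malware in WINDOWS Directory"
    if rest.startswith("\\PROGRAM FILES\\") or rest.startswith("\\PROGRAM FILES (X86)\\"):
        return "Unresolved Malware in PROGRAM FILES"
    if "\\INETCACHE\\" in rest or "\\CACHE\\" in rest:   # assumed browser cache dirs
        return "Unresolved Malware in Browser Cache"
    return "Unresolved Malware on C Drive"


def route(detection):
    """Turn one unresolved AV detection into a categorized correlation event."""
    iw = classify_location(detection["file_path"])
    return {"name": iw, **detection, **categorization(iw)}


def multi_machine(detections, min_hosts=3):
    """'Multiple Machine Detections with Unresolved Malware': the same Virus Name /
    File Name / File Path on at least `min_hosts` distinct hosts. The host is
    deliberately not part of the key, matching the worksheet's aggregation fields."""
    name = "Multiple Machine Detections with Unresolved Malware"
    hosts = defaultdict(set)
    for d in detections:
        hosts[(d["virus_name"], d["file_name"], d["file_path"])].add(d["destination_host"])
    return [{"name": name, "virus_name": k[0], "file_name": k[1], "file_path": k[2],
             "host_count": len(v), **categorization(name)}
            for k, v in hosts.items() if len(v) >= min_hosts]


def _det(host, file_path, virus="Trojan.Generic", user="svc"):
    """Constructed sample detection (not a real AV log line)."""
    return {"customer": "Acme", "originator": "Destination", "destination_host": host,
            "destination_user": user, "virus_name": virus,
            "file_name": ntpath.basename(file_path), "file_path": file_path}


SAMPLE_DETECTIONS = [
    _det("ws01", r"C:\Windows\System32\drivers\bad.sys"),
    _det("ws02", r"C:\Windows\Temp\bad.tmp"),
    _det("ws03", r"C:\Program Files (x86)\Vendor\bad.dll"),
    _det("ws04", r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\IE\bad.htm"),
    _det("ws05", r"D:\share\bad.exe"),
    _det("ws06", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bad"),
    _det("ws07", r"C:\Users\Public\update.exe"),
    _det("ws08", r"C:\Users\Public\update.exe"),
    _det("ws09", r"C:\Users\Public\update.exe"),
]

if __name__ == "__main__":
    for d in SAMPLE_DETECTIONS:
        print(route(d)["name"], "<-", d["file_path"])
    for corr in multi_machine(SAMPLE_DETECTIONS):
        print(corr["name"], corr["file_path"], corr["host_count"])
```

The order of the tests in classify_location is the substance: the registry check comes before any path parsing, the drive check before any directory check, and SYSTEM32 before WINDOWS. The same update.exe on three workstations is reported once by multi_machine, with the per-host rows still firing for each detection individually.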

-- PrenticeHayes - 10 Aug 2016
Topic revision: r18 - 06 Feb 2018, PrenticeHayes


 

