Interview Questions on

Correlation Rules (Use Cases)

What is Correlation?
Correlation is the process of identifying a suspicious activity by defining set of conditions.

Example: A user account created during non-business hours

Here there is a correlation between two (2) conditions.

• A event - User account created

• Time Condition - During non-business hours (Between 7pm and 7am)

How do you categorize correlation rules?

Different organization categorize correlation rules in different ways. Few of them are

Based on Device - Firewall based rules, AV based rules, Proxy based rules etc.

Based on Category - Malware, Access, Network, Database etc.

According to the phases of Cyber Kill Chain - Rule to detect Reconnaissance Phase or Exploit Phase etc.
What is a cross-platform correlation rule?

A correlation rule that involves at least two (2) different log source is called a cross-platform correlation rule.

Example 1: High severity IPS alert for a Vulnerable host

Here we are correlating an event from IPS plus we are using the data from the Vulnerability Assessment log
source

Example 2: Multiple RDPs after VPN access

Here we are correlating events from Firewall (for VPN access) and any server based on an authentication event.
Malware Use cases.
SI. No. Use case Description Pre-requisites Detection logic
If there is a malware detection on a server, it is
Create a List in SIEM of all Category= Malware
1 Malware detection on a Server definitely worth taking a look at irrespective of the AV �he servers Host (belongs to) Server List
action.
Category = Malware
This is when the AV detects the malware but is
2 Unhandled Malware None !Action = Delete failed OR Quarantine failed
unable to clean, delete or quarantine
or Clean Failed
Category= Malware
Indicates several users are targeted via an email or a No. of Unique host = 5
3 Same Malware on Multiple Host None
commonly used website rTime Windows = 1 hour
Malware Name is constant (group by)
Indicates either the user is trying to download or Category = Malware
Multiple Malware Infection on a copy a malicious file over and over again. OR a No. of Event = 5
4 None
Host malware is partially executed and trying to perform a [Time Window = 1 hours
activity that is being detected as malicious by AV Host should be constant (group by)
Create a List in SIEM of all
Outbound Communication to Blacklisted IPs. This is done
Log Source = Firewall
A compromised host is initiating communication to
5 Blacklisted IP OR Possible Direction = Local2Remote
its Command & Control �hrough Threat intelligence
Botnet Activity Detected Destination IP (belong to) Blacklisted IP List
integration
Log Source = DNS
Indicates the presence of Domain Generating
DNS Response = NXDOMAIN
6 Too Many DNS Lookup Failures Algorithm. DGAs are used by malware authors to None
No. of Event = 1000
avoid detections from Threat Intelligence.
Client is constant
Install an agent on the
High Resource (CPU or Memory) High resource consumption is an indication of servers that will provide
IAvg. Memory Consumption for 10 minutes>
7 90%
Utilization malware activity the resource utilization OR Avg. CPU Utilization for 1 O minutes> 90%
data
Install Sysmon to collect
process related Event = New Process Started
8 Unauthorized Process Detected A new (unknown) process is running in a server Process Name (Doesn't belong to) Authorized
information. Make a list of Processes List
all authorized processes
Use Cases on Firewall.
SI. No. Use case Description Pre-requisites Detection logic
Event Type Connection Denied
=
If an attacker is trying to connect over and over again
Too many firewall Denies for No. of Events = 300
1 and is being blocked. OR a malware is trying to None rTime Window = 5 minutes
same Source
connect to C&C and it is being denied
With Source IP constant
Event Type = VPN Authentication
2
VPN logins from Multiple Unique Geolocations = 2
A user cannot connect to VPN from 2 geo-location None
geolocations
With Username held constant
Log Source = Firewall
When a attacker tries to scan the available IPs as part Unique Destination IPs = 1 O
3 Horizontal Scan detected None rTime Window = 1 minute
of information gathering
With same Source IP
Log Source = Firewall
When a attacker tries to scan the available ports on a Unique Destination Ports = 100
4 Vertical Scan detected None r
server as part of information gathering Time Window = 1 minute
With same Source IP and Destination IP
Log Source = Firewall
Destination Port = List of Remote Access
Create a List of all Remote
Scanning on Remote Access When an attacker tries to connect to company server
V\ccess ports like 3389, 22,
Ports
5
Ports on remote access ports No. of Event = 20
21, 1433, 3306 etc. rTime Window = 30 minute
With same Destination IP
Log Source = Firewall
High Volume of connection from Countries the company doesn't do business with or if List of all countries of
6 the relationship of the country is not good with Source Country = List of Countries of
country of concern concern
home country concern
Log Source = Firewall
Outbound SMTP traffic from An infected machine might start sending spam email
Source IP!= List of Email Server
8 List of all email servers
Unauthorized Host rom inside the company. Destination Port = 25
If any client or server tries to connect to internet
directly (Usually done by users trying to do things
9 Proxy Bypass Attempt None
that are not allowed. OR it could be a malware trying
o connect to C&C
Use Cases on AD and Windows Logs.
SI. No. Use case Description Pre-requisites Detection logic

Event ID = 4720
1 Local account created User account created on server (not AD) None
Log Source ! = AD

User added/removed to admin Helps in monitoring accidental or attacker privilege Create a list of High Event ID =
2 group escalations Privileged Groups Group = List of High Privileged Groups

Event ID = 4740
3 Too many account lockouts Bruteforce is happening on several accounts None No. of Events >10
rTime Window = 1 hour

Service accounts are very sensitive as they have Event ID = 4724

4 Service Account Password Reset higher privileges and do not get locked out List of all service accounts User in List fo Service Accounts

Groups are not created very often, so it is good to Event ID = 4731, 4727 for created
5 AD Group Created/Deleted monitor group creations and deletions in AD None Event ID = 4734, 4730 for deleted

Domain Account Creation Event ID = 4720

6 Suspicious activity, Account created by Attacker None
During Non-Business Hours [Time (Not in) Monday- Friday 7am to 7pm

Event ID = 4724
7 Too many password resets Suspicious activity None No. of Event> 10
Time window = 1 hour

8 Audit Logs Cleared Attacker or a Admin is clearing the tracks None Event ID = 1102
Correlation Rules based on Cyber Kill Chain
Phase Use case
• Horizontal Scan detected
• Vertical Scan detected
Reconnaissance
• Directory Traversal (alerted by WAF)
• High Volume of connection from country of concern
Weaponization • This phase cannot be detected as it is done by the attacker at his side .
• Too many email from same domain
• Too many email with same Subject line
Delivery
• Email with multiple attachments
• Visit to malicious website
• Too many file modifications
Exploit
• Registry changes detected
• High Resource Utilization
Install
• New Process detected
• Communication to Bad reputation IP
Command & Control
• Too many DNS Lookup failures
• File modification
l\ctions on Objective • High volume of data outbound
• Critical Server Shutdown

I
How do you detect malware in the network without AV?

Behavior based malware detection.

• Outbound Communication to Blacklisted IP OR Possible Botnet Activity Detected
• Too Many DNS Lookup Failures (Indicates possible DGA running in the network)
• High Resource (CPU or Memory) Utilization
• Unauthorized Process Detected
How do you detect SQL Injection in SIEM?
We can write correlation to trigger on.
• SQLi related alert from I PS or WAF
• Unusual Username (User name with special characters used)
• Too many errors on Database
• Too many SELECT statements
• DROP command executed

These rules are typically run on Database Audit Logs

How do you detect Ransomware using SIEM?

We can write correlation to trigger on.

• Behavioral analysis for detecting user privilege escalation
• High Volume of administrator's logins.
• Monitoring of traffic parameters deviation from their baseline characteristics.
• Communication with malicious IP addresses, URLs, domains, and suspicious geographic destinations, as well as a traffic volume surge
may indicate ransomware presence in a network.
• File Modifications (if we have File Integrity Monitoring events)
Correlation Rule to detect Phishing Email.
We can write correlation to trigger on.
• Too many email from same domain
• Too many email with same Subject line
• Email from Blacklisted IP
• Email with multiple attachments
• Email blocked due to phishing link (Email gateway events)
• Communication to Bad URL