How to create a complex detection rule (indicator + correlation)?

For example, I have a list of malware domains.
I save logs from my DNS servers.
I want to create an alert when any client on my network makes a request for a malware domain name.
And with this, I need to aggregate these requests: for example, the client has made 50 requests and ELK creates only 1 alert.
Is it possible to create such a detection rule?

1 Like

Hey there :wave:

You should be able to take advantage of marking rules as building blocks to achieve what you want.

  • Create an indicator match rule which matches domain lookups from your DNS logs against your malware domain list and mark it as a building block (this will generate the alert document in the alerts index, but not create an alert in the table)
  • Create a threshold rule looking at your alerts index, with the query event.kind:signal and kibana.alert.rule.rule_id:<rule-id-of-indicator-match-rule>, and group by the domain field >= 50

This should generate one alert for you for every 50 matches against a known bad domain.

3 Likes

Can I use this "building block" on version 7.15.2?

And btw, if I have two different PCs and they try to connect to a malware website, for example, can this mark (building block) aggregate them separately?
I mean, I want to see two alerts as the result (1 for the first PC and 1 for the second).

Yep, building block has been available from very early on.

To create an alert for each individual host, in addition to adding your domain field to group by, you can also add the host, with host.id or any other host-specific UUID. Group by allows multiple fields (as of 7.12, IINM).
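The two-stage design from the building-block answer above and the per-host refinement in this reply, modelled offline in Python as an added example (this is not Elastic's code and not the rule engine itself): stage 1 plays the indicator match rule marked as a building block, stage 2 plays the threshold rule that queries the alerts index with event.kind:signal and kibana.alert.rule.rule_id. The DNS events and the malware domain list are constructed sample data, the rule id is a placeholder, and the emitted threshold alert shape (grouping terms plus count) is a simplification of the real alert document.

```python
from collections import defaultdict

# Constructed indicator list (stand-in for the threat intel index).
MALWARE_DOMAINS = {"bad.example", "evil-c2.example"}
# Placeholder for the rule_id of the building-block indicator match rule.
INDICATOR_RULE_ID = "RULE-ID-PLACEHOLDER"


def sample_dns_events():
    """Constructed DNS query logs (ECS-style field names), not real data:
    host-a resolves bad.example 50 times, host-b resolves evil-c2.example
    50 times, host-c resolves bad.example 3 times (one with odd casing and
    a trailing dot), and host-a also makes 5 benign lookups."""
    events = []

    def add(host, ip, name, n):
        events.extend({"host.id": host, "client.ip": ip, "dns.question.name": name}
                      for _ in range(n))

    add("host-a", "10.0.0.11", "bad.example", 50)
    add("host-b", "10.0.0.12", "evil-c2.example", 50)
    add("host-c", "10.0.0.13", "bad.example", 2)
    add("host-c", "10.0.0.13", "BAD.example.", 1)
    add("host-a", "10.0.0.11", "www.example.org", 5)
    return events


def normalize(domain):
    """Lower-case and drop the trailing dot so 'BAD.example.' matches 'bad.example'."""
    return domain.lower().rstrip(".")


def indicator_match(dns_events, indicators, rule_id=INDICATOR_RULE_ID):
    """Stage 1: the indicator match rule marked as a building block.
    One alert document per DNS event whose queried name is on the list.
    Source fields (host.id, client.ip) are copied onto the alert so the
    next stage can group on them."""
    alerts = []
    for ev in dns_events:
        name = normalize(ev["dns.question.name"])
        if name in indicators:
            alerts.append({
                "event.kind": "signal",
                "kibana.alert.rule.rule_id": rule_id,
                "dns.question.name": name,
                "host.id": ev["host.id"],
                "client.ip": ev["client.ip"],
            })
    return alerts


def threshold_query(rule_id):
    """The KQL query the threshold rule runs against the alerts index."""
    return f"event.kind:signal and kibana.alert.rule.rule_id:{rule_id}"


def matches_threshold_query(alert, rule_id):
    """In-memory equivalent of threshold_query(): keep only building-block
    alerts produced by the indicator match rule."""
    return (alert.get("event.kind") == "signal"
            and alert.get("kibana.alert.rule.rule_id") == rule_id)


def threshold_rule(alerts, rule_id, group_by, value):
    """Stage 2: the threshold rule. Groups the selected alerts on the
    group_by fields and emits one alert per group with count >= value.
    The returned shape (terms + count) is a simplification of the real
    threshold alert document."""
    buckets = defaultdict(int)
    for a in alerts:
        if not matches_threshold_query(a, rule_id):
            continue
        buckets[tuple(a[f] for f in group_by)] += 1
    return [{"terms": dict(zip(group_by, key)), "count": n}
            for key, n in buckets.items() if n >= value]


if __name__ == "__main__":
    building_blocks = indicator_match(sample_dns_events(), MALWARE_DOMAINS)
    print(len(building_blocks), "building-block alerts")
    print("per domain:",
          threshold_rule(building_blocks, INDICATOR_RULE_ID, ["dns.question.name"], 50))
    print("per domain and host:",
          threshold_rule(building_blocks, INDICATOR_RULE_ID, ["dns.question.name", "host.id"], 50))
```

Running it shows the difference the group-by fields make: grouping only on dns.question.name yields one alert per bad domain (bad.example reaches 53 because two hosts contribute), while grouping on dns.question.name plus host.id yields one alert for host-a and one for host-b, and host-c with only 3 lookups produces nothing.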

How can I check in the alert indices that the building blocks really were created?
Can you give an example query?

I have created test rules:
one for building blocks and one for alert creation.
The rule for alert creation uses group by user.name and a count of client.ip (all uniques).
So it looks like it works, but in the alerts I don't see the fields client.ip and geo information (I see all this information in the building blocks).

I can't group alerts by the client.ip.keyword field (btw I can use only *.keyword fields there) because the system index template .siem-signals-default maps client.ip as ip. So I get an error that client.ip must be an object, not ip, and I can't edit that mapping because it is a system index template.
