How to detect network scan using EQL

msszafar · March 7, 2021, 11:30pm

Hi All,

Can anyone please help me setting up a simple correlation rule using EQL that detect if same source.ip attempts more than 50 destination.ip within 15 minutes.

I'm unable to write EQL.

I've fortigate logs, my correlation rule is like

sequence by source.ip maxspan=15m
[network where event.action == "deny"]
[network where true]

I know here by source.ip means same source.ip. network is value present in the event.category field. network where true is just because there must have two sequence patterns in brackets . 2nd condition is like event.category network should exists.

How EQL will detect more than 50 destination.ip?

rw-access · March 10, 2021, 6:19am

Hi @msszafar,

It looks like you have the core idea right, that by and maxspan=15m are two ways to add your conditions to the query. Currently, there's no shorthand to say "at least 50 events" within the sequence. The only way to do that today with EQL:

sequence by source.ip with maxspan=15m
  [network where event.action == "deny"]
  [network where event.action == "deny"]
  [network where event.action == "deny"]
  [network where event.action == "deny"]
  [network where event.action == "deny"]
  // 45 more times

There are some discussions to make this syntax more expressive and succinct. But I'm not sure what/when that will be.

Alternatively, you can play around with a threshold rule which aggregates of a lot of things that look the same. It doesn't have sliding windows like EQL, but it will most likely be more performant.

Hope this helps!
Ross

msszafar · March 10, 2021, 6:23am

Sir, As per my usecase, if 1 source IP attempts more than 50 unique destination IPs within 15 minutes then it should trigger an alert.

How should I write EQL that detect if more than 50 unique destinations were accessed from same source IP within 15 minutes.

rw-access · March 10, 2021, 7:11am

Oh, more than 50 unique destinations. I'm sorry I didn't understand that part.

There's no way to do that in EQL today. I understand that there is a feature under active development for threshold rules that should be able to satisfy these conditions:

same source IP
within a 15m bucket (not sliding window, but you can emulate on with from/to parameters combined with the scheduling interval)
more than 50 unique destination addresses.

msszafar · March 10, 2021, 6:34pm

Thank you very much

system · April 7, 2021, 6:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.