Basic Correlation Rules are applied at the session level and alert the user to specific activities that may be occurring in their environment. NetWitness Suite applies correlation rules over a configurable sliding time window. When the conditions are met, alert metadata is created for this activity and there is a visible indicator of the suspicious activity.
The following are sample correlation rules illustrating two use cases and the syntax.
Objective: In sessions where tcp.dstport exists, if there is any combination of ip.src and ip.dst where the count of unique instances of tcp.dstport > 5 within 1 minute, then alert. To achieve this objective, create a rule as follows:
- Rule Name: IPv6 Vertical TCP Port Scan 5
- Rule: tcp.dstport exists
- Instance Key: ip.src,ip.dst
- Threshold: u_count(tcp.dstport)>5
- Time Window: 1 min
Objective: In sessions where action==login and error==fail, if there is any combination of ip.src and ip.dst that appears in more than 10 sessions within 5 minutes, then alert. To achieve this objective, create a rule as follows:
- Rule Name: IPv4 Potential Brute Force 10
- Rule: action='login' && error='fail'
- Instance Key: ip.src,ip.dst
- Threshold: count()>10
- Time window: 5 mins
Both sample rules have the same instance key: ip.src and ip.dst. Because we are looking for unique combinations of ip.src and ip.dst that match the correlation condition, ip.src and ip.dst are primary keys.
Threshold can include an associated key that identifies the meta type that we are counting to determine if the condition is satisfied. In the first example, the associated key specified in Threshold is tcp.dstport. We are counting unique instances of tcp.dstport for every ip.src/ip.dst pair. In the second example, the associated key is not specified in the Threshold because it is merely a count of sessions. It is helpful to think of this scenario as counting unique session IDs and the associated meta is implicitly session.id. We are counting unique session.id for every ip.src/ip.dst pair.
Invalid use case: In sessions where (rule), if there is any combination of ip.src and ip.dst that have a unique count of ipv6.dst > 5 within (time window), then alert. This case does not work because the associated key ipv6.dst is an IPv6 meta type. IPv4 and IPv6 meta types are not permitted to be used as associated keys.
To add or edit a correlation rule
- Select the Correlation Rules tab.
- In the Correlation Rules tab, do one of the following:
- If adding a new rule, click .
- If editing a rule, select the rule from the rules grid and click .
The Rule Editor dialog is displayed with correlation rule parameters.
- In the Rule Name field, type a name for the rule. For example, to create the sample rule, IPv6 Vertical TCP Port Scan 5.
- In the Condition field, build the rule condition that triggers an action when matched. You can type directly in the field or build the condition in this field using meta from the window actions. As you build the rule definition, syntax errors and warnings are displayed by NetWitness Suite. For example, to create the sample rule, type tcp.dstport exists. When this condition is matched, the session data action is performed.
All string literals and time stamps must be quoted. Do not quote number values and IP addresses. Configure Decoder Rules provides additional details.
- In the Threshold field, use one of the threshold parameters to specify the minimum number of occurrences required to create a correlation session and an associated key if required. The associated key cannot be an IPv4 or IPv6 meta type.
- u_count(associated_key) = the count of unique values of the specified key
- sum(associated_key) = the values of the specified key
- count = number of sessions (no associated key is specified)
- In the Instance Key field, select the target indicator to base the event upon. This can be a single key or a compound key (two primary keys, separated by a comma).
- In the Time Window, set the duration during which the threshold must be reached to create a correlation session.
- To save the rule and add it to the grid, click OK.
The rule is added at the end of the grid or inserted where you specified in the context menu. The plus sign is displayed in the Pending column.
- Check that the rule is in the correct execution sequence with other rules in the grid. If necessary, move the rule.
- To apply the updated rule set to the service, click Apply.
NetWitness Suite saves a snapshot of the currently applied rules, then applies the updated set to the Decoder or Log Decoder.