Hi, this is the first of a few articles I'm going to publish on different topics and the first topic we are going to discuss is about customizing the platform to get more value out of it or to achieve complex use cases.
In this post I want to share some simple application rules intended to promote a standard naming convention and approach to "tag" inbound/outbound connections as well as to name our networks.
Understanding whether a connection is going into or out of our network is key to focusing our investigations, running our reports and configuring our alerts, and applies equally to logs and packets (provided, of course, we have both source and destination IPs to work with).
Tagging our networks, on the other hand, is very important for determining which service is impacted, evaluating the risk accordingly and prioritizing our follow-up actions.
In order to use the content attached to this post, we first need to create the following custom meta keys:
- Source/Destination Network Class (net.src, net.dst): this identifies whether a session is coming from/going to an IP internal or external to our organization (e.g. intranet, extranet)
- Source/Destination Network Name (net.name.src, net.name.dst): this is to (optionally) "tag" the source/destination network with a specific name (e.g. finance, workstation, etc.)
- Source/Destination Network Environment (net.env.src, net.env.dst): this is to (optionally) "tag" the source/destination network environment with a specific name (e.g. production, test, development, etc.)
- Direction (direction): this is for tagging the connection as inbound or outbound
Then the application rules provided will populate the net.src and net.dst meta accordingly with:
- intranet (if coming/going to a RFC 1918 IP)
- extranet (if coming/going to a NOT RFC 1918 IP)
And the direction meta with:
- intranet (intranet to intranet communication)
- external (extranet to extranet communication)
- inbound (extranet to intranet communication)
- outbound (intranet to extranet communication)
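As an added illustration (not the application rules attached to this post, which are written in the platform's own rule syntax), the following Python reimplements the same classification logic so the mapping from an IP pair to net.src, net.dst and direction can be checked on sample sessions; the sample IPs are constructed.

```python
import ipaddress
from typing import Dict

# RFC 1918 private ranges. Anything outside them is "extranet" under the
# scheme described in the post, which means loopback, link-local, IPv6 and
# 100.64.0.0/10 (CGNAT) addresses all land in "extranet" too.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# (net.src, net.dst) -> direction, exactly as listed in the post.
DIRECTION = {
    ("intranet", "intranet"): "intranet",
    ("extranet", "extranet"): "external",
    ("extranet", "intranet"): "inbound",
    ("intranet", "extranet"): "outbound",
}


def net_class(ip: str) -> str:
    """Return 'intranet' for an RFC 1918 address, otherwise 'extranet'."""
    addr = ipaddress.ip_address(ip)
    # 'in' is False for an IPv6 address against an IPv4 network, so IPv6
    # falls through to 'extranet' without raising.
    return "intranet" if any(addr in net for net in RFC1918) else "extranet"


def tag_session(ip_src: str, ip_dst: str) -> Dict[str, str]:
    """Populate the three custom meta keys for one session from its IP pair."""
    net_src = net_class(ip_src)
    net_dst = net_class(ip_dst)
    return {
        "net.src": net_src,
        "net.dst": net_dst,
        "direction": DIRECTION[(net_src, net_dst)],
    }


if __name__ == "__main__":
    # Constructed sample sessions, one per direction value.
    samples = [("10.1.2.3", "192.168.5.6"), ("203.0.113.7", "10.1.2.3"),
               ("172.20.0.9", "198.51.100.1"), ("198.51.100.1", "203.0.113.7")]
    for src, dst in samples:
        print(f"{src} -> {dst}: {tag_session(src, dst)}")
```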
The meta net.name.src, net.name.dst, net.env.src and net.env.dst are not populated by the application rules, but they can optionally be populated by a custom feed.
The application rules, the custom decoder and concentrator index files, sample feeds as well as screenshots are provided in attachment.
Disclaimer: please DO NOT consider what is described and attached to this post as RSA official content. As with any other unofficial material, it has to be tested in a controlled environment first and the impacts have to be evaluated carefully before being promoted to production. Also note that the content I publish is usually intended to prove a concept rather than to be fully working in every environment. As such, handle it with care.