
Alerting Guide



1.1 Alerting Mode

CyberQuest’s alerting feature is fully adaptable and can be set up and edited by the end user. The event that triggers an alert is user-defined, so an alert can respond to precisely the conditions of interest, which improves accuracy and keeps false alerts to a minimum. Alerts are managed from the Settings menu by selecting the “Real Time alerts management” tab.

Pic.2.11.1: Navigating to alerts tab

In this tab, users can add, edit and delete alerts:

  • To add an alert, click the “Create new alert definition” button in the Actions menu.

Pic.2.11.2: Creating a new alert

  • Each alert’s name, description and creation date are shown in the alerts management tab; an individual alert can be edited by pressing its edit button or deleted by pressing its delete button.

  • Pressing the “Edit” button opens an “Edit Alert” window, where the alert can either be edited as a standalone alert or composed with one or more other alerts to apply additional filters as needed. This is one of the two ways an alert can be set up.

Pic.2.11.4: Editing alerts

1.1.1 Configuring real time alerts examples

1.1.2 Alert Templates

Logon alert example

This scenario sets up an alert for a specific user that fires on two failed logons within a 60-second time interval.

Step 1. Access Settings mode by pressing the “Real Time alerts management” icon:

Pic.2.11.2.1: Reports icon

Step 2. To add the new alert, click the “Create new alert definition” button in the ALERTS menu:

  • The user now creates the alert for “Default - Audit policy change” by completing the following fields:

Pic.2.11.2.2: Selecting the desired report
Setting Description

Alert Name: the name of the alert.
ALERT ACTIVE: a switch for the alert state (on / off).
Time Frame TTL (sec.): the time to live, in seconds, of the alert’s time frame: the events that a rule combines must all occur within this window (60 seconds in this scenario).
Alert Security Score: a numeric score, adjustable per alert, used to rank the most important alerts first.
Alert Security Level: the alert’s security level.
Send as Alert: whether a match is raised as an alert.
Has Script Rule: if selected, a script rule can be attached; the script is edited under “Edit Script” below.
Edit Script: where the script is entered.
Send via Email: the email address(es) that receive the alert notification.

  • Rules: here the alert rules are added.

Rule Conditions:

Setting Description

Description: free-text information about the rule.
Add field condition: pressing this button shows the following fields:
NOT checkbox: negates the condition (on / off).
scrollview 1: the first drop-down, where the event field to test is selected.
scrollview 2: the second drop-down, where the comparison operator linking scrollview 1 and label 1 is selected.
label 1: the value that the field chosen in scrollview 1 is compared against.
Delete: deletes the condition.
Add report conditions: with this button a report is selected from the list of reports and turned into an alert.

Pic.2.11.2.3: Added alert message

Pic.2.11.2.4: Add New Alert – Audit policy change

Step 3. The alert can be set up to send an email or an SMS when it occurs; alternatively, the alerts are shown in the Alerts tab of the top menu:

Pic.2.11.2.5: Alerts tab

The alerts are displayed like regular events. In this example, the alert was set up to trigger on EventID 4670 (the event ID matched by the “Default - Audit policy change” definition). Because the rule joins two occurrences of the same event type, a single alert is triggered: it fires when a second event with EventID 4670 arrives inside the time frame (this was set up in the “join rules” part when composing the alert). The results are the following:

Pic.2.11.2.6: Alerts
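As an added example that is not part of CyberQuest’s own code: the evaluation a real-time rule performs for the scenario in this section (“two failed logons for a specific user within a 60-second time frame”), written in JavaScript. The rule is expressed as the same field conditions the Rule Conditions form takes (field, operator, value, NOT) plus a Time Frame TTL, and a small correlator joins matching events per user inside that window. The condition set, the use of Windows event ID 4625 for a failed logon, the user name and the sample events are assumptions made for the illustration; the product’s own evaluation engine is not shown on this page.

```javascript
// Added example (not CyberQuest code): field conditions + Time Frame TTL evaluated over
// constructed events. EventID here carries the Windows event ID, as in the 4670 example.

// Operators offered by the condition form are assumed to include these three.
const OPERATORS = {
  equals: (actual, expected) => actual === expected,
  contains: (actual, expected) => actual.includes(expected),
  startswith: (actual, expected) => actual.startsWith(expected),
};

// Rule as entered in the form: every condition must hold; "not" negates a condition.
const FAILED_LOGON_RULE = {
  name: 'Two failed logons for j.doe within 60 s',
  ttlSec: 60,            // Time Frame TTL (sec.)
  requiredMatches: 2,    // how many matching events the join needs
  conditions: [
    { field: 'EventID',  op: 'equals', value: '4625',       not: false }, // failed logon
    { field: 'UserName', op: 'equals', value: 'j.doe',      not: false }, // the specific user
    { field: 'SrcIP',    op: 'equals', value: '10.10.10.1', not: true  }, // NOT from the jump host
  ],
};

function matchesRule(rule, event) {
  return rule.conditions.every((c) => {
    const actual = String(event[c.field] ?? '');
    const hit = OPERATORS[c.op](actual, c.value);
    return c.not ? !hit : hit;
  });
}

// LocalTime is "yyyy-mm-dd hh:mm:ss.fff" (CyberQuest event format); treated as UTC here.
function toMillis(localTime) {
  return Date.parse(localTime.replace(' ', 'T') + 'Z');
}

// Sliding-window join: keep, per user, the matching events still inside the TTL;
// fire when requiredMatches of them are present, then start a fresh window.
function evaluateRealtime(rule, events) {
  const pending = new Map(); // UserName -> [{ t, ev }] inside the window
  const alerts = [];
  for (const ev of events) {
    if (!matchesRule(rule, ev)) continue;
    const t = toMillis(ev.LocalTime);
    const inWindow = (pending.get(ev.UserName) || [])
      .filter((e) => t - e.t < rule.ttlSec * 1000);
    inWindow.push({ t, ev });
    if (inWindow.length >= rule.requiredMatches) {
      alerts.push({ name: rule.name, UserName: ev.UserName, events: inWindow.map((e) => e.ev) });
      pending.set(ev.UserName, []);
    } else {
      pending.set(ev.UserName, inWindow);
    }
  }
  return alerts;
}

// Constructed sample: one pair of failures 50 s apart (fires), one pair 90 s apart
// (does not fire at TTL 60), a success, another user, and one event excluded by NOT.
function sampleEvents() {
  const ev = (time, id, user, ip) => ({
    EventID: id, LocalTime: time, UserName: user, UserDomain: 'Demo',
    SrcIP: ip, Computer: 'A-PC.Demo.local', Category: 'Logon',
  });
  return [
    ev('2024-03-01 10:00:00.000', '4625', 'j.doe',   '10.10.10.10'),
    ev('2024-03-01 10:00:30.000', '4624', 'j.doe',   '10.10.10.10'), // success: no match
    ev('2024-03-01 10:00:45.000', '4625', 'a.smith', '10.10.10.20'), // other user
    ev('2024-03-01 10:00:50.000', '4625', 'j.doe',   '10.10.10.10'), // 2nd failure in 50 s
    ev('2024-03-01 10:03:00.000', '4625', 'j.doe',   '10.10.10.10'),
    ev('2024-03-01 10:04:30.000', '4625', 'j.doe',   '10.10.10.10'), // 90 s later: outside TTL
    ev('2024-03-01 10:04:40.000', '4625', 'j.doe',   '10.10.10.1'),  // excluded by NOT
  ];
}
```

Running `evaluateRealtime(FAILED_LOGON_RULE, sampleEvents())` yields one alert carrying the two failures 50 seconds apart; the later pair, 90 seconds apart, only fires if the TTL is widened to 120 seconds, which is the practical effect of the Time Frame TTL setting.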

1.1.3 Configuring summary alerts examples

Logon alert example

The alerting scenario is: notify the security office if a user accesses Facebook more than 50 times a day.

Step 1. Create the report that carries the alert definition, i.e. a report that shows all events matching the necessary filters, in this case events referring to the Facebook website. Once executed, this custom report finds every event containing the word “Facebook” together with the relevant information (IP address, date, time etc.). The necessary actions are:

  • Click the “Reports” button. Common practice is to create a new folder for this and any following custom reports, so click “New Folder” in the reports tree at the top left. A popup prompts for the new folder name; in this case the name is “Custom”. Click “Save”.

Pic.2.11.3.1: Create a New Folder in Reports Tab

  • Select this new folder and create a new report by clicking the “New Report” button.

Pic.2.11.3.2: New Folder in Reports Tab

1.1.4 Alert Templates

To create a new alert template, navigate to either alert management page (summary or real time) from the Settings -> Alerts menu.

Click “New alert template”. This opens an alert template form window.

Real-time alert templates:

Summary alert templates:

In Settings -> Alerts -> Summary alerts management -> New Registered Summary Alert

The possible keywords are:

Keyword Description

%AlertGeneratedTime%: the creation time of the alert
%SummaryOnLevelX%: the field that was selected for the summary on level X
%SummaryOnLevelXMatch%: the value of that field matched on level X (if the summary type is avg or sum, the last level has no match; use SummaryValue instead)
SummaryType: the summary type of the alert
SummaryValue: the summary value (for avg and sum types)
Threshold: the alert’s defined threshold
TimeIntervalBack: the time interval covered by the summary
NumberOfEvents: the number of events included in the alert
EventAnalysisSection: count of events per time interval
First100EventsSection: list of events (the first 100, including the fields selected below)
AlertActionsSection: section with actions for the alert (view, acknowledge, false positive, delete)
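As an added example, not code from CyberQuest: the counting a summary alert performs for the scenario in 1.1.3 (“a user accesses Facebook more than 50 times a day”), run over constructed events, with the result keyed by the template keywords listed above so the link between the summary and the template fields is visible. Field names follow the CyberQuest event format (UserName, LocalTime, SrcIP, Description); the report filter “Description contains Facebook”, the sample events and the per-day grouping are assumptions made for the illustration.

```javascript
// Added example (not CyberQuest code): summary-on-UserName count per day with a threshold,
// over constructed proxy-style events in the CyberQuest event format.

const DEFAULT_THRESHOLD = 50;

// Report filter: the event mentions Facebook anywhere in its description.
function matchesFacebook(event) {
  return /facebook/i.test(event.Description || '');
}

// Summary on level 1 = UserName, per calendar day; fire when count > threshold.
function summarizeFacebookAccess(events, threshold = DEFAULT_THRESHOLD) {
  const groups = new Map(); // "day|user" -> matching events
  for (const ev of events) {
    if (!matchesFacebook(ev)) continue;
    const day = ev.LocalTime.slice(0, 10); // "yyyy-mm-dd" prefix of LocalTime
    const key = `${day}|${ev.UserName}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(ev);
  }
  const alerts = [];
  for (const [key, group] of groups) {
    if (group.length <= threshold) continue; // "more than 50" is strict
    const [day, user] = key.split('|');
    alerts.push({
      // names mirror the summary template keywords
      SummaryType: 'count',
      SummaryOnLevel1: 'UserName',
      SummaryOnLevel1Match: user,
      Threshold: threshold,
      TimeIntervalBack: `1 day (${day})`,
      NumberOfEvents: group.length,
      First100EventsSection: group.slice(0, 100)
        .map((e) => ({ LocalTime: e.LocalTime, SrcIP: e.SrcIP })),
    });
  }
  return alerts;
}

// Constructed sample: j.doe reaches facebook.com 51 times on 2024-03-01, a.smith 3 times,
// j.doe once more the next day, plus unrelated traffic that must not be counted.
function sampleEvents() {
  const ev = (user, time, desc) => ({
    UserName: user, UserDomain: 'Demo', SrcIP: '10.10.10.10',
    LocalTime: time, Description: desc,
  });
  const events = [];
  for (let i = 0; i < 51; i++) {
    const mm = String(i).padStart(2, '0');
    events.push(ev('j.doe', `2024-03-01 09:${mm}:00.000`, 'GET https://www.facebook.com/ 200'));
  }
  for (let i = 0; i < 3; i++) {
    events.push(ev('a.smith', `2024-03-01 10:0${i}:00.000`, 'GET https://www.facebook.com/ 200'));
  }
  events.push(ev('j.doe', '2024-03-02 08:00:00.000', 'GET https://www.facebook.com/ 200'));
  events.push(ev('j.doe', '2024-03-01 11:00:00.000', 'GET https://intranet.demo.local/ 200'));
  return events;
}
```

With the sample above, `summarizeFacebookAccess(sampleEvents())` returns a single summary for j.doe on 2024-03-01 with NumberOfEvents 51; the same user’s single visit on the next day and a.smith’s three visits stay below the threshold. Note the strict comparison: a threshold of 51 produces no alert for 51 events, which matches the wording “more than 50”.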

1.1.5 DTS Objects

Data Transformation Service (DTS) objects are JavaScript objects that are compiled at runtime. They are used for log enhancement, enrichment, decision making, alerting and other functionality.

A CyberQuest event has the following format:

{
  "EventID": "1-2000000000",    
  "LocalTime": "yyyy-mm-dd hh:mm:ss.fff",
  "GMT": "yyyy-mm-dd hh:mm:ss.fff",
  "UserName": "blacklisted.user1",
  "UserDomain": "Demo",
  "SrcIP": "xxx.xxx.xxx.xxx",
  "DestIP": "xxx.xxx.xxx.xxx",
  "VersionMajor": "6",
  "VersionMinor": "2",
  "Computer": "A-PC.Demo.local",
  "Source": "Microsoft-Windows-Security-Auditing",
  "EventLog": "Security",
  "Category": "Logon",
  "EventType": "8",
  "Description": "An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1009658894-4016096118-1013530418-1275\r\n\tAccount Name:\t\tblacklisted.user1\r\n\tAccount Domain:\t\tDemo\r\n\tLogon ID:\t\t0xC2C9FA762\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tRemoteWorkstation\r\n\tSource Network Address:\t10.10.10.10\r\n\tSource Port:\t\t44214\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
  "S1": "S-1-0-0",
  "S2": "-",
  "S3": "-",
  "S4": "0x0",
  "S5": "S-1-5-21-1009658894-4016096118-1013530418-1275",
  "S6": "blacklisted.user1",
  "S7": "Demo",
  "S8": "0xc2c9fa762",
  "S9": "3",
  "S10": "NtLmSsp ",
  "S11": "NTLM",
  "S12": "RemoteWorkstation",
  "S13": "{00000000-0000-0000-0000-000000000000}",
  "S14": "-",
  "S15": "NTLM V1",
  "S16": "128",
  "S17": "0x0",
  "S18": "-",
  "S19": "10.10.10.10",
  "S20": "44214",
  "S21": "%%1833",
  "S22": "",
  "S23": "",
  "S24": "",
  "S25": "",
  "S26": "",
  "S27": "",
  "S28": "",
  "S29": "",
  "S30": "",
  "S31": "",
  "S32": "",
  "S33": "",
  "S34": "",
  "S35": "",
  "S36": "",
  "S37": "",
  "S38": "",
  "S39": "",
  "S40": "",
  "S41": "",
  "S42": "",
  "S43": "",
  "S44": "",
  "S45": "",
  "S46": "",
  "S47": "",
  "S48": "",
  "S49": "",
  "S50": "",
  .
  .
  .
  "S150": ""
}

S1 to S150 are extra string fields, generally used to store useful information extracted from the event. This lets that information be correlated in dashboards and used to set alert triggers.

EXAMPLE: A DTS object can check a dynamic or static list for blacklisted or unknown users. The getter function is used to check whether the current user is part of a blacklist or a whitelist:

Case 1: the user is on a blacklist: raise an alert, with the RaiseAsAlert function, that a blacklisted user has logged on to a computer.

Case 2: the user is on a whitelist: do nothing from an alerting point of view; just parse useful data if needed.

Case 3: the user is on neither list, and unknown users should be added to a blacklist by default. This is achieved with the setter function.

For a DTS object to receive an event as a parameter (i.e. for an event to be parsed), the following three preconditions must be met:

  1. Create a DTS object. A new DTS object can be created from the Settings menu by navigating to “Settings” -> “Rules” -> “DTS Objects” -> “New DTS Object”.

  2. Create a Filter rule. A new Filter rule can be created from the Settings menu by navigating to “Settings” -> “Rules” -> “Filter Rules” -> “New Filterrule”.

The filter rule is a set of conditions that received events have to meet in order to be passed through (parsed by) one or more DTS objects.

  3. Create a DA rule (data acquisition rule). A new DA rule can be created from the Settings menu by navigating to “Settings” -> “Rules” -> “DA Rules” -> “New DA Rule”.

The DA rule is the decision-making mechanism that sends events (data) meeting the criteria set by filter rules through DTS objects and on to the Data Storage service and/or the Data Analyzer service.

1.1.6 DTS Objects Built-in methods

DTS objects have custom built-in functions for interacting with Redis lists and with the alerting module. The functions are:

setter

Inserts values into Redis lists. Parameters: [list_name], [list_key], [list_value], [TTL]

Example: setter('UserLists', this.inputEvent.UserName, this.inputEvent.SrcIP, 360); In this example the DTS object looks in 'UserLists' for the event’s UserName field and:

Case 1: if the key already exists, it replaces its value (the SrcIP field) and resets the entry’s lifetime to 360 seconds;

Case 2: if it does not exist, it creates a new entry with UserName as key and SrcIP as value, expiring after 360 seconds.

getter

Gets values from Redis lists. Parameters: [list_name], [list_key]

Example: getter('IPLists', this.inputEvent.SrcIP); In this example the DTS object looks in the 'IPLists' list for the current event’s SrcIP field and gets the associated value.

RaiseAsAlert

Generates an alert event with the desired settings. Parameters: event_list, [alert_name], [email_address(es)], [security_score], [security_level], [alert_template]

Example: RaiseAsAlert(JSON.stringify(EventList), "MultipleLogins(10)", "someone@company.com", "7", "7", "Multiple Logins(10)");

In this example the DTS object raises the "MultipleLogins(10)" alert using the "Multiple Logins(10)" template, sends it to "someone@company.com", and gives it a security score of 7 and a security level of 7. As the example shows, event_list is passed as a JSON string (hence JSON.stringify), not as a bare array.

backEvents

Searches for 'SearchString' over the last NumberOfDays days and returns all matching events as a JSON array. The default NumberOfDays (if not specified) is 100.

Example: backEvents('SearchString', NumberOfDays);

backCount

Searches for 'SearchString' over the last NumberOfDays days and returns the count of all matching events.

Example: backCount('SearchString', NumberOfDays);

ConsoleLog

Logs the given string to /var/log/data-acquisition.log.

Example: ConsoleLog(String);
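As an added example, not CyberQuest’s own code: the blacklist / whitelist / unknown-user decision described in 1.1.5, written against the setter, getter and RaiseAsAlert built-ins documented in 1.1.6. Those built-ins exist only inside the CyberQuest runtime, so `makeBuiltins()` below is an in-memory stand-in with the semantics stated on this page (setter inserts or replaces a key in a named list and resets its TTL; getter returns the stored value, or nothing once the entry is missing or expired; RaiseAsAlert emits an alert with a name, recipients, score, level and template). The list names, the 24-hour TTL, the alert name, the e-mail address and the sample logon events are assumptions made for the illustration.

```javascript
// Added example (not CyberQuest code): DTS-style user-list logic with an in-memory
// stand-in for the Redis-backed setter/getter and for RaiseAsAlert.

function makeBuiltins(now = () => Date.now()) {
  const lists = new Map(); // list_name -> Map(list_key -> { value, expiresAt })
  const alerts = [];       // everything passed to RaiseAsAlert
  return {
    // setter(list_name, list_key, list_value, TTL): insert or replace, reset expiry
    setter(listName, key, value, ttlSec) {
      if (!lists.has(listName)) lists.set(listName, new Map());
      lists.get(listName).set(key, { value, expiresAt: now() + ttlSec * 1000 });
    },
    // getter(list_name, list_key): the stored value, or null when missing or expired
    getter(listName, key) {
      const list = lists.get(listName);
      const entry = list && list.get(key);
      if (!entry) return null;
      if (entry.expiresAt <= now()) { list.delete(key); return null; }
      return entry.value;
    },
    // RaiseAsAlert(event_list, alert_name, email, security_score, security_level, template)
    RaiseAsAlert(eventList, alertName, email, score, level, template) {
      alerts.push({ events: JSON.parse(eventList), alertName, email, score, level, template });
    },
    alerts,
  };
}

// Body of the DTS object for one event (this.inputEvent in a real DTS object).
function checkUser(b, inputEvent) {
  const user = inputEvent.UserName;
  if (b.getter('UserBlacklist', user) !== null) {               // case 1: blacklisted
    b.RaiseAsAlert(JSON.stringify([inputEvent]), 'Blacklisted user logon',
      'soc@company.example', '9', '9', 'Blacklisted user logon');
    return 'blacklisted';
  }
  if (b.getter('UserWhitelist', user) !== null) {               // case 2: whitelisted
    return 'whitelisted';
  }
  b.setter('UserBlacklist', user, inputEvent.SrcIP, 24 * 3600); // case 3: unknown -> blacklist 24 h
  return 'unknown';
}

// Constructed logon event in the CyberQuest format (only the fields the logic reads).
function logon(user, srcIp) {
  return { EventID: '1-2000000001', UserName: user, UserDomain: 'Demo', SrcIP: srcIp,
           Computer: 'A-PC.Demo.local', Category: 'Logon', EventType: '8' };
}

// Walk through the three cases and the TTL expiry with a controllable clock.
function runScenario() {
  let clock = 0;
  const b = makeBuiltins(() => clock);
  b.setter('UserWhitelist', 'admin', 'approved', 3600);
  const outcomes = [
    checkUser(b, logon('admin', '10.10.10.5')),               // whitelisted
    checkUser(b, logon('blacklisted.user1', '10.10.10.10')),  // unknown: added to blacklist
    checkUser(b, logon('blacklisted.user1', '10.10.10.11')),  // now blacklisted: alert raised
  ];
  clock += 25 * 3600 * 1000;                                  // blacklist entry has expired
  outcomes.push(checkUser(b, logon('blacklisted.user1', '10.10.10.12'))); // unknown again
  return { outcomes, alerts: b.alerts };
}
```

Two points worth noticing: `checkUser` tests the blacklist before the whitelist and only falls through to the default-deny setter when neither list knows the user, and it does not call setter again on a blacklist hit. Because setter resets the TTL on every call (as the UserLists example above shows), re-setting the entry on each sighting would keep an active account listed indefinitely; inserting only on first sight lets the entry lapse after the TTL, which is what `runScenario()` demonstrates when the fourth logon is treated as unknown again.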