
Alerting Guide

Alerting Mode

CyberQuest’s alerting feature is fully configurable and can be set up and edited by the end user:

  • The event that triggers an alert is user-defined, so it can match exactly the events of interest, giving high accuracy and keeping false alerts to a minimum. This is done from the Settings menu item by selecting the Alerts > Realtime tab.


In this tab, users can add, edit, delete and export alerts:

  • To add an alert, click the “Create new alert definition” button in the Actions menu.


  • Each alert definition carries its own information: name, active status, one or more rules that trigger the alert, added date, modified date, time frame (TTL), the alert's security score and security level, whether to send the alert by email, the actions to run once the alert is triggered, and optionally a script that triggers the alert. Every alert definition has the following Actions buttons: Edit, Delete and Export.
  • Pressing the “Edit” button opens an “Edit Alert” window in which the alert can be edited either as a standalone alert or composed with one or more other alerts to apply additional filters as needed. This is one of the two ways an alert can be set up.


Configuring real-time alerts: examples

Logon alert example

This scenario sets up an alert for a specific user who fails to log on twice within a 60-second time interval.

Step 1. Open Settings and select Alerts > Realtime:


Step 2. To add the new alert, click the “Create new alert definition” button in the ALERTS menu:

  • The user will now create the alert for "Default - Audit policy change" by completing the following fields:


  • Alert Name: the alert name.
  • ALERT ACTIVE: check box to activate or deactivate the alert.
  • Time Frame TTL (sec.): the time window (in seconds) during which the alert collects events that match the alert rules. Available only for correlated alerts.
  • Alert Security Score: a customizable setting for the importance of the alert, from 1 to 100.
  • Alert Security Level: a customizable setting for the criticality of the alert, from 1 to 10.
  • Send as Alert: check box to enable or disable the alert notification.
  • Has Script Rule: if checked, enables the “Action Parameters” edit button.
  • Action Parameters: sets the parameters of the action.
  • Send via Email: check box to send the alert notification by email.

Rules

This section is where the alert rules are set up. One rule can be added, or multiple rules for a more complex correlated alert.


Rule Conditions

The rules are filled in with the following:

  • Description: the name of the rule (rule 1 in the example).
  • Add field condition: button for adding a new condition to the alert definition.
  • NOT checkbox: check box for excluding the events that match the condition.
  • scrollview 1: list of fields available for the condition.
  • scrollview 2: list of operators (equal, not equal, Is In List, etc.) used to match the field against the value in the next control.
  • label 1: the value to match, based on the field selected in scrollview 1.
  • Delete: deletes the condition.
  • Add report conditions: selects a report from the predefined Reports list to use as a condition in the alert.

Added alert message

Once the alert setup is complete and the settings are saved, a pop-up confirms that the alert has been edited successfully.


Once saved, the alert will appear in the list of alerts.


Step 3. The alert can be configured to send an email, or a message to Teams, Slack or Jira, when it fires.

All the generated alerts are shown in the alerts tab from the top menu:


All alerts are generated in real time when the conditions defined in the real-time alert are met, and are displayed as events in the Alerts module. In this example the alert was generated from an event collected from the Windows Security log with Windows Event ID 4670 (“Permissions on an object were changed”, which is logged under the Audit Policy Change subcategory).

Configuring summary alerts: examples

Failed logon alert example

The alerting scenario will be: notify the security office if a user failed to log on more than 50 times a day.

Step 1. Create the report that the alert definition will use: a report that shows all events matching the necessary filters, in this case “An account failed to log on”. When executed, this custom report returns every event that matches its definition, and the notification will carry the relevant information (IP address, user name, date, time, etc.). To create it:

  • Open the “Browser” module and, in the filter field, search for “EventID:4625”, the Windows event ID for “An account failed to log on”. Run the search to show the matching events.

  • Click the save button, select the save-as-report option, and fill in the “Name” and “Description” fields with “An account failed to log on”. By default the newly created report is saved in the “Custom reports” folder of the “Reports” module.


Step 2. Create a new Summary alert using the newly created report. Open Settings > Alerts > Summary and click “Add Registered Summary Alert” in the “Action” menu.


  • Name: name of the summary alert.
  • Report: the report configured at Step 1, which defines the matching events.
  • Security Score (1-100): custom security score for classifying the alert.
  • Security Level (1-10): custom security level for categorizing the alert.
  • SummaryOn Level 1: the field whose value groups the matched events (UserName in this example).
  • SummaryOn Level 2: a second grouping field applied within each Level 1 group (here Level 1 = UserName and Level 2 = Computer, so events are grouped by user and by computer).
  • SummaryOn Level 3: an optional third grouping field applied within each Level 2 group (UserName, then Computer, then the Level 3 field).
  • Time: the number of time units in the window over which the events grouped by the SummaryOn levels are evaluated.
  • TimeInterval Unit: the time unit (Minutes, Hours, Days, Weeks or Months).
  • Summary type: Count, Sum or Average of the events that match the settings above.
  • Split into groups of: splits the events attached to the summary alert into groups of the given size.
  • Threshold: the number of events matching the conditions above within the time window that triggers the alert.
  • Notifications (one email address per line): the email addresses to notify.
  • Template used for notification: the email template used for the notification.
  • Is Active?: ON/OFF, enables or disables the alert.
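
The following is an added example, not CyberQuest code: a plain JavaScript re-implementation of how the fields above combine to evaluate the "more than 50 failed logons a day" scenario, so that the effect of the SummaryOn levels and the time window can be seen on data. The events are constructed to look like the Event ID 4625 records the Step 1 report would return, using the UserName, Computer and LocalTime field names from the CyberQuest event format shown later on this page. Fixed calendar-aligned time buckets and a strict "greater than threshold" comparison are assumptions, since the page does not specify either.

```javascript
// Added example (not CyberQuest code): evaluates a summary alert definition the way
// the fields above describe it (SummaryOn levels, Time, TimeInterval Unit,
// Summary type = Count, Threshold) over constructed sample events.

// Constructed sample events, i.e. what the "An account failed to log on" report
// (Windows Event ID 4625) from Step 1 would return. Field names follow the
// CyberQuest event format (UserName, Computer, LocalTime).
const SAMPLE_EVENTS = [];
function addFailures(user, computer, day, n) {
  for (let i = 0; i < n; i++) {
    const hh = String(Math.floor(i / 60)).padStart(2, '0');
    const mm = String(i % 60).padStart(2, '0');
    SAMPLE_EVENTS.push({
      EventID: '4625', UserName: user, Computer: computer,
      LocalTime: `${day} ${hh}:${mm}:00.000`,
    });
  }
}
addFailures('j.doe',   'WS01.Demo.local', '2024-03-01', 55); // 55 on one host: over 50
addFailures('a.smith', 'WS01.Demo.local', '2024-03-01', 30); // 60 in total for the user,
addFailures('a.smith', 'WS02.Demo.local', '2024-03-01', 30); //   but only 30 per host
addFailures('j.doe',   'WS01.Demo.local', '2024-03-02', 10); // next day: separate bucket

// Definition mirroring the Settings > Alerts > Summary form for the scenario above.
const SUMMARY_ALERT = {
  Name: 'An account failed to log on > 50/day',
  SummaryOn: ['UserName', 'Computer'], // Level 1 = UserName, Level 2 = Computer
  Time: 1,
  TimeIntervalUnit: 'Days',
  SummaryType: 'Count',
  Threshold: 50,
};

// Start of the time bucket an event falls into. Assumption: fixed, calendar-aligned
// buckets (the page does not say whether the product uses fixed or sliding windows).
const UNIT_MS = { Minutes: 60e3, Hours: 3600e3, Days: 86400e3 };
function bucketStart(localTime, time, unit) {
  const ms = Date.parse(localTime.replace(' ', 'T') + 'Z');
  const width = time * UNIT_MS[unit];
  return new Date(Math.floor(ms / width) * width).toISOString();
}

// Group events by every SummaryOn level plus the time bucket, count each group
// (Summary type = Count) and return the groups whose count exceeds the threshold.
// Assumption: "more than 50" means a strict > comparison.
function evaluateSummaryAlert(events, def) {
  const counts = new Map();
  for (const ev of events) {
    const key = JSON.stringify([
      ...def.SummaryOn.map(field => ev[field]),
      bucketStart(ev.LocalTime, def.Time, def.TimeIntervalUnit),
    ]);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const hits = [];
  for (const [key, count] of counts) {
    if (count > def.Threshold) {
      const values = JSON.parse(key);
      hits.push({
        alert: def.Name,
        group: Object.fromEntries(def.SummaryOn.map((f, i) => [f, values[i]])),
        bucket: values[def.SummaryOn.length],
        count,
      });
    }
  }
  return hits.sort((a, b) => b.count - a.count);
}

// With Level 1 + Level 2 only j.doe on WS01 exceeds the threshold; dropping Level 2
// also catches a.smith, whose 60 failures are spread over two hosts.
console.log(evaluateSummaryAlert(SAMPLE_EVENTS, SUMMARY_ALERT));
console.log(evaluateSummaryAlert(SAMPLE_EVENTS, { ...SUMMARY_ALERT, SummaryOn: ['UserName'] }));
```

The second call shows the trade-off behind the SummaryOn levels: grouping by UserName and Computer isolates a password-guessing burst against one host, while grouping by UserName alone is what catches an attacker spraying the same account across several machines.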

Alert Templates

Alert templates are shared by summary and real-time alerts. To create a new alert template, navigate to Settings -> Alerts -> Notification templates.

Click “New alert template”. This opens an alert template form window.


DTS Objects

The Data Transformation Service (DTS) allows alerts to be raised by checking events against internal lists of objects. The objects are used for log enhancement, enrichment, decision making, alerting and other functions.

A CyberQuest event has the following format:

{
  "EventID": "1-2000000000",
  "LocalTime": "yyyy-mm-dd hh:mm:ss.fff",
  "GMT": "yyyy-mm-dd hh:mm:ss.fff",
  "UserName": "blacklisted.user1",
  "UserDomain": "Demo",
  "SrcIP": "xxx.xxx.xxx.xxx",
  "DestIP": "xxx.xxx.xxx.xxx",
  "VersionMajor": "6",
  "VersionMinor": "2",
  "Computer": "A-PC.Demo.local",
  "Source": "Microsoft-Windows-Security-Auditing",
  "EventLog": "Security",
  "Category": "Logon",
  "EventType": "8",
  "Description": "An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1009658894-4016096118-1013530418-1275\r\n\tAccount Name:\t\tblacklisted.user1\r\n\tAccount Domain:\t\tDemo\r\n\tLogon ID:\t\t0xC2C9FA762\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tRemoteWorkstation\r\n\tSource Network Address:\t10.10.10.10\r\n\tSource Port:\t\t44214\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
  "S1": "S-1-0-0",
  "S2": "-",
  "S3": "-",
  "S4": "0x0",
  "S5": "S-1-5-21-1009658894-4016096118-1013530418-1275",
  "S6": "blacklisted.user1",
  "S7": "Demo",
  "S8": "0xc2c9fa762",
  "S9": "3",
  "S10": "NtLmSsp ",
  "S11": "NTLM",
  "S12": "RemoteWorkstation",
  "S13": "{00000000-0000-0000-0000-000000000000}",
  "S14": "-",
  "S15": "NTLM V1",
  "S16": "128",
  "S17": "0x0",
  "S18": "-",
  "S19": "10.10.10.10",
  "S20": "44214",
  "S21": "%%1833",
  .
  .
  .
  "S150": ""
}

S1 to S150 are extra string fields, generally used to store useful information extracted from the event, so that it can be correlated in dashboards and used in alert triggers.

Example: a DTS object can check a dynamic or static list for blacklisted or unknown users. The getter function is used to check whether the current user is part of a blacklist or a whitelist.

Case 1: the user is in a blacklist: raise an alert with the RaiseAsAlert function that a blacklisted user has logged on to a computer.

Case 2: the user is in a whitelist: do nothing from an alerting point of view, just parse useful data if needed.

Case 3: the user is in neither list and unknown users are to be added to a blacklist by default: this is achieved with the setter function.

In order for a DTS object to receive an event as a parameter (that is, for an event to be parsed by it), the following three preconditions must be met:

  1. Create a DTS object. A new DTS object can be created from the Settings menu by navigating to “Settings” -> “Rules” -> “DTS Objects” -> “Add DTS Object”.

  2. Create a Filter rule. A new Filter rule can be created from the Settings menu by navigating to “Settings” -> “Rules” -> “Filter Rules” -> “Add Filter Rule”. The filter rule is a set of conditions that received events have to meet in order to be passed through one or more DTS objects (parsed).

  3. Create a DA rule (data acquisition rule). A new DA rule can be created from the Settings menu by navigating to “Settings” -> “Rules” -> “DA Rules” -> “Add DA Rule”. The DA rule is the decision-making mechanism that sends events (data) meeting the criteria set by Filter rules through DTS objects and on to the Data Storage service and/or the Data Analyzer service.

DTS Objects Built-in methods

DTS objects have custom built-in functions created with the purpose of interacting with Redis lists or with the alerting module. The functions are:

"setter" -- Inserts values in Redis lists

Parameters: [list_name],[list_key],[list_value],[TTL]

Example:

setter('UserLists',this.inputEvent.UserName,this.inputEvent.SrcIP,360);

In this example the DTS object looks in 'UserLists' for a key equal to the event's UserName field.

Case 1: if the key already exists, its value is replaced with the event's SrcIP field and the entry's lifetime is reset to 360 seconds.

Case 2: if it does not exist, a new entry is created with the UserName as key and the SrcIP as value, expiring after 360 seconds.

"getter" -- Gets values from Redis lists.

Parameters: [list_name],[list_key]

Example:

getter('IPLists',this.inputEvent.SrcIP);

In this example the DTS object looks in the 'IPLists' list for a key equal to the current event's SrcIP field and returns the associated value.

"RaiseAsAlert" -- Generates an alert event with the desired settings.

Parameters: [event_list](json format),[alert_name],[email_address(es)],[security_score],[security_level], [alert template]

Example:

RaiseAsAlert(JSON.stringify(EventList),"MultipleLogins(10)","someone@company.com","7","7","Multiple Logins(10)");

In this example the DTS object raises the "MultipleLogins(10)" alert with the events in EventList attached, notifies someone@company.com, assigns a security score of 7 and a security level of 7, and uses the "Multiple Logins(10)" notification template.
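
The three cases described under DTS Objects (blacklisted user, whitelisted user, unknown user added to the blacklist), written the way a DTS object script would express them with the setter, getter and RaiseAsAlert built-ins documented in this section. This is an added example, not CyberQuest's code: the three built-ins are re-created in memory with the behaviour this page describes (keyed lists with a TTL; an alert carrying an event list, name, recipients, score, level and template) so the script runs offline, and `inputEvent` stands for `this.inputEvent`. The list names 'UserBlacklist' and 'UserWhitelist', the 24-hour TTL, the score and level values, the recipient address, and the assumption that getter yields null for a missing or expired key are all illustrative.

```javascript
// Added example (not CyberQuest code). The setter/getter/RaiseAsAlert below are
// in-memory stand-ins that mimic the documented behaviour of the platform built-ins
// (Redis-backed key/value lists with a TTL; an alert event with name, recipients,
// score, level and template). They are NOT the product's implementations.

const lists = new Map();   // list_name -> Map(list_key -> { value, expiresAt })
const raisedAlerts = [];   // what RaiseAsAlert would hand to the alerting module
let now = 0;               // simulated clock in seconds, so TTL expiry can be shown

function setter(listName, key, value, ttlSeconds) {
  if (!lists.has(listName)) lists.set(listName, new Map());
  // Existing key: value replaced and TTL reset. New key: created with the TTL.
  lists.get(listName).set(key, { value, expiresAt: now + ttlSeconds });
}

function getter(listName, key) {
  const entry = lists.get(listName)?.get(key);
  if (!entry || entry.expiresAt <= now) return null; // assumption: absent/expired -> null
  return entry.value;
}

function RaiseAsAlert(eventListJson, alertName, emails, score, level, template) {
  raisedAlerts.push({ events: JSON.parse(eventListJson), alertName, emails, score, level, template });
}

// The DTS object logic for a successful-logon event. Returns the decision taken.
function processLogon(inputEvent) {
  const user = `${inputEvent.UserDomain}\\${inputEvent.UserName}`; // "Demo\user"
  if (getter('UserBlacklist', user) !== null) {
    // Case 1: blacklisted account logged on -> raise an alert carrying the event.
    RaiseAsAlert(JSON.stringify([inputEvent]), 'Blacklisted user logon',
                 'soc@company.example', '90', '9', 'Blacklisted user logon');
    return 'alert';
  }
  if (getter('UserWhitelist', user) !== null) {
    return 'allow'; // Case 2: known-good account, nothing to alert on
  }
  // Case 3: unknown account -> blacklist by default (24 h TTL), remembering the source IP.
  setter('UserBlacklist', user, inputEvent.SrcIP, 86400);
  return 'blacklisted';
}

// Constructed event resembling the CyberQuest event format shown above (subset of fields).
function makeLogon(userName, srcIp) {
  return {
    EventID: '1-2000000001', UserName: userName, UserDomain: 'Demo', SrcIP: srcIp,
    Computer: 'A-PC.Demo.local', Source: 'Microsoft-Windows-Security-Auditing',
    EventLog: 'Security', Category: 'Logon', S9: '3',
  };
}

// Runs the three cases plus the follow-on effects of case 3 (the next logon by the
// same unknown user is alerted on; after the TTL expires it is blacklisted afresh).
function runScenario() {
  lists.clear(); raisedAlerts.length = 0; now = 0;
  // Static list content an operator would have loaded beforehand (constructed).
  setter('UserBlacklist', 'Demo\\blacklisted.user1', 'static', 3600);
  setter('UserWhitelist', 'Demo\\svc.backup', 'static', 3600);

  const results = [];
  results.push(processLogon(makeLogon('blacklisted.user1', '10.10.10.10'))); // alert
  results.push(processLogon(makeLogon('svc.backup', '10.10.10.20')));        // allow
  results.push(processLogon(makeLogon('new.user', '10.10.10.30')));          // blacklisted
  results.push(processLogon(makeLogon('new.user', '10.10.10.30')));          // alert
  now += 86401;                                                               // TTL elapsed
  results.push(processLogon(makeLogon('new.user', '10.10.10.30')));          // blacklisted
  return results;
}

console.log(runScenario(), raisedAlerts.map(a => a.events[0].UserName));
```

Two points the scenario makes visible: the key passed to setter/getter should include the domain (a bare UserName collides across domains and with local accounts), and because the "unknown user goes on the blacklist" default is TTL-bound, a whitelist entry must be refreshed or given a long TTL or a legitimate account will fall back into case 3 once its entry expires.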

"backEvents" -- Returns past events matching a search.

Parameters: [search_string],[number_of_days]

Example:

backEvents('SearchString', NumberOfDays);

Searches for 'SearchString' over the last NumberOfDays days and returns all matching events in JSON format (array). The default NumberOfDays (if not specified) is 100.

"backCount" -- Returns the number of past events matching a search.

Parameters: [search_string],[number_of_days]

Example:

backCount('SearchString', NumberOfDays);

Searches for 'SearchString' and returns the count of all the events that match the search.

"ConsoleLog" -- Writes a message to the data acquisition log.

Parameters: [string]

Example:

ConsoleLog(String);

Logs the given String in /var/log/data-acquisition.log.