
[Meta] UEBA/EA via Detection Engineering Approach Design/PoC #3086

Closed
6 tasks
Aegrah opened this issue Sep 11, 2023 · 5 comments
Labels: Meta, stale (60 days of inactivity), Team: TRADE

Comments


Aegrah commented Sep 11, 2023

Summary

This Meta focuses on the research relating to building a UEBA/EA approach through detection engineering. We will explore the usage of detection rules (with a main focus on new_terms rules) to chain suspicious behavior together and assign risk to entities. This will be phase 1 of this research, and will focus on creating a design doc / PoC to build upon in later metas.

Approach

This approach is inspired by the work over at InfoSec. The approach would look as follows:

  • Identify integrations in which a UEBA model would thrive.
    • E.g. endpoint, github, okta, office365, containers, GCP/AWS/Azure etc.
  • Identify general data sources in which a UEBA model could thrive.
    • E.g. users, hosts, sessions, assets, policies, API tokens, tenants, projects, repositories etc. This varies depending on the technology, integration or category.
  • Identify what kind of entities should be tracked per technology - data source combination
    • E.g. for Endpoint → users, hosts & sessions
    • E.g. for GitHub → users, pats, applications & repositories
    • E.g. for Okta → users, applications, API tokens & policies
  • Create regular, threshold and new_terms detection rules (in building block rule format) to look for previously unknown behavior per described action.
    • We can use our current detection rules repository to find a set of relevant rules.
  • Create threshold rules to query the results of the created detection rules, and alert depending on a combination of potential vectors.

This Meta will be focused on initial research and will therefore be in design. Any task checked off the tasklist means that some sort of PoC/Design is finished.

Tasks


Most progress is being tracked in Approach to UEBA- V0.1

Issues

#3097
#3093

References

Infosec UEBA approach for GitHub
Overall Infosec Meta
Advanced Analytics Pack notes
Pros/Cons detection rule approach


Aegrah commented Sep 11, 2023

Discovery PoC

Currently running 1 PoC with regards to a UEBA model to detect suspicious discovery activities within Windows environments. For this PoC, the following rules are set up:

  • UEBA - Discovery - Network Connections
  • UEBA - Discovery - Processes
  • UEBA - Discovery - Registry
  • UEBA - Discovery - System Information
  • UEBA - Discovery - Net View
  • UEBA - Discovery - Peripheral Devices
  • UEBA - Discovery - Group Policy Objects
  • UEBA - Discovery - System Information
  • UEBA - Discovery - Remote System Discovery
  • UEBA - Discovery - Services
  • UEBA - Discovery - System Time
  • UEBA - Discovery - System Security via WMIC
  • UEBA - Discovery - Group Policy Object
  • UEBA - Discovery - Directories
  • UEBA - Discovery - Administrator Accounts
  • UEBA - Discovery - Domain Trusts
  • UEBA - Discovery - ADFind


These are all building block rules that check for discovery activity. Matching 3 or more of these alerts within an hour by the same user.name would trigger an Unusual Discovery Activity from User alert with severity high.
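An added example (not code from the issue or from the detection-rules project) of the correlation step the comment describes: building-block discovery alerts are grouped by user.name, and a high-severity alert is emitted when 3 or more distinct building-block rules fire for the same user inside a sliding one-hour window. Counting distinct rule names rather than raw alert hits, and the field names and sample alerts below, are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample building-block alerts (not real telemetry). Each carries the
# minimum a threshold-style rule needs: the rule name, user.name and a timestamp.
SAMPLE_ALERTS = [
    {"rule": "UEBA - Discovery - Processes",     "user.name": "alice", "@timestamp": "2023-09-11T10:00:00Z"},
    {"rule": "UEBA - Discovery - Registry",      "user.name": "alice", "@timestamp": "2023-09-11T10:20:00Z"},
    {"rule": "UEBA - Discovery - Processes",     "user.name": "alice", "@timestamp": "2023-09-11T10:25:00Z"},  # repeat
    {"rule": "UEBA - Discovery - Domain Trusts", "user.name": "alice", "@timestamp": "2023-09-11T10:50:00Z"},
    {"rule": "UEBA - Discovery - Net View",      "user.name": "bob",   "@timestamp": "2023-09-11T09:00:00Z"},
    {"rule": "UEBA - Discovery - Services",      "user.name": "bob",   "@timestamp": "2023-09-11T11:30:00Z"},
    {"rule": "UEBA - Discovery - ADFind",        "user.name": "bob",   "@timestamp": "2023-09-11T12:45:00Z"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts, window=timedelta(hours=1), threshold=3):
    """Emit one high-severity alert per user whose *distinct* building-block
    rules reach `threshold` inside any sliding `window` (assumed semantics)."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user.name"]].append((parse_ts(a["@timestamp"]), a["rule"]))
    out = []
    for user, events in by_user.items():
        events.sort()  # chronological, so each event can open a window
        for i, (start, _) in enumerate(events):
            in_window = {rule for ts, rule in events[i:] if ts - start < window}
            if len(in_window) >= threshold:
                out.append({
                    "rule": "Unusual Discovery Activity from User",
                    "severity": "high",
                    "user.name": user,
                    "matched_rules": sorted(in_window),
                    "window_start": start.isoformat(),
                })
                break  # one alert per user per evaluation
    return out


if __name__ == "__main__":
    for hit in correlate(SAMPLE_ALERTS):
        print(hit)
```

In the sample data alice trips the threshold (three distinct rules between 10:00 and 10:50, the repeated Processes hit counted once), while bob's three hits are spread over more than an hour and stay silent.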


Aegrah commented Oct 18, 2023

Tunings have been pushed in:
#3097
#3107

Isai has done some great work on GitHub UEBA in:
#3174

And a draft PR is set up containing the new workflow here:
#3112


Aegrah commented Oct 18, 2023

Will need to discuss whether we will be using tags to create the UEBA packs, and if so, need to discuss with RAD how and when to implement this.

Once we gather rule tuning telemetry based on the new workflow and see that everything is working, we can push a first pack.


botelastic bot commented Dec 17, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Dec 17, 2023

botelastic bot commented Dec 24, 2023

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this as completed Dec 24, 2023