Custom Alert Collection

Community I would like to know if anyone has some quick not “out of the box” custom alerts they have built for IDR.

For example:
We have one we built for CyberArk that when an admin with specific permission grants access to the hidden admin password, it generates an alert. Granted only a select few people can do this, if it's granted and we can't audit it, that's bad news.
where('header.device_event_class_id'='7' AND 'extension.suser'='Administrator')

1 Like

I think there could be a place for sharing alerts. I also like the idea of sharing queries. Of course, all sanitized and generalized to protect private information, but I agree that there is value in sharing some of these. Of course a big issue is not everyone has the same logs coming into their IDR so there may need to be a format showing the alert, what logs it may work with, what type of events (i.e. Active Directory, DNS, etc.)
I like that queries can be so simple and then used in an alert. For example these are some of mine and they are pretty generic. I run these with several logs selected, of course, you may or may not have the same logs. I use my DNS logs, Asset authentication, file modification, raw and unparsed. Now they have EET which really helps.

where("A member was removed from a security-enabled" AND "group") *AD accountability

where(kali AND download) *only I should download this

where(printer AND OUTBOUND) *why should a printer talk to the outside?

Here is a crazy one looking for suspicious PS commands:
where(add-exfiltration OR add-persistence OR add-scrnsavebackdoor OR base64.b64decode OR base64tostring OR check-vm OR chocolatey.org OR copy-vss OR create-multiplesessions OR discover-psinterestingservices OR discover-psmsexchangeservers OR discover-psmssqlservers OR dllinjection OR do-exfiltration OR download-execute-ps OR downloadstring OR enable-duplicatetoken OR encodedcommand OR execute-command-mssql OR execute-dnstxt-code OR execute-ontime OR exploittable OR extract-wifi-creds OR find-allvulns OR find-avsignature OR find-ms OR find-ms13081 OR find-psserviceaccounts OR frombase64string OR )

2 Likes
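To make the two kinds of where() queries in this thread concrete, here is an added Python illustration (not InsightIDR's own search engine, and not code from either poster) that evaluates the CyberArk field-match alert and the keyword alerts above against a few constructed sample events. It assumes keyword terms behave as case-insensitive substring matches on the raw message and that 'key'='value' terms are exact matches on a parsed field.

```python
# Tiny evaluator for where()-style alert logic: keyword terms (assumed to be
# case-insensitive substring matches on the raw message) and 'key'='value'
# terms (exact match on a parsed field). A query is a list of AND-groups;
# the alert fires if any one group matches (i.e. OR between groups).

# Constructed sample events, not real data. Each carries the raw message
# plus whatever fields a parsed event source would have extracted.
SAMPLE_EVENTS = [
    {"source": "cyberark",
     "message": "CEF:0|CyberArk|Vault|10.0|7|Retrieve password|5|suser=Administrator",
     "fields": {"header.device_event_class_id": "7",
                "extension.suser": "Administrator"}},
    {"source": "ad", "fields": {},
     "message": "4729: A member was removed from a security-enabled global group. Group: Domain Admins"},
    {"source": "dns", "fields": {}, "message": "client 10.0.0.5 query kali.org/download"},
    {"source": "firewall", "fields": {},
     "message": "OUTBOUND connection from printer-3f to 203.0.113.9:443"},
    {"source": "ps", "fields": {}, "message": "powershell.exe -EncodedCommand SQBFAFgA"},
    {"source": "dns", "fields": {}, "message": "client 10.0.0.7 query updates.example.com"},
]

# A small subset of the PowerShell keyword list posted in the thread.
PS_KEYWORDS = ("encodedcommand", "downloadstring", "frombase64string")

ALERTS = {
    "CyberArk admin password retrieved": [[("header.device_event_class_id", "7"),
                                           ("extension.suser", "Administrator")]],
    "AD security group member removed": [["A member was removed from a security-enabled", "group"]],
    "Kali download": [["kali", "download"]],
    "Printer outbound traffic": [["printer", "OUTBOUND"]],
    "Suspicious PowerShell keyword": [[kw] for kw in PS_KEYWORDS],
}

def term_matches(term, event):
    if isinstance(term, tuple):                       # 'key'='value': exact field match
        key, value = term
        return event["fields"].get(key) == value
    return term.lower() in event["message"].lower()   # keyword: substring, case-insensitive

def query_matches(query, event):
    return any(all(term_matches(t, event) for t in group) for group in query)

def run_alerts(alerts, events):
    """Return {alert name: [matching messages]} containing only alerts that fired."""
    fired = {}
    for name, query in alerts.items():
        hits = [e["message"] for e in events if query_matches(query, e)]
        if hits:
            fired[name] = hits
    return fired

if __name__ == "__main__":
    for name, hits in run_alerts(ALERTS, SAMPLE_EVENTS).items():
        print(f"[{name}] {len(hits)} hit(s): {hits[0]}")
```

Each alert fires once on the sample set and the benign DNS query matches nothing; swapping in your own parsed events shows which of the thread's queries your log sources can actually support.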

Thanks, that’s actually some good feedback around the idea of being able to share various product components. One of the things we’re currently working on is the ability to share event sources in our Library. We don’t have a timeline for its release right now, but I mention it because we do want to eventually expand in terms of sharing capabilities. Alerts and queries would be great for that.

If you have any particular ideas around what you’d like to see for sharing alerts/queries (or even event sources, since that’s in-progress), then feel free to share.