Kaspersky Unified Monitoring and Analysis Platform

Correlation rules

April 8, 2024

ID 250594

The file that can be downloaded by clicking the link describes the correlation rules that are included in the distribution kit of Kaspersky Unified Monitoring and Analysis Platform version 3.0.3. For each rule it gives the scenario the rule covers, the conditions under which the rule applies, and the event sources the rule requires.

The correlation rules described in this document are contained in the SOC_package file in the KUMA distribution kit; the password for the file is SOC_package1. Only one version of the SOC rule set can be used at a time: either Russian or English.

You can import correlation rules into KUMA. See the "Importing resources" section of the online help: https://support.kaspersky.com/KUMA/3.0.3/en-US/242787.htm.

You can add imported correlation rules to correlators that your organization uses. See the online help section "Step 3. Correlation": https://support.kaspersky.com/KUMA/3.0.3/en-US/221168.htm.

Download the description of correlation rules contained in the SOC_package.xlsx file.

Automatic rule suppression

The SOC_package correlation rules package can automatically suppress a rule whose triggering frequency exceeds a threshold.

The automatic suppression option works as follows: if a rule is triggered more than 100 times within 1 minute, and that happens at least 5 times within a span of 10 minutes, the rule is added to the stop list.

  • When placed in the stop list for the first time, the rule is disabled for 1 hour.
  • If this happens again, it is placed in the list for 24 hours.
  • All subsequent occurrences place it in the list for 7 days.

The logic is implemented by the resources (rules, active lists, and dictionaries) located in the "SOC_package/System/Rule disabling by condition" directory.

You can customize the settings and thresholds in accordance with your requirements. Keep in mind that a rule in the stop list produces no correlation events until its entry expires, so a rule that keeps entering the stop list should be tuned rather than left suppressed.

The option is controlled by the enable setting in the "SOC_package/Integration/Rule disabling configuration" dictionary: set it to "1" to enable automatic suppression, or to "0" to disable it. By default, automatic suppression is enabled and the enable setting is "1".
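The following Python model of the suppression logic described above is an added example written for this page; it is not the KUMA rule set itself (which is built from correlation rules, active lists, and dictionaries, not Python). It assumes that a "minute" is a fixed, non-overlapping 60-second bucket and that the 10-minute window is measured between the moments at which the per-minute threshold was crossed; the rule names and the trigger streams are constructed sample input. Running it shows a noisy rule entering the stop list for 1 hour, then 24 hours, then 7 days, a rule whose bursts are too spread out to qualify, and the effect of the enable setting.

```python
from collections import deque

# Thresholds mirroring the defaults described on this page. They are module-level
# so they can be tuned the way the "Rule disabling configuration" dictionary would be.
TRIGGERS_PER_MINUTE = 100                  # "more than 100 times in 1 minute"
BURSTS_REQUIRED = 5                        # "... at least 5 times ..."
BURST_WINDOW_SECONDS = 10 * 60             # "... in the span of 10 minutes"
STOP_LIST_DURATIONS = [3600, 24 * 3600, 7 * 24 * 3600]   # 1 h, then 24 h, then 7 d

# Stand-in for the "Rule disabling configuration" dictionary: "1" = enabled, "0" = disabled.
RULE_DISABLING_CONFIG = {"enable": "1"}


class RuleSuppressor:
    """Tracks trigger rates per rule and maintains the stop list.

    Assumption (not stated on the page): a "minute" is a fixed 60-second bucket and
    the 10-minute window is measured between threshold crossings.
    """

    def __init__(self, config=RULE_DISABLING_CONFIG):
        self.enabled = config.get("enable") == "1"
        self.minute_counts = {}   # rule -> (minute bucket, triggers seen in that bucket)
        self.bursts = {}          # rule -> deque of timestamps at which the 1-minute threshold was crossed
        self.stop_list = {}       # rule -> timestamp until which the rule is suppressed
        self.times_listed = {}    # rule -> how many times it has entered the stop list

    def is_suppressed(self, rule, ts):
        until = self.stop_list.get(rule)
        return until is not None and ts < until

    def on_trigger(self, rule, ts):
        """Process one trigger of `rule` at Unix time `ts` (integer seconds).

        Returns True if the correlation event is emitted, False if it is dropped
        because the rule is currently in the stop list.
        """
        if self.is_suppressed(rule, ts):
            return False
        if not self.enabled:
            return True

        bucket = ts // 60
        prev_bucket, count = self.minute_counts.get(rule, (bucket, 0))
        if prev_bucket != bucket:
            count = 0                      # new minute, start counting again
        count += 1
        self.minute_counts[rule] = (bucket, count)

        # The threshold is "more than 100 in 1 minute"; record the crossing once per minute.
        if count == TRIGGERS_PER_MINUTE + 1:
            crossings = self.bursts.setdefault(rule, deque())
            crossings.append(ts)
            while crossings and ts - crossings[0] > BURST_WINDOW_SECONDS:
                crossings.popleft()        # forget crossings older than the 10-minute window
            if len(crossings) >= BURSTS_REQUIRED:
                self._add_to_stop_list(rule, ts)
                crossings.clear()
        # The trigger that put the rule on the stop list is itself still emitted;
        # everything after it is dropped until the entry expires.
        return True

    def _add_to_stop_list(self, rule, ts):
        n = self.times_listed.get(rule, 0)
        duration = STOP_LIST_DURATIONS[min(n, len(STOP_LIST_DURATIONS) - 1)]
        self.times_listed[rule] = n + 1
        self.stop_list[rule] = ts + duration
        return duration


def noisy_minutes(rule, start, minute_offsets, per_minute):
    """Constructed sample input: `per_minute` triggers spread over each listed minute."""
    for m in minute_offsets:
        for i in range(per_minute):
            yield rule, start + m * 60 + (i * 60) // per_minute


def run(suppressor, triggers):
    """Feed triggers through the suppressor; return (emitted, dropped) counts."""
    emitted = dropped = 0
    for rule, ts in triggers:
        if suppressor.on_trigger(rule, ts):
            emitted += 1
        else:
            dropped += 1
    return emitted, dropped


if __name__ == "__main__":
    s = RuleSuppressor()
    # Five consecutive minutes of 101 triggers: the rule lands on the stop list for 1 hour.
    print(run(s, noisy_minutes("R_noisy", 0, range(5), 101)))      # (505, 0)
    print(run(s, noisy_minutes("R_noisy", 300, range(1), 101)))    # (0, 101), suppressed
    print(s.stop_list["R_noisy"], s.times_listed["R_noisy"])       # 3899 1
```

The escalation is driven by a per-rule counter of stop-list entries that is never reset, which matches the page's "all subsequent occurrences place it in the list for 7 days"; if your deployment resets that counter after a quiet period, adjust `_add_to_stop_list` accordingly.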

Audit events

Correlation rules from the [OOTB] SOC Content resource set use the audit events listed below, by event source. An event source that is not collected and normalized by KUMA cannot trigger the rules that depend on it.

  • KSC: GNRL_EV_VIRUS_FOUND, GNRL_EV_WEB_URL_BLOCKED, KLSRV_HOST_STATUS_CRITICAL, KLSRV_HOST_STATUS_WARNING, KLSRV_HOST_STATUS_OK
  • Microsoft Windows, PowerShell/Operational log: 4103 (module logging), 4104 (script block logging)
  • Microsoft Windows, Security log: 1102, 4624, 4656, 4657, 4662, 4663, 4688 (with the "Include command line in process creation events" audit policy enabled, so that the command line is present), 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4768, 4769, 4771, 5140, 5145
  • Microsoft Windows, System log: 7036, 7045
  • Microsoft Windows, Microsoft-Windows-Windows Defender/Operational log: 1006, 1015, 1116, 1117, 5001, 5010, 5012, 5101
  • Linux, auditd events: USER_AUTH, USER_LOGIN, execve
  • KATA: "TAA has tripped on events database" (Targeted Attack Analyzer detections)
  • KUMA: events created as a result of other correlation rules triggering
  • Network devices: events containing the source IP address and port and the destination IP address and port
