Kaspersky Unified Monitoring and Analysis Platform

Standard correlation rules

Standard correlation rules are used to identify complex patterns in processed events.

The search for patterns is conducted by using containers

The correlation rule resource window contains the following configuration tabs:

• General—used to specify the main settings of the correlation rule resource. On this tab, you can select the type of correlation rule.
• Selectors—used to define the conditions that the processed events must fulfill to trigger the correlation rule. Available parameters vary based on the selected resource type
• Actions—used to set the triggers that will activate when the conditions configured in the Selectors settings block are fulfilled. The Correlation rule resource must have at least one trigger. Available parameters vary based on the selected resource type

General tab

• Name (required)—a unique name for this type of resource. Must contain from 1 to 128 Unicode characters.
• Tenant (required)—the tenant that owns the correlation rule.
• Type (required)—a drop-down list for selecting the type of correlation rule. Select standard if you want to create a standard correlation rule.
• Identical fields (required)—the event fields that should be grouped in a Bucket. The hash of the values of the selected fields is used as the Bucket key. If the selector (see below) triggers, the selected fields will be copied to the correlation event.
• Unique fields—event fields that should be sent to the Bucket. If this parameter is set, the Bucket will receive only unique events. The hash of the selected fields' values is used as the Bucket key. If the Correlation rule triggers, the selected fields will be copied to the correlation event.
• Rate limit—maximum number of times a correlation rule can be triggered per second. The default value is 100.

  If correlation rules employing complex logic for pattern detection are not triggered, this may be due to the specific method used to count rule triggers in KUMA. In this case, try to increase the value of Rate limit to 1000000, for example.

• Window, sec (required)—bucket lifetime duration in seconds. This timer starts when the Bucket is created (when it receives the first event). The lifetime is not updated, and when it runs out, the On timeout trigger from the Actions group of settings is activated and the bucket is deleted. The On every threshold and On subsequent thresholds triggers can be activated more than once during the lifetime of the Bucket.
• Base events keep policy—this drop-down list is used to specify which base events must be stored in the correlation event:
  • first (default value)—this option is used to store the first base event of the event collection that triggered creation of the correlation event.
  • last—this option is used to store the last base event of the event collection that triggered creation of the correlation event.
  • all—this option is used to store all base events of the event collection that triggered creation of the correlation event.
• Priority—base coefficient used to determine the importance of a correlation rule. The default value is Low.
• Description—the description of a resource. Up to 256 Unicode characters.

Selectors tab

There can be multiple selectors in the standard resource kind. You can add selectors by clicking the Add selector button and can remove them by clicking the Delete selector button. Selectors can be moved by using the button.

For each selector the following parameters are available:

• Alias (required)—unique name of the event group that meets the conditions of the selector. This name is used to identify events in the filter. Must contain from 1 to 128 Unicode characters.
• Selector threshold (event count) (required)—the number of events that must be received by the selector to trigger.
• Filter (required)—used to set the criteria for determining events that should trigger the selector. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.

  Creating a filter in resources

  1. In the Filter drop-down menu, select Create new.
  2. If you want to keep the filter as a separate resource, set the Save filter toggle switch. This can be useful if you decide to reuse the same filter across different services. The toggle switch is turned off by default.
  3. If you toggle the Save filter switch on, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
  4. In the conditions section, specify the conditions that the events must meet:
     • The Add condition button is used to add filtering conditions. You can select two values (two operands, left and right) and assign the operation you want to perform with the selected values. The result of the operation is either True or False.
       • In the operator drop-down list, select the function to be performed by the filter.

         Filter operators

         • = – the left operand equals the right operand.
         • <—the left operand is less than the right operand.
         • <=—the left operand is less than or equal to the right operand.
         • >—the left operand is greater than the right operand.
         • >=—the left operand is greater than or equal to the right operand.
         • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
         • contains—the left operand contains values of the right operand.
         • startsWith—the left operand starts with one of the values of the right operand.
         • endsWith—the left operand ends with one of the values of the right operand.
         • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
         • inActiveList—this filter has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
         • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
         • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
         • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.

         You can use the Match case check box in the Operator drop-down list to choose whether the values passed to the filter should be case sensitive. This check box is cleared by default.

       • In the Left operand and Right operand drop-down lists, select where the data to be filtered will come from. As a result of the selection, Advanced settings will appear. Use them to determine the exact value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key and the entry key field.
       • You can use the If drop-down list to choose whether you want to create a negative filter condition.

       Conditions can be deleted using the button.

     • The Add group button is used to add groups of conditions. Operator AND can be switched between AND, OR, and NOT values.

       A condition group can be deleted using the button.

     • Using the Add filter button you can add existing filter resources selected in the Select filter drop-down list to the conditions. You can navigate to a nested filter resource using the button.

       A nested filter can be deleted using the button.

• Recovery—this check box must be selected when the Correlation rule must NOT trigger if a certain number of events are received from the selector. By default, this check box is cleared.

If more than one selector is added to the correlation rule resource, the Join filter settings block becomes available. This filter is used to compare the fields of different events. The Join filter is configured by using the Filter drop-down list as described above.

Actions tab

There can be multiple triggers in a standard type of resource.

• On first threshold—this trigger activates when the Bucket registers the first triggering of the selector during the lifetime of the Bucket
• On subsequent thresholds—this trigger activates when the Bucket registers the second and all subsequent triggering of the selector during the lifetime of the Bucket
• On every threshold—this trigger activates every time the Bucket registers the triggering of the selector
• On timeout—this trigger activates when the lifetime of the Bucket ends, and is linked to the selector with the Recovery check box selected. In other words, this trigger activates if the situation detected by the correlation rule is not resolved within the defined amount of time.

Every trigger is represented as a group of settings with the following parameters available:

• Output—if this check box is selected, the correlation event will be sent for post-processing: for enrichment, for a response, and to destinations.
• Loop—if this check box is selected, the correlation event will be processed by the current correlation rule resource. This allows hierarchical correlation.

  If both check boxes are selected, the correlation rule will be sent for post-processing first and then to the current correlation rule selectors.

• Do not create alert—if this check box is selected, an alert will not be created when this correlation rule is triggered.
• Active lists update group of settings—used to assign the trigger for one or more operations with active lists. You can use the Add active list action and Delete active list action buttons to add or delete operations with active lists, respectively.

  Available settings:

  • Name (required)—this drop-down list is used to select the Active list resources.
  • Operation (required)—this drop-down list is used to select the operation that must be performed:
    • Get—get the Active list entry and write the values of the selected fields into the correlation event.
    • Set—write the values of the selected fields of the correlation event into the Active list by creating a new or updating an existing Active list entry. When the Active list entry is updated, the data is merged and only the specified fields are overwritten.
    • Delete—delete the Active list entry.
  • Key fields (required)—this is the list of event fields used to create the Active list entry. It is also used as the Active list entry key.
  • Mapping (required for Get and Set operations)—used to map Active list fields with events fields. More than one mapping rule can be set.

    The left field is used to specify the Active list field. The middle drop-down list is used to select event fields. The right field can be used to assign a constant to the Active list field is the Set operation was selected.

• Enrichment settings block—you can update the field values of correlation events by using enrichment rules similar to enrichment rule resources. These enrichment rules are stored in the Correlation rule resource where they were created. It is possible to have more than one enrichment rule. Enrichment rules can be added or deleted by using the Add enrichment or Remove enrichment buttons, respectively.
  • Type of source—you can select the type of enrichment in this drop-down list. Depending on the selected type, you may see advanced settings that will also need to be completed.

    Available types of enrichment:

    • constant

      This type of enrichment is used when a constant needs to be added to an event field.

      When choosing this type, you must specify the value to add to the event field in the Constant field. The value should not be longer than 255 Unicode characters. If you leave this field blank, the existing event field value will be cleared.

    • dictionary

      This type of enrichment is used if you need to add a value from dictionary.

      When this type is selected in the Dictionary name drop-down list, you must select the dictionary that will provide the values. In the Key fields settings block, you must use the Add field button to select the event fields whose values will be used for dictionary entry selection.

    • event

      This type of enrichment is used when you need to write a value from another event field to the current event field.

      When this type is selected in the Source field drop-down list, you must select the event field from where the value will be copied to the target field. Clicking the button opens the Conversion window in which you can, using the Add conversion button, create rules for modifying the original data before writing them to the KUMA event fields.

      Available conversions

      Conversions are changes that can be applied to a value before it gets written to the event field. The conversion type is selected from a drop-down list.

      Available conversions:

      • lower—is used to make all characters of the value lowercase
      • upper—is used to make all characters of the value uppercase
      • regexp—is used to apply a RE2 regular expression to the value. When this conversion type is selected, the field appears where regular expression should be added.
      • substring—is used to delete characters in the position range specified in the Start and the End fields. These fields appear when this conversion type is selected.
      • replace—is used to replace specified character sequence with the other character sequence. When this type of conversion is selected, new fields appear:
        • Replace chars—in this field you can specify the character sequence that should be replaced.
        • With chars—in this field you can specify the characters sequence should be used instead of replaced characters.
      • trim is used to remove the characters specified in the Chars field from trailing positions of the value. The field appears when this type of conversion is selected.
      • append is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
      • prepend—used to prepend the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
      • replace with regexp—is used to replace RE2 regular expression results with the character sequence.
        • Expression—in this field you can specify the regular expression which results that should be replaced.
        • With chars—in this field you can specify the characters sequence should be used instead of replaced characters.

    • template

      This type of enrichment is used when you need to write a value obtained by processing Go templates into the event field.

      When this type is selected, a Go template must be specified in the Template field.

      Event field names are passed in the {{.EventField}} format, where EventField is the name of the event field from which the value must be passed to the script.

      Example: Attack on {{.DestinationAddress}} from {{.SourceAddress}}

  • Target field—in this drop-down list, you can select the KUMA event field that should receive the data.
  • Debug—you can use this drop-down list to enable logging of service operations.
  • Description—the description of a resource. Up to 256 Unicode characters.
  • Filter settings block—lets you select which events will be forwarded for enrichment. Configuration is performed as described above.
• Categorization settings group—used to change the categories of assets indicated in events. There can be several categorization rules. You can add or delete them by using the Add categorization or Remove categorization buttons. Only reactive categories can be added to assets or removed from assets.
  • Operation—this drop-down list is used to select the operation to perform on the category:
    • Add—assign the category to the asset.
    • Delete—unbind the asset from the category.
  • Event field—event field that indicates the asset requiring the operation.
  • Category ID—you can click the button to select the category requiring the operation. Clicking this button opens the Select categories window showing the category tree.